Security pros advise users to ditch Java

The 'write once, run anywhere' software platform has become a favorite of cyber attackers. Is it time for users to kill their Java?

Security firms are being none too gentle with Oracle's Java following the revelation this week that attackers are using two unpatched Java vulnerabilities to compromise selected targets. The most common advice: Uninstall the Java plug-in in your browser and don't use services that require the software.

On Monday, security firm FireEye revealed that a customer had been attacked with a previously unknown vulnerability. Yet Oracle already knew about the security issue and apparently had an update at the ready to be released on its regularly scheduled patch day in October. With reliable exploits for the vulnerabilities rapidly being adopted by security researchers and cyber criminals alike, the company rushed out a fix for the flaw on Thursday.

Overall, the incident has left a bitter taste in the collective mouths of many security professionals.

"I think there is a lot of sentiment toward not using Java at all if you can avoid it," says Stephen Cobb, security evangelist for antimalware firm ESET. "That is what I would say, and I'm not the first to say that, and I'm not alone in saying that."

Security firm Sophos is among the many to recommend that users turn off the Java plug-in within the browser. And the U.S. Computer Emergency Readiness Team (CERT), the response agency for the U.S. government, offered advice for system administrators that boiled down to "remove Java plug-ins." In April, InfoWorld covered the backlash against Java in the wake of the infection of more than 600,000 Mac computers by the Flashback Trojan and pointed out why removing Java infrastructure is not an option for many enterprises.

While Oracle is not to blame for malicious actors using Java, the company needs to clarify its commitment to securing the platform, argues ESET's Cobb.

An analysis of the flaws found that Oracle introduced the issues into Java 7 a year ago and warned that while it was found recently, cyber criminals and intellectual-property thieves had likely been using the attack for months.