Millions of computer users were warned Monday to continue disabling Oracle's (ORCL) Java software -- or to use it sparingly -- despite the emergency fix issued by the company for a serious security vulnerability.
Given past flaws that have been found in Java, several experts said they feared more could be discovered.
Even after updating Java with Oracle's latest fix, consumers should disable the software "unless it is absolutely necessary to run Java in Web browsers," the U.S. Department of Homeland Security advised. "This will help mitigate other Java vulnerabilities that may be discovered in the future."
The agency, which on Thursday issued a rare public advisory to disable Java, added in a statement to this newspaper that "it may take some time for researchers to digest the latest patch that's been distributed to address the vulnerability." As a result, it said, federal officials "will continue to monitor the situation and issue updates as they become available."
Computer users were urged last week to disable the software because it makes their machines vulnerable to virus-infected websites and attacks from hackers. The threat disclosure exemplifies the growing global concerns about crooks and others who mount cyberattacks and the chaos they can cause computer users.
Sorin Mustaca, a data security expert with Avira, a German-based company that sells anti-virus software, said anyone using Java in their Web browser should download Oracle's latest patch, which is available at http://java.com/en/download/index.jsp.
But once that is done, he also advised disabling Java and switching it on only when absolutely necessary.
"This is definitely a temporary fix," he said of the patch Oracle hurriedly made available Sunday after initially saying it would do so Tuesday. "If you do a fix under a lot of pressure and very, very fast, then only one thing will happen: more vulnerabilities. So, for me, this is just the rain before the storm. I think it will get worse, it will get much worse."
The flaw was the latest of several that have been found in Java in recent months, including one that resulted in the infection of thousands of Apple (AAPL) Mac computers with malware. The most recent security problem was found in Oracle's latest Java product, version 7. In a statement, the company said it "strongly recommends" that computer users download the patch "due to the severity of these vulnerabilities."
"To be successfully exploited," the company added, "an attacker needs to trick an unsuspecting user into browsing a malicious website. ... These vulnerabilities are applicable only to Java in Web browsers because they are exploitable through malicious browser applets."
As part of the fix, Oracle said it set Java's default security settings at "high," so someone visiting a website will be notified before a Java applet is activated and given the choice of blocking it or letting it run.
Liam Murchu, a researcher with Mountain View security firm Symantec, said his company already has learned of computers being compromised by malware that had exploited the Java flaw. That includes attacks of so-called ransomware, which typically shuts down a user's computer and then demands money to let the victim regain use of the machine.
Apple disabled Java in the operating system for its Mac computers last week, but the Cupertino company on Monday was letting the software run on its machines again because of the patch. Mountain View-based Mozilla also discontinued a precaution it instituted last week, which blocked Java's version 7 on its Firefox browser unless a computer user clicked on a feature to enable the software.
But some consumers remained unsure how they should react.
"What are people supposed to do?" asked 75-year-old Bob Ilgen, a retired Chevron employee in Concord. "It's all very confusing."
H.D. Moore, chief security officer with Rapid7, which helps businesses identify and deal with cyber vulnerabilities, gave Oracle of Redwood City credit for quickly issuing the fix. "It's nice to see," Moore said. But given Java's previous security vulnerabilities, he added, "there is no reason to think this is the last one."
Contact Steve Johnson at 408-920-5043. Follow him at Twitter.com/steveatmercnews.
To download Oracle's patch for the Java version 7 vulnerability, go to http://java.com/en/download/index.jsp.
Because the flaw primarily poses a threat to people when browsing websites and Java isn't essential for most online surfing, some security experts advise computer users to mostly access the Internet with a browser that isn't enabled with Java.
For the few occasions where a person does need Java, such as accessing a business payroll site, they advise using a separate browser that runs Java.
To determine whether the browsers you depend on use Java, go to www.java.com/en/download/testjava.jsp