Millions of computer users were advised Friday to temporarily disable Oracle's Java software because of security weaknesses that make their machines vulnerable to everything from virus-infected websites to "ransomware," which often locks users out of their computers until they pay the perpetrators money.
Oracle said it will issue a patch on Tuesday that "contains 86 new security vulnerability fixes." It added that, "due to the threat posed by a successful attack, Oracle strongly recommends" that customers update Java on their computers with the patch as soon as possible.
Java makes it easy for different software programs to run on most computers and websites, and it is widely used throughout the world.
In a warning it issued
The federal agency noted that "reports indicate this vulnerability is being actively exploited" by cyber crooks, who could use the flaw to lure computer users to virus-infected websites. Some crooks already are selling "exploit kits" to other crooks to take advantage of Java's problems, said Liam Murchu, a researcher with Mountain View security firm Symantec.
He said one common scam that
Murchu said Symantec has determined that its Norton anti-virus software can block current versions of malware designed to take advantage of the Java vulnerabilities. So if a
However, he said, crooks may issue new types of malware that might temporarily evade Symantec's software. "So if you really wanted to be safe," he suggested disabling Java until it can be updated with Oracle's patch.
Murchu added that shutting off Java shouldn't cause huge problems for most people, unless they need to access a website that requires the Oracle software, such as some payroll-related sites. In those instances, the user may need to turn on Java just long enough to access that site and then turn it off until the patch can be issued.
"Unfortunately, turning it on and off for most people is cumbersome," Murchu said. And while it may be unlikely a computer would be infected during the brief time it's running Java, he added, "you basically never know when you're going to be hit."
Contact Steve Johnson at firstname.lastname@example.org or 408-920-5043. Follow him at Twitter.com/steveatmercnews