The U.S. Department of Homeland Security has advised computer users to temporarily disable or uninstall Oracle Corp.'s (NASDAQ:ORCL) Java software, warning that a serious flaw in the software could make the system vulnerable to hacking.
The warning came in an advisory posted on the department’s website late Thursday night, amid escalating fears and warnings from security experts about a flaw in Java Runtime Environment (JRE) 7 and earlier versions that allows attackers to install malicious software on computers.
The vulnerability is so dangerous that the Department of Homeland Security's Computer Emergency Readiness Team urged people to stop using the software immediately to mitigate damage.
“Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers,” the agency said in its advisory.
"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. We are currently unaware of a practical solution to this problem," the agency said.
Experts had been warning about a weakness in Java’s code that could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system, leading to identity theft and other criminal activities.
Java is a popular program used by millions worldwide in Windows, Mac and Linux operating systems and in mobile and television devices. Its popularity has made it a favorite target of hackers.
According to security software maker Kaspersky Lab, Java was the most frequently attacked piece of software last year.
Programs and applications written in Java can run on any type of computer and in various web browsers, such as Firefox, Chrome and Internet Explorer, through Java plug-ins.
The DHS-CERT’s advisory came after security experts on Thursday warned of a newly discovered flaw that reportedly could be used to bypass security checks in Java.
According to the security experts, a recently discovered flaw, a zero-day vulnerability in the latest version of the Java Runtime Environment, has made its way into several popular exploit kits such as Blackhole, Cool and Nuclear Pack.
“This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available,” the advisory said.
In a similar incident in August last year, a Java flaw was added to the Blackhole exploit kit within 24 hours of its discovery.
Security experts say that although several security flaws in JRE have been discovered in past years, Oracle has yet to deliver a reliable patch or update that resolves the critical issues.
Adam Gowdiak, a researcher with Polish security firm Security Explorations, told Reuters he believed that Oracle failed to properly test its software fixes for security flaws. "It's definitely safer for users to stay away from Java 'til Oracle starts taking security seriously," he said.
In October, Apple Inc. (NASDAQ:AAPL) released an update for Mac that removed the Java plug-in from all Mac-compatible web browsers. Neither company has specified the reasons for the removal.
Java was first released by Sun Microsystems in 1995 and Oracle Corp. purchased it as part of a $7.3-billion acquisition of its maker in 2010.