Java

Over the course of the last two years, Oracle's Java has been exploited time and again as hackers eviscerate the technology, seemingly at will.

As each exploit emerges against Java, Oracle typically responds within a short period of time with a security update, only to have the update exploited within days. While Oracle has pledged with its successive releases that it is improving Java security, the company has not publicly spoken out about the string of exploitation that has crippled confidence in Java in recent months. That is until now.

Java's new security settings, designed to block "drive-by" browser attacks, can be bypassed by hackers, a researcher announced Sunday.

The news came in the aftermath of several embarrassing "zero-day" vulnerabilities, and a recent commitment by the head of Java security that his team would fix bugs in the software.

At this point, the words “Java” and “exploit” have become so tightly knit and so often used that they’ve faded into white noise as quickly as they’ve joined. Today, there’s yet another development in the long and monotonous story about Java that just refuses to stop unfolding.

Trend Micro has spotted a piece of malicious software that masquerades as the latest patch for Java, a typically opportunistic move by hackers.

Oracle released two emergency patches on Sunday for its Java programming language and application platform, which is installed on millions of computers worldwide.

Microsoft and Oracle both released patches this week for zero-day exploits found in Internet Explorer 8 and Java. If you still use Internet Explorer 8 or below, you should probably download the fix available via Windows Update. As for Java, you should probably still keep that disabled.

Krebs on Security reports that a hacker has already found a hole in the Java fix that Oracle uploaded this week. This particular hacker relayed the news to others on a private Web forum, and began looking for buyers. Here’s the sales pitch:

Hackers behind the long-running espionage campaign dubbed Red October were also using an old Java exploit to capture targets from government agencies and embassies.

Earlier this week Russian security firm Kaspersky Lab announced the discovery of a targeted malware campaign aimed at high-profile diplomatic, military and government targets across 39 nations. The victims were primarily in Eastern Europe, however individuals in Western Europe and North America were also targeted.

Oracle Corp. said Monday it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week. Even after the patch was issued, the federal agency continued to recommend that users disable Java in their Web browsers.

Oracle Corp released an emergency update to its widely used Java software for surfing the Web on Sunday, days after the US government urged PC users to disable the program because of a bug it said made computers vulnerable to attack by hackers.

Java security expert Adam Gowdiak, who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws. "We don't dare to tell users that it's safe to enable Java again," said Mr Gowdiak, a researcher with Poland's Security Explorations.

Java has its security flaws, but it isn't going away any time soon—after all, many important applications run on the technology, especially in business settings. Still, numerous users are worried enough about vulnerabilities that they restrict Java's ability to run on their machines. That's what we heard from Ars readers when we asked Friday whether they let Java run on their computers, and why.

Polish firm Security Explorations and its CEO Adam Gowdiak continue to be the a thorn in Oracle's side by repeatedly questioning the giant's decision not to issue an out-of-band patch for a critical Java flaw in Java SE (Standard Edition) 5, 6 and 7.

According to their research, the vulnerability could allow attackers to bypass the security sandbox in those three versions of Java, which are currently installed on nearly a billion of machines around the world.