Java security fix coming 'shortly'; Up to 850m machines at risk

A day after the U.S. Department of Homeland Security warned computer users to disable or uninstall Java after a serious security vulnerability was discovered by researchers, Oracle has said that a fix will be made available "shortly."

Oracle, which develops the Java plug-in software after the technology giant acquired Sun Microsystems in 2009, did not give a timeframe in which a fix would be released, though it is expected this coming week.

More than 850 million PCs around the world use Java, according to Oracle, and could be at risk if they do not disable or uninstall the plug-in immediately.

While the flaw was found in Java 7, Oracle told sister site CNET in a statement that the flaw does not exist in older versions of the software.

Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to [Java Development Kit 7]. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices," a spokesperson told CNET.

In a rare move, the U.S. government warned computer users on Friday to disable the software to prevent hackers and malware writers from taking advantage of the zero-day vulnerability -- which is currently being exploited in the wild.

There are fears that the vulnerability in Java 7 could allow unauthorized installation of malicious software on machines, which could then be used to acquire personal information, which could lead to identity theft. There is a strong risk that infected computers could become part of a wider "botnet"; a network of 'zombie' machines that are used to carry out denial-of-service attacks on Web sites and networks.

http://www.zdnet.com/java-security-fix-coming-shortly-up-to-850m-machines-at-risk-7000009723/