US-CERT continues call to disable Java plug-in

Even after Oracle patched critical Java vulnerabilities on Monday, the U.S. Computer Emergency Readiness Team (US-CERT) continued urging users to disable Java browser plug-ins.

"Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in Web browsers," said US-CERT in a note Monday, a day after Oracle shipped an "out-of-band," or emergency update.

While calls to disable a plug-in -- or even to stop using a particular browser -- are not uncommon in the face of active exploits of an unpatched vulnerability, it's unusual that they continue after a patch is released.

But a pair of security professionals, including a researcher known for uncovering scores of Java bugs, said US-CERT's move was justified.

"Disabling Java seems to be a reasonable step to mitigate the risk associated with confirmed, not-yet-patched flaws," said Adam Gowdiak, founder and CEO of Security Explorations, in an email late Tuesday.

Gowdiak was referring to other Java vulnerabilities he has reported to Oracle, including two that he has been told will be patched in an upcoming Feb. 19 update.

01-19-2013 19:10