Oracle Fixes Java After Months of Silence, But You Might As Well Keep It Turned Off

The Citizen's Guide to the Future
Aug. 30 2012 4:00 PM

Oracle headquarters in Redwood Shores, California.

Photo by Justin Sullivan/Getty Images

Oracle today released a new version of Java, plugging security holes so severe that experts recommended that Internet users disable the plugin immediately. The fix is available for download here for users and here for developers. “Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” the company wrote in a blog post.

But that urgency stands in contrast to how Oracle seemed to handle the problem. For four days after security researchers publicly reported that hackers were exploiting flaws in the Java web browser plug-in to gain access to people’s computers, the company was silent. I called at least five representatives and emailed the company’s main PR address, and heard in response not a peep.


Ah, but talk is cheap, and the four-day turnaround for the fix suggests that at least Oracle was quick in its actions, right? Well, maybe. But yesterday afternoon, IDG News Service’s Lucian Constantin reported that Polish security researcher Adam Gowdiak had actually notified the Redwood Shores-based company of the problem way back in April. Gowdiak told IDG that an Oracle status report dated Aug. 23 indicated the company was planning to fix the vulnerabilities in its regularly scheduled October update. Its previous update, in June, fixed only three of 29 issues that Gowdiak said he had reported. (A post from Softpedia has additional technical details, for those fluent in computer programming.)

And Alex Lanstein of the security firm FireEye, which publicly reported the Java attacks on Sunday, told me in an email that they had been going on much longer than that.

So for all those who followed my advice and disabled Java, is it now time to turn it back on? Unless you need it, probably not, experts say. Lanstein’s take: “We never recommend users run unnecessary software, so if there isn't a current need for Java, we'd recommend keeping it disabled until it is needed, and of course, patched to the most recent version.” And Sophos’ Chet Wisniewski: “Less programs, less vulnerabilities. If you don't really need it, don't enable/install it.”

Note: I mentioned this in my first post, but it is confusing enough that it bears repeating: Java is not related to JavaScript. Disabling JavaScript will do nothing to protect you from these attacks, and will probably impair your ability to view a bunch of websites that you use on a regular basis. Java applets, on the other hand, have become relatively scarce on the Web over time.

Future Tense is a partnership of Slate, New America, and Arizona State University.

Will Oremus is Slate's senior technology writer.

