Java Security Problem Still Not Fixed; Don't Download The Update

Don't download the new Java update, and if you haven't disabled Java on your browser yet, do that right now.

If the Department of Homeland Security says it's a problem, then it must be bad. Earlier this month, DHS warned computer users everywhere to disable Java in their web browsers because egregious security flaws had been discovered. A flaw in the Java Security Manager allowed Java 7 permission to execute any arbitrary code, including malicious code in a hacked Java applet.

This was big news because Java is such a basic and ubiquitous little piece of programming that nearly every web browser, on both Mac and PC, runs it. How big of a problem was it? I was first told to disable my Java by Brian Williams on NBC Nightly News. DHS, in its announcement, suggested that anyone running the Java plug-in Version 7, Update 10, in their web browsers (which is everyone) to leave their Java disabled until an updated, more secure version called Update 11 was released.

Last week, Oracle, maker of Java, released a patch for their flawed software. Don't download it.

Coding experts took a look at the patch and announced on Friday that they discovered that Oracle's patch, Update 11, still allowed the original security problem, and two new security vulnerabilities were found as well.

Basically, this means that updating Java at this moment - something DHS originally suggested people do once Oracle issued a patch - makes your machine more vulnerable to malware, because Oracle's update doesn't fix the problem, but instead creates potential new ones. Soon after Oracle's "fix", there were reports of malware posing as the Java Update 11.

Now internet security experts are growing impatient with Oracle. As Computerworld reported, one expert is telling Oracle to completely redesign Java from the ground up.

"Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it," said Andrew Storms, director of security operations at nCircle Security to Computerworld's Gregg Keizer.

"Obviously, there's something broken in the Java development or design cycles. Oracle needs to wake up and learn secure software development," said Storms.