Security experts continue to warn against enabling Java in your web browser despite Oracle issuing a patch for the latest vulnerability in the software - which is being actively exploited.

Java 7 Vulernabililty
Java's continued security flaws has led it to be dubbed the "perpetual vulnerability machine" by one security expert.

The latest exploit was discovered last week and allowed cyber criminals to carry out identify theft and other crimes. The US Department of Homeland Security's Computer Emergency Readiness Team (CERT) said on Friday that the vulnerability, which only affects Java 7, "is currently being exploited in the wild. This vulnerability may allow an attacker to execute arbitrary code on vulnerable systems."

CERT went on to advice that "due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers."

The patch issued yesterday is available from the Oracle website and updates Java to Java 7 update 11 (known as 7u11). As well as patching the most recent vulnerability, the update changes Java's default security setting from medium to high - highlighting the serious problems with the software.

However, despite the update,. CERT has continued to recommend that users disable Java in their browsers "unless it is absolutely necessary...even after updating to 7u11."

This sentiment is echoed by Java security expert Adam Gowdiak, a researcher with Poland's Security Explorations, who said: "We don't dare to tell users that it's safe to enable Java again."

HD Moore, chief security officer with online security company Rapid7, told Reuters it could take two years for Oracle to fix all the security bugs already identified in the Java used in web browsers. "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop." 

Vulnerability

The vulnerability allows hackers to embed malicious programs, known as applets, into websites and if a user visits that website and has Java 7 enabled, it will allow the malicious code to be downloaded and give remote access to the PC.

While this is most often done on a website set-up specifically for the purpose of executing this malicious code, criminals have also been able to embed code into legitimate websites which users trust, making it virtually impossible to protect your PC if you have Java 7 enabled on your browser.

The new default "High" security level in Java will mean that no applet which is unsigned or self-signed will be able to run without the express permission of the user. Only programs which are digitally signed by a Certificate Authority (CA) will run without having to get the users' permission.

However, this is not as secure as once thought, as the recent discovery of a rogue certificate allowing people to impersonate Google.com has proved once again.

It was only back in August that Java last hit the headlines, again for all the wrong reasons, as it was revealed that Oracle had known about a security flaw for over 190 days before fixing the problem.

The latest vulnerability follows on from many other security problems with the platform, leading security researcher at F-Secure, Sean Sullivan to dub it the Perpetual Vulnerability Machine.