Oracle Patches Dangerous Java Holes

Oracle on Monday was distributing a patch for Java software flaws deemed so dangerous that the U.S. Department of Homeland Security said that people should stop using it.

"Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited 'in the wild' and some exploits are available in various hacking tools," Oracle's Eric Maurice said in a blog post.

The patch was crafted to fix two holes that hackers could slip through in Java 7 software used by web browsers to interact with websites.

"To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website," Maurice said.

"The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system."

Essentially, hackers could take advantage of the vulnerability to infect and take control of computers by getting them to visit a booby-trapped website.

Oracle raised Java security settings so that mini-programs referred to as "applets" will need to get permission from website visitors before being able to run on people's computers, according to Maurice.

Despite the patch, which was released by Oracle on Sunday, computer specialists at the Department of Homeland Security advised people to avoid using the software "unless it is absolutely necessary," even after updating.

"This will help mitigate other Java vulnerabilities that may be discovered in the future," the DHS Computer Emergency Readiness Team said Monday in an updated advisory on its website.

Java is distributed by business software powerhouse Oracle and is popular because it lets developers create websites in code that can be accessed regardless of a computer's operating system.

Java was created by Sun Microsystems, which was purchased by Northern California-based Oracle.