Despite Oracle's (ORCL) emergency fix to patch a serious vulnerability in its widely used Java software, several security experts on Monday advised computer users to minimize using the product, because of fears more flaws will be discovered.
"This is definitely a temporary fix," said Sorin Mustaca, a data security expert with Avira, a German-based company that sells anti-virus software. "If you do a fix under a lot of pressure and very, very fast, then only one thing will happen: more vulnerabilities. So, for me, this is just the rain before the storm. I think it will get worse, it will get much worse."
Still, Mustaca recommended installing Oracle's security patch, which is available here:
But once that is done, he advised computer users to disable Java and only switch it on when absolutely necessary for some functions, such as those that handle stock trades and employee payrolls.
Although Java is used occasionally by millions of people worldwide, it is generally not vital for most computer or web-based functions, several experts noted. Mustaca said he uses two browsers, one with Java plugged in for limited purposes and another that he uses more frequently without Java activated.
"You're better off disabling Java," said H. D. Moore, chief security officer with Rapid7, which helps businesses identify and deal with cyber vulnerabilities. "For the most part, you don't need it."
He gave Oracle of Redwood City credit for issuing the fix on Sunday, after Thursday's advisory from the federal Department of Homeland Security to disable Java because flaws found in the software could enable crooks to steal information and create other havoc for computer users. Oracle initially had said it would issue the fix on Tuesday.
"It's nice to see," since the company in the past has had a reputation for reacting slowly to flaws, Moore said. But he also noted that Java has experienced a number of previous security vulnerabilities and "there is no reason to think this is the last one."
Contact Steve Johnson at email@example.com or 408-920-5043. Follow him at Twitter.com/steveatmercnews