NEW YORK — Oracle fixed a security flaw in its Java software Sunday after the Department of Homeland Security warned computer users to disable the software completely, citing a loophole that allows hackers to take control of their machines.
‘‘Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system,’’ the agency said in an alert. ‘‘This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered.’’
A European security researcher who blogs under the name Kafeine first discovered the vulnerability and posted it to his blog in a rare alert Thursday.
Advertisement
The homeland security agency said that it had confirmed that Microsoft Windows, Apple’s Mac OS X, and Linux platforms were all affected and that it was ‘‘unaware of a practical solution.’’ On Thursday, the agency had recommended that users disable Java in their Web browsers.
On Sunday, Oracle released a patch for the security hole. Apple stopped shipping its computers with Java enabled last year, largely because of security concerns, but it said it was remotely disabling the Java 7 plug-in on Macs where it had already been installed. Windows and Linux users can disable Java by following a guide on java.com, a website maintained by Oracle.
Oracle did not respond to a request for comment Sunday.
Java, a widely used programming language that runs on more than 850 million personal computers, has been the source of security problems before. In April, hackers exploited a Java vulnerability to infect more than half a million Apple computers with a vicious form of malware in what was the largest-ever attack on the OS X operating system.
A month later, the Shadowserver foundation, a nonprofit group that tracks computer-based threats, discovered that hackers had used a Java security hole to infect visitors to several foreign policy websites, including the websites of the International Institute for Counter-Terrorism, Amnesty International Hong Kong, and the Cambodian Ministry of Foreign Affairs.
Advertisement
What made the exploit particularly disconcerting was that it allowed attackers to download a malicious program onto victims’ machines without prompting. Users did not even have to click on a malicious link for their computers to be infected. The program simply downloaded itself.