Oracle isn't really known for keeping its Java plug-in up to date to combat the latest security threats, but following the discovery of yet another zero-day vulnerability last week, the company was pretty quick to act.
Ars Technica writes that Oracle rolled out the out-of-band Java 7 Update 11 just three days after news about the flaw hit the web.
Earlier this week, a security hole in the latest version of Java was being "massively exploited in the wild." Hackers were turning compromised websites into platforms for installing silent keyloggers or other malicious software. And at the time news broke, even fully patched Java installations were at risk.
Security experts quoted by Reuters say it is still unsafe to use Java on your computer, as several other critical security flaws remain unpatched. HD Moore, chief security officer with Rapid7, even goes as far as to say it could take Oracle two years just to fix all the security bugs that have already been identified in the current version of Java.
HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.
"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.