By Jim Finkle
BOSTON (Reuters) - Computer security firms are urging PC users to disable Java software in their browsers, saying the widely installed, free software from Oracle Corp opens machines to hacker attacks and there is no way to defend against them.
The warnings, which began emerging over the weekend from Rapid7, AlienVault and other cyber security firms, are likely to unnerve a PC community scrambling to fend off growing security threats from hackers, viruses and malware.
Researchers have identified code that attacks machines by exploiting a newly discovered flaw in the latest version of Java. Once in, a second piece of software called "Poison Ivy" is released that lets hackers gain control of the infected computer, said Jaime Blasco, a research manager with AlienVault Labs.
Several security firms advised users to immediately disable Java software -- installed in some form on the vast majority of personal computers around the world -- in their Internet browsers. Oracle says that Java sits on 97 percent of enterprise desktops.
"If exploited, the attacker will be able to perform any action the victim can perform on the victim's machine," said Tod Beardsley, an engineering manager with Rapid7's Metasploit division.
Computers can get infected without their users' knowledge simply by a visit to any website that has been compromised by hackers, said Joshua Drake, a senior research scientist with the security firm Accuvant.
Java is a computer language that enables programmers to write one set of code to run on virtually any type of machine. It is widely used on the Internet so that Web developers can make their sites accessible from multiple browsers running on Microsoft Windows PCs or Macs from Apple Inc.
An Oracle spokeswoman said she could not immediately comment on the matter.
Security experts recommended that users not enable Java for universal use on their browsers. Instead, they said it was safest to allow use of Java browser plug-ins on a case-by-case basis when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc
Rapid7 has set up a web page that tells users whether their browser has a Java plug-in installed that is vulnerable to attack: http://www.isjavaexploitable.com/
(Editing by Ciro Scotti)
(Reporting By Jim Finkle)