The United States Department of Homeland Security has warned that Java is still open to attacks, despite Oracle's attempts to fix its vulnerabilities.
Last week, it was discovered that the web browser software contained a zero-day vulnerability that could allow hackers to remotely control users' computers through the use of arbitrary code, therefore enabling the bypassing of security checks and tricking of Java.
Further reading
Java zero-day exploit being sold for ‘five digits’ New Java exploit details emerge as attacks escalate; no patch from Oracle yet US lawmakers urged to impose minimum cyber security standards for critical infrastructure
As a result, security experts blasted Java as "a mess".
The US government said the flaw enabled hackers to steal the identities of Java users across all types of browser.
However, despite Oracle - the firm behind Java since its acquisition of Sun Microsystems - offering a fix for the software, Homeland Security continues to believe the software poses a potential security threat to web users and still recommends the best of course of action is to disable Java entirely.
"Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174)," said the updated US Cert group statement.
"Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to 'High' so that users will be prompted before running unsigned or self-signed Java applets.
"Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future," the updated statement added.
The recommendation from the US government must come as a blow to Oracle and Java users, with the software installed on millions of computers across the world.
