Oracle has announced that it’s finally going to kill its
Java browser plug-in. This move can’t come soon enough — in recent
years, the Java browser plug-in has become a favored target of hackers
and malware authors. A 2014 report from Cisco claimed that a whopping
91% of all attacks were against Java.
The situation has actually improved somewhat since then;
Cisco’s mid-year 2015 report indicated that while Java was still a major
headache, the company had made progress on reducing its attack profile
and improving overall security. As of last year, attacks against Flash
were rising sharply, while Java declined overall.
Despite these improvements, Oracle is still deprecating the
Java plugin when it releases Java 9, and removing it entirely at some
point after that date. Both Edge and Chrome have already nuked browser support
for Java from orbit; Firefox announced plans to do so late last year.
Historically, Oracle has been slow to respond to vulnerabilities in
Java, and its sandboxing was never as foolproof as the company
advertised.
Oracle’s stated reasons for killing the browser plug-ins doesn’t
mention the broken sandbox model or the lack of an automatic security
update process. Instead, it reads:As Java evolved to become one of the leading mainstream development platforms, so did the applet’s hosts – the web browsers. The rise of web usage on mobile device browsers, typically without support for plugins, increasingly led browser makers to want to restrict and remove standards based plugin support from their products, as they tried to unify the set of features available across desktop and mobile versions. The Oracle JRE can only support applets on browsers for as long as browser vendors provide the requisite cross-browser standards based plugin API (e.g. NPAPI) support.
In other words, Java was an amazing, cutting-edge technology, until pesky browser companies decided to kill it.
If you don’t specifically need Java, we recommend uninstalling it.
It’s the kind of application that you’ll know if you need (and won’t
miss, if you don’t). IE11 still supports Java from within the browser if
you need to use it, but Chrome has phased it out and Mozilla is in the
process of doing so. Oracle’s migration document suggests that firms
which rely on Java’s browser plug-ins should begin investigating
“plug-in-free alternatives.”Computer security is, by its nature, a moving target. Every now and then, however, Team White Hat scores a genuine victory. With Adobe Flash rapidly fading and Java plug-ins facing a near-term expiration date, the Internet should be genuinely safer — at least, for a little while.
Post a Comment