Oracle has announced that it’s finally going to kill its Java browser plug-in. This move can’t come soon enough — in recent years, the Java browser plug-in has become a favored target of hackers and malware authors. A 2014 report from Cisco claimed that a whopping 91% of all attacks were against Java.
The situation has actually improved somewhat since then; Cisco’s mid-year 2015 report indicated that while Java was still a major headache, the company had made progress on reducing its attack profile and improving overall security. As of last year, attacks against Flash were rising sharply, while Java declined overall.
Despite these improvements, Oracle is still deprecating the Java plugin when it releases Java 9, and removing it entirely at some point after that date. Both Edge and Chrome have already nuked browser support for Java from orbit; Firefox announced plans to do so late last year. Historically, Oracle has been slow to respond to vulnerabilities in Java, and its sandboxing was never as foolproof as the company advertised.
Oracle’s stated reasons for killing the browser plug-in don’t mention the broken sandbox model or the lack of an automatic security update process. Instead, the statement reads:
As Java evolved to become one of the leading mainstream development platforms, so did the applet’s hosts – the web browsers. The rise of web usage on mobile device browsers, typically without support for plugins, increasingly led browser makers to want to restrict and remove standards based plugin support from their products, as they tried to unify the set of features available across desktop and mobile versions. The Oracle JRE can only support applets on browsers for as long as browser vendors provide the requisite cross-browser standards based plugin API (e.g. NPAPI) support.
In other words, Java was an amazing, cutting-edge technology, until pesky browser companies decided to kill it.
If you don’t specifically need Java, we recommend uninstalling it. It’s the kind of application that you’ll know if you need (and won’t miss, if you don’t). IE11 still supports Java from within the browser if you need to use it, but Chrome has phased it out and Mozilla is in the process of doing so. Oracle’s migration document suggests that firms which rely on Java’s browser plug-ins should begin investigating “plug-in-free alternatives.”
Computer security is, by its nature, a moving target. Every now and then, however, Team White Hat scores a genuine victory. With Adobe Flash rapidly fading and Java plug-ins facing a near-term expiration date, the Internet should be genuinely safer — at least, for a little while.