After two decades of awful memories and zero-day vulnerabilities, Oracle is killing off the notoriously insecure Java browser plug-in. When Oracle releases version 9 of the Java Development Kit (currently anticipated for 23 March 2017), it’ll be deprecated and gone.
For those too young (or too traumatized) to remember, there was a moment way back in the 1990s when “Java in the browser” looked poised for global domination. Sun Microsystems’ tiny animated Duke applet seemed the harbinger of the web’s animated, cross-platform future.
Thundering herds of developers built thousands of applications designed to run on Java through a browser plug-in. Not just junky animations: business applications of all kinds.
Thanks to the cross-platform NPAPI plug-in API standard, Java plug-ins and their applications could run on multiple browsers, on multiple platforms – generating colossal security holes and killer migraines for anyone who cared about the safety of their computing environments.
First Sun – and then its successor Oracle – invested massive time and effort in shoring up Java browser security. But Java’s vulnerabilities kept on coming. Take for example:
- The massive bestiary of Java applet security flaws cataloged years ago in Securing Java.
- The newer Java flaws embedded in the Blackhole exploit kit in 2012.
- The multiple Java flaws CERT told the world about in 2013 – flaws that affected Java inside and outside the browser, with “web browsers using the Java plug-in… at particularly high risk”.
With each new security nightmare, we (and plenty of other experts) told everyone to get rid of Java in the browser. Gradually, most folks listened. Those responsible for fast-growing mobile platforms like iOS and Android never let Java plug-ins near their browsers.
Finally, in 2015, leading desktop browser makers – Google, Mozilla and Microsoft – all announced plans to stop supporting the NPAPI standard that made such plug-ins practical. It’s becoming increasingly difficult to run Java in a halfway modern PC browser, should you so desire.
OK, nobody “so desires.” But some folks are still forced to run it, by legacy applications that still haven’t been upgraded or replaced.
Some of that software was built in-house many years ago, and somebody somewhere in management can’t bring themselves to pay for replacing it. (Please: bite the bullet.)
Some folks are still running vertical market applications dating to the Pleistocene. As BeyondTrust executive Morey Haber says in TechTarget’s SearchSecurity, “many financial and healthcare applications [are] pure Java and will have to adapt… legacy applications for professionals like radiologists or financial planners will require older browsers, continue to be vulnerable, and represent an exponential risk”.
Occasionally, even a major enterprise system shows up on the list – for example, in TechNewsWorld, Bromium CTO Simon Crosby cites Oracle ERP 11 as still requiring the flawed Java 6 or 7 at the endpoint.
If you’re still stuck with an application that requires Java in the browser, you (or your vendors) have two primary migration options. You can use the modern standards-based HTML5 to deliver comparable functionality in modern browsers, without Java. Or you can convert your Java code with Oracle’s Java Web Start technology.
Once you’ve done that, the application can be launched outside the browser from either a desktop shortcut or a web link. If the latter option interests you, check out Oracle’s brief white paper on Java Web Start, and don’t miss its tips on tracking down stray Java applets still lurking in your infrastructure.
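As an added example (not from the original article or from Oracle’s white paper), here is a small Python scanner that flags the HTML elements which would pull in the Java plug-in or launch Java Web Start, so you can inventory pages before migrating them. The MIME types and classid are the ones the Java plug-in registered; the sample page is constructed.

```python
from html.parser import HTMLParser

# MIME types the NPAPI Java plug-in registered for <object>/<embed>
JAVA_MIME_PREFIXES = ("application/x-java-applet", "application/x-java-bean", "application/x-java-vm")
# CLSID of the Java Plug-in ActiveX control used by <object classid=...> in Internet Explorer
JAVA_CLASSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"


class AppletFinder(HTMLParser):
    """Records every element that would load the Java plug-in or launch Java Web Start."""

    def __init__(self):
        super().__init__()
        self.hits = []  # (line number, tag, reason)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        line = self.getpos()[0]
        if tag == "applet":
            self.hits.append((line, tag, "applet element"))
        elif tag in ("object", "embed"):
            if a.get("type", "").startswith(JAVA_MIME_PREFIXES):
                self.hits.append((line, tag, "type=" + a["type"]))
            elif a.get("classid", "") == JAVA_CLASSID:
                self.hits.append((line, tag, "Java plug-in classid"))
        elif tag in ("a", "param"):
            # <a href="x.jnlp"> launches Web Start; <param name="jnlp_href"> is an applet deployed via JNLP
            target = a.get("href") or a.get("value") or ""
            if target.endswith(".jnlp") or a.get("name") == "jnlp_href":
                self.hits.append((line, tag, "JNLP reference " + target))


def find_java_embeddings(html_text):
    """Return [(line, tag, reason)] for every Java plug-in or Web Start dependency in one HTML document."""
    finder = AppletFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits


# Constructed sample page (not from any real application) mixing plug-in and Web Start usage.
SAMPLE_PAGE = """<html><body>
<applet code="Viewer.class" archive="viewer.jar" width="600" height="400"></applet>
<object type="application/x-java-applet;version=1.6" width="300" height="200">
  <param name="code" value="Report.class">
</object>
<embed type="application/pdf" src="manual.pdf">
<p>Launch the desktop version: <a href="/launch/viewer.jnlp">Viewer (Web Start)</a></p>
</body></html>"""

if __name__ == "__main__":
    for line, tag, reason in find_java_embeddings(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {reason}")
```

Run it over each page in a crawl of your intranet; the `<applet>` and Java-typed `<object>` hits are the ones that still need the plug-in, while `.jnlp` links are already on the Web Start path.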
With Oracle killing the Java plug-in, and browser-makers abandoning it in droves, this might be the last time we ever have to tell anyone to trash Java in the browser. That would be so great.