Hacking

Oracle Pulls Plug on Java Browser Plug-In

Oracle earlier this week announced its decision to scrap its Java browser plug-in.

The plug-in, which has been a frequent target of hackers, won’t be included in the next version of the kit for Java developers, JDK 9, which is expected to ship in September.

Oracle’s action was motivated by browser makers’ withdrawal of support for the plug-in.

As browser vendors restrict and reduce support for plug-ins in their products, developers of applications that depend on the Java plug-in need to consider alternatives, the company said.

Victim of Mobile

In a white paper for developers released this month, Oracle said plug-ins have become undesirable in a tech world that’s increasingly mobile.

“The rise of web usage on mobile device browsers, typically without support for plugins, increasingly led browser makers to want to restrict and remove standards based plugin support from their products, as they tried to unify the set of features available across desktop and mobile versions,” the white paper said.

“Google and Microsoft have already gotten away from using the Java plug-in,” said Jim McGregor, principal analyst atTirias Research.

“It’s an evolution of the software environment,” he told TechNewsWorld. “Plug-ins were great when we were first trying to enable multimedia features at websites, but the way that things are programmed now, they’re more a security hazard than a benefit.”

History of Vulnerability

Plug-ins are similar to browser extensions, but with a lot more permissions, noted Alex Smith, director of identity and access management products atIntermedia.

“They were primarily created to allow non-HTML content to be viewed from within the browser. A program external to the browser, like a PDF viewer, would actually render the content and then display it within the browser,” he told TechNewsWorld.

“In the case of the Java plug-in, this allows Java code — not JavaScript — to be executed locally — that is, outside of the browser — and displayed within the browser window,” Smith said.

“Since the Java client has a long history of security bugs and sloppy patching, it makes for a really attractive attack vector when paired with a browser,” he added.

Because the latest versions of the leading browsers have disabled the Java plug-in, Oracle’s move won’t affect many consumers, but it could have an impact on some businesses.

“I only really see it used for legacy applications, typically in-house-developed apps which should have died years ago,” Smith said.

“Forcing companies to deal with and remove this legacy crap might be painful in the short term, but it’s always the right thing to do in the long term,” he added.

HTML5 or Web Start?

For some companies, however, retiring those legacy apps — even in the name of security — could prove to be difficult.

“Overall this is a good step forward, but it doesn’t address legacy dependencies,” said Simon Crosby, CTO atBromium.

“For example, if your company uses Oracle ERP 11, you’re still stuck on Java 6 or 7 on the endpoint, which have a woeful security record,” he told TechNewsWorld. “You can’t buy a new ERP system just to prevent cyberattacks.”

Pulling the plug on the Java plug-in means developers will have to move any apps that use it to another technology. Oracle recommends using Java Web Start, although that may not be the best alternative.

“I believe that most vendors should invest in HTML5 technologies that are native to the browser and receive the development attention of the whole community,” Wolfgang Kandek, CTO ofQualys, told TechNewsWorld.

Removing unnecessary plug-ins from browsers can only improve security, said Craig Williams, senior technical leader at Cisco’sTalos Security Intelligence and Research Group.

“By removing plug-ins from the browser,” he told TechNewsWorld, “we remove this attack surface, making all users more safe from both known and unknown zero-day vulnerabilities.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels