As humans, we have a difficult time letting go of things. Whether it be a favorite pair of jeans, a beloved dog or an old friend who you know is just bringing you down, putting aside things we know well is hard to do. But sometimes things are just too broken to be useful any longer, and that’s the point we’ve reached with Java.

It’s easy to take shots at Java, and by extension, Oracle, for the continuous parade of vulnerabilities that have plagued it over the course of the last few years. The bugs are too numerous to list here, but suffice it to say there have been more than a few. But it’s also not very useful to do that. Anyone who has been paying attention to Java’s career arc knows it hasn’t been a smooth ride, so kicking dirt on its corpse doesn’t serve any purpose.

But the problem is that Java isn’t dead yet. It’s alive and kicking in hundreds of millions of browsers, many of which reside on the PCs of users who are unaware of the security problems the technology has. News reports of new Java vulnerabilities often are loaded with technical details that are unimportant to or over the head of typical home users. Mostly, those folks are interested in what the ramifications of the vulnerabilities are and what actions they need to take in order to protect themselves. In most cases, the answer to those questions is that users should either disable or uninstall Java altogether until the problem is resolved.

But then once a patch is ready and users are told they can safely go back to using Java, it’s only a matter of time until the next bug appears and we’re all back to repeating that advice. It’s clear now that Java has become that friend who only comes around when he needs money or a place to crash and doesn’t contribute anything to the relationship. It’s time to get off that carousel and just cut Java loose altogether.

From a user’s perspective, it’s hard to make the case to keep using Java. It’s just one of those legacy technologies that’s been hanging around for a while, whether through inertia or indifference or whatever else. It’s just there and most people don’t think much about it until a new problem crops up. Then it’s a fire drill, getting the word out to users about the new bug, telling them to disable Java and on and on.

There are very few instances in which Java is required and a user can’t get around it by using a different app or finding an alternative technology to do the job. One of those instances is using WebEx, which requires both Java and JavaScript for its Web-based meetings. That can be a major stumbling block for many corporate users who are required to use WebEx for company meetings, sales presentations and webinars. That’s an important use case, but it’s not nearly enough to warrant a stay of execution for Java.

If you’re in this situation, needing Java for one or two specific tasks, there’s a simple workaround: Keep Java enabled in one browser and use that only for the WebEx sessions (or other similar tasks). Don’t use that browser for general-purpose Web browsing, and be diligent about updating Java when new versions are pushed out. Otherwise, disable the plug-in in the other browsers you use for everyday tasks. There’s just no upside to using it at this point.
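As an added example, not part of the article, here is one way an administrator can enforce the “plug-in off” advice above for every user of a Linux machine rather than relying on each person to find the checkbox, using the JRE’s own deployment.config and deployment.properties mechanism (Java 7 Update 10 or later). The /etc/.java/deployment path, the deployment.webjava.enabled key and the .locked suffix are Oracle’s documented settings; the script, its function names and the --apply switch are my own.

```shell
#!/bin/sh
# Added example: disable Java content in all browsers system-wide while leaving
# standalone Java applications untouched. Assumes Java 7u10+ on Linux, where the
# JRE reads /etc/.java/deployment/deployment.config at startup.
set -e

# Documented system-level location on Linux; override for testing.
SYSTEM_DIR="${SYSTEM_DIR:-/etc/.java/deployment}"

# Write the system-wide properties file into $1 and print its path.
write_deployment_properties() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/deployment.properties" <<'EOF'
# Turn off Java content in every browser (the Java Control Panel checkbox).
deployment.webjava.enabled=false
# Lock the key so users cannot flip the checkbox back on from the Control Panel.
deployment.webjava.enabled.locked
EOF
    echo "$dir/deployment.properties"
}

# Write deployment.config into $1 pointing at that properties file and mark it
# mandatory, so the JRE treats a missing or unreadable file as an error.
write_deployment_config() {
    dir="$1"
    mkdir -p "$dir"
    printf 'deployment.system.config=file://%s/deployment.properties\n' "$dir" > "$dir/deployment.config"
    printf 'deployment.system.config.mandatory=true\n' >> "$dir/deployment.config"
    echo "$dir/deployment.config"
}

# Check: does the properties file under $1 both disable and lock the plug-in?
# Returns 0 when both lines are present, 1 otherwise.
java_plugin_disabled() {
    f="$1/deployment.properties"
    [ -f "$f" ] || return 1
    grep -q '^deployment\.webjava\.enabled=false$' "$f" || return 1
    grep -q '^deployment\.webjava\.enabled\.locked$' "$f" || return 1
    return 0
}

# Apply only when run explicitly (as root): ./disable-java-plugin.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_deployment_properties "$SYSTEM_DIR" >/dev/null
    write_deployment_config "$SYSTEM_DIR" >/dev/null
    java_plugin_disabled "$SYSTEM_DIR" && echo "Java browser plug-in disabled system-wide"
fi
```

Run the check function on its own after a Java update to confirm the installer did not replace the properties file.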

“We’ve been telling folks to disable Java 10 times a year for the past couple of years now,” HD Moore, CSO of Rapid7 and the creator of the Metasploit Project, said about the use of Java. “It’s really to the point where you should be telling people to keep it disabled all the time.”

Time was, making such a decision would have made it quite difficult to use the Web effectively, given the broad use of Java on many Web sites. But that’s no longer the case and the potential downside of running Java far outweighs the upside, so it’s time to cut ties and let it go. The widespread availability of Java exploits in exploit kits such as Blackhole and Cool makes the threat more ominous, as that gives even unskilled attackers the ability to target large numbers of victims. These are exploits for the masses, not the privileged few.

In the face of that kind of threat, the most rational course of action is to simply eliminate the target, and that means it’s time to abandon Java for good.

Categories: Vulnerabilities

Comments (27)

  1. Larry J Seltzer

    I have very little love for Java, but it’s important to underscore that Java’s considerable problems are limited, at least in the real world, to the browser plugin. For 90-something % of desktop users with a need for Java, the browser interface is all they need, so they don’t need Java at all. But there are users who need Java for apps; for instance, I hear there is important primary/secondary educational software written in Java. For them, disabling the browser plugin, which Oracle now thankfully lets you do in the control panel, solves the problem. (Is there a group policy or some other manageable interface to that setting?)

  2. Max

    Don’t see how Java is any different from Flash or other plugins. Problem is more of updates that aren’t easy to apply or need users to make a decision. Same could be said for Windows come to that

  3. Anonymous

    Perhaps you could also apply the “lose-it” argument to Microsoft Windows and the current incarnation of web browsers. I also see JavaScript used by malware much more often than Java is used.

    Wait a minute! Think of all those security “experts” you would be putting out of a job! They would not have anything to find “exploits” in that they could tell the world about!

    Regards,

  4. Rocio Castro

    Hi!

    Nobody knows the complete story. So, it is easy to point fingers.

    Right now, why not YOU tell me, directly, to me the next technical step?

    A PARTIAL history has been told. In fact it is just the beginning of what happened to me (many other people, immigrants or not). There is room for improvement.

    Learning is a continuous process, ever changing.

    Instead of telling us that there is nothing that you or anybody can do about JAVA.

    We know the behavior of a virus. There is not much difference between a virus in devices and in the body.

    So, if we cannot do anything to improve the viral infections, can we establish or suggest policies to protect children, adolescents, …

    Emotions aside, let’s just work together.

    Should we at least try it?

    Rocio Castro

  5. Mauro Migliardi

    As some readers have already pointed out, it seems to me that the article fails to perceive a baseline truth: software has bugs.

    Is the JVM a piece of software? Yes.

    Is the Java plugin a piece of software? Yes.

    Is anything we execute on our pcs/tablets/smartphones a piece of software? Yes.

    Quite harsh a judgement to just point your finger toward Java, isn’t it?

    Then, there is another baseline truth: anytime you automagically run new code you expose yourself to a risk.

    Why is Java that different from any other server provided but client executed code?

    There are now frameworks that give access to hardware resources of tablets and smartphones to Javascript code executed in browsers: are we sure the javascript engines are so much safer than Java Virtual Machines? Is there a fundamental reason why they should?

    Aren’t we just swapping a powerful but potentially dangerous tool for just another one?

  6. Cody Burleson

    I cannot argue with your point about Java in the browser, but I think it would have been better if the article was called “It’s Time to Abandon Java Applets” or “It’s Time to Abandon Java in the Browser”. You seem to use the term, Java, as if it specifically refers to Java in a browser. You say things like “kicking dirt on its corpse”, with “its” being formally referred to as Java. The article’s context, being Java in the browser, is pretty clear, but perhaps not enough. Java is very, very much alive – especially within the corporate enterprise where it powers some of the world’s leading platform software such as portals, content management systems, social suites, CRMs, HR systems, etc. The term, Java, in my opinion, is a very broad term which accounts for the entire language and subsumes all things created with it. Java Applets – that part that goes in the browser – is probably one of the smallest facets of Java, which Java boneheads like me care little about anyway.

    But, I agree. It was always kind of crappy in the browser (except for in the early nineties when it was the only option). Good riddance to Java in the browser (i.e. Java Applets)? Sure. Why not? But if we’re going to be throwing away crap and cleaning house, shouldn’t we send Internet Explorer to the trash heap too?

  7. Boris

    Scanned article for phrases “client-side” or “server-side”. Didn’t find.
    Therefore not reading, on the basis that you don’t know what you’re talking about.

  8. Anonymous

    Security vulnerabilities are not in the nature of Java but in the nature of closed source. Use OpenJDK on Linux and any Oracle JDK problems on Windows and other operating systems will not affect you at all.

  9. Dave

    YOU (commenters) seem to forget one thing… the problem with Java isn’t so much that it’s exploitable, it’s that the company responsible for it isn’t really interested in patching it quickly or well, and that company also doesn’t seem to care if it’s making a mess of the (mostly Windows) users’ systems. Mr. Ellison has no love for Microsoft or Windows, and doesn’t seem interested in fixing the issues. Microsoft said as much in October of 2010, and the situation hasn’t improved one bit since then. Java must go because Oracle does not care.

  10. Reality Check

    Dennis, the far greater risk to security is that there are no laws to prevent illiterate, biased morons like you from posting the kind of crap you have just dumped on us here. Sadly, some people will take you seriously in the assumption that you have even a fraction of a clue of what you are talking about. Ludicrous comments like “It’s just one of those legacy technologies that’s been hanging around for a while, whether through inertia or indifference or whatever else.” clearly highlight your inability to even use such “advanced” technologies as “Google search”.

    Had you actually done any research before you started typing this gibberish you would have learned that Java is consistently the most popular and heavily used programming language in the world (occasionally losing this crown to C). Yes, that is CURRENTLY! Why do you think that might be? Must be a global epidemic of inertia and indifference I suppose…

    Why don’t you do us all a favour and state the true motivation behind this nonsense post? Big fan of Microsoft are you? (That would be understandable given the spotless security records of their flagship products such as IE, Windows, ActiveX etc. LOL). Or maybe you are a Google fanboy and didn’t take too kindly to Oracle suing them over Dalvik? (I mean just because the class names and method names are identical to Java doesn’t mean it *is* Java right? LOL). Some other reason for so much animosity towards Java?

    Whatever your actual motivation, please spend a few minutes researching your next topic before clicking the Post button. Or for you Dennis, maybe it’s “time to abandon posting on the interwebs”.

    P.S. These comments are based on the assumption that you are not just a mindless troll, even though there is scant evidence to support this theory.

  11. Octavian Nita

    I don’t recall anyone saying that it’s time to abandon ActiveX and that piece of … technology had thousands of vulnerabilities…

  12. Jon Davis

    The frustrations with Java have not been just client-side. How easily you guys seem to forget that Java 7 was released with a compiler bug that, if a certain optimization flag was set, automatically destabilized your code. There has been one problem after another with Java over the last couple of years, and the fact that the most recent craziness was solely in the client has no bearing on the fact that it is all one umbrella solution of “Java”, not to mention one maintainer/owner.

  13. Anonymous

    Java is garbage. So many holes and the patches screw up the functioning of Java which take many vendor applications down.

  14. Anonymous

    So long as people keep programming things in Java it will never go away. Java does NOT belong in a corporate environment; as an I.T. specialist, we spend a significant time addressing patches, etc. for Java far more than for other apps and OSes. That is time better spent supporting our customers on things that need attention instead of always trying to stay ahead of the malicious programmers out there….

  15. alberlau

    I don’t see a future for Java at the client side. However it will live long at the server side.

  16. Anonymous

    Fsck Java, seriously, it’s a P.O.S. with no future with the lemmings marching towards closed devices.

    Oracle and everyone else knows it has no future, so they have second rate programmers maintaining it and they want to maintain their jobs so they are fscking up on purpose so they can justify their existence.

    I disabled Java in my browsers a decade ago and am so glad I did after seeing all the malware for it come and go.

    And let’s not forget Apple who INTENTIONALLY didn’t fix Java they were maintaining for OS X users on time, thus allowing the Flashback trojan to infect not only 750,000 Macs, but the ENTIRE CUPERTINO HQ as well.

    Search Wikipedia for Flashback for details, and the associated sites that show the IP addresses for Apple Inc were pwned hard.

    Also Apple didn’t fix the FinFisher iTunes exploit for three years (after being notified of it) while it was being sold to (good and bad) governments to spy into people’s machines.

    Fsck all of you, Apple, Oracle, Microsoft, Adobe etc.

    Sincerely yours, the consumer.

  17. Anonymous

    Java is not a troublesome language, easy to debug and fix.

    For the browser problem, one solution I’ve used is to stay a version behind or so until they fix the bugs in the new one. Actually, I’d recommend that for software in general.

  18. Carlos Crosetti

    A recommendation to abandon Java (or any other widely adopted technology, like DotNet) demands, to be serious, some numbers/metrics around the risks and potential losses, in order to support what you say. Without such numbers you are talking about your feelings…

  19. Anonymous

    What about those people that play minecraft? (One of the top ranking games at this point, written in JAVA!)

Comments are closed.