As humans, we have a difficult time letting go of things. Whether it be a favorite pair of jeans, a beloved dog or an old friend who you know is just bringing you down, putting aside things we know well is hard to do. But sometimes things are just too broken to be useful any longer, and that’s the point we’ve reached with Java.
It’s easy to take shots at Java, and by extension, Oracle, for the continuous parade of vulnerabilities that have plagued it over the course of the last few years. The bugs are too numerous to list here, but suffice it to say there have been more than a few. But it’s also not very useful to do that. Anyone who has been paying attention to Java’s career arc knows it hasn’t been a smooth ride, so kicking dirt on its corpse doesn’t serve any purpose.
But the problem is that Java isn’t dead yet. It’s alive and kicking in hundreds of millions of browsers, many of which reside on the PCs of users who are unaware of the security problems the technology has. News reports of new Java vulnerabilities often are loaded with technical details that are unimportant to or over the head of typical home users. Mostly, those folks are interested in what the ramifications of the vulnerabilities are and what actions they need to take in order to protect themselves. In most cases, the answer to those questions is that users should either disable or uninstall Java altogether until the problem is resolved.
But then once a patch is ready and users are told they can safely go back to using Java, it’s only a matter of time until the next bug appears and we’re all back to repeating that advice. It’s clear now that Java has become that friend who only comes around when he needs money or a place to crash and doesn’t contribute anything to the relationship. It’s time to get off that carousel and just cut Java loose altogether.
From a user’s perspective, it’s hard to make the case to keep using Java. It’s just one of those legacy technologies that’s been hanging around for a while, whether through inertia or indifference or whatever else. It’s just there and most people don’t think much about it until a new problem crops up. Then it’s a fire drill, getting the word out to users about the new bug, telling them to disable Java and on and on.
If you’re in the situation of needing Java for one or two specific tasks, there’s a simple workaround: Keep Java enabled in one browser and use that browser only for WebEx sessions (or other similar tasks). Don’t use that browser for general-purpose Web browsing, and be diligent about updating Java when new versions are pushed out. Otherwise, disable the plug-in in the other browsers you use for everyday tasks. There’s just no upside to using it at this point.
“We’ve been telling folks to disable Java 10 times a year for the past couple of years now,” HD Moore, CSO of Rapid7 and the creator of the Metasploit Project, said about the use of Java. “It’s really to the point where you should be telling people to keep it disabled all the time.”
Time was, making such a decision would have made it quite difficult to use the Web effectively, given the broad use of Java on many Web sites. But that’s no longer the case, and the potential downside of running Java far outweighs the upside, so it’s time to cut ties and let it go. The widespread availability of Java exploits in exploit kits such as Blackhole and Cool makes the threat more ominous, as it gives even unskilled attackers the ability to target large numbers of victims. These are exploits for the masses, not the privileged few.
In the face of that kind of threat, the most rational course of action is to simply eliminate the target, and that means it’s time to abandon Java for good.