February 2, 2016

Good news: Oracle says the next major version of its Java software will no longer plug directly into the user’s Web browser. This long overdue step should cut down dramatically on the number of computers infected with malicious software via opportunistic, so-called “drive-by” download attacks that exploit outdated Java plugins across countless browsers and multiple operating systems.

According to Oracle, some 97 percent of enterprise computers and a whopping 89 percent of desktop systems in the U.S. run some form of Java. This has made the Java JRE (the form of Java most commonly found on end-user systems) a prime target for malware authors.

“Exploit kits,” crimeware made to be stitched into the fabric of hacked and malicious sites, lie in wait for visitors to the booby-trapped pages. The kits can silently install malicious software on the computer of anyone who visits, or is forcibly redirected to, such a site while running an outdated version of the Java plugin. In addition, crooks constantly try to inject scripts that invoke exploit kits via tainted advertisements submitted to the major ad networks.

These exploit kits — using names like “Angler,” “Blackhole,” “Nuclear” and “Rig” — are equipped to try a kitchen sink full of exploits for various browser plugins, but historically most of those exploits have been attacks on outdated Java and Adobe Flash plugins. As a result, KrebsOnSecurity has long warned users to remove Java altogether, or at least unplug it from the browser unless and until it is needed.

On Jan. 27, 2016, Oracle took a major step toward reducing the effectiveness of exploit kits and other crimeware when the company announced it would deprecate the browser plugin in the next desktop version of Java, JDK 9, ahead of removing it from a later release.

“By late 2015, many browser vendors have either removed or announced timelines for the removal of standards based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin based technologies,” wrote Dalibor Topic, principal product manager for Open Java Development Kit (OpenJDK).

“With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology,” Topic continued. “Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release.”

Crooks have used Java flaws to attack a broad range of systems, and not just Windows PCs: In 2012, the Flashback Trojan used a Java flaw to ensnare more than 600,000 Mac OS X systems in a massive botnet.

I look forward to a world without the Java plugin (and to not having to remind readers about quarterly patch updates) but it will probably be years before various versions of this plugin are mostly removed from end-user systems worldwide. And some businesses still reliant on very old versions of Java will continue to use outdated versions of the program.

But for most users, there is no time like the present to determine whether you have Java installed and decide whether it’s time to give it the boot once and for all. Hopefully, this is the last time I will have to include these boilerplate instructions on how to do that:

Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Oracle’s instructions for removing Java from Mac OS X systems are available here.

If you have a specific use or need for Java, make sure you have the latest version. Also, know that there is a way to keep the program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in it: Unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
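The Java Control Panel checkbox mentioned above is just a line in the user's deployment.properties file, and an administrator can set the same switch system-wide and lock it so the checkbox cannot be flipped back on. The following Python script is an added example (not code from this post or from Oracle): it parses a deployment.properties file with the escaping rules of Java's properties format, resolves the "Enable Java content in the browser" setting the way the deployment layer does (a locked system value beats the user's), and emits the system-wide deployment.config and deployment.properties pair that turns the plugin off and locks it. The keys deployment.webjava.enabled, deployment.security.level, deployment.system.config, deployment.system.config.mandatory and the .locked suffix are Oracle's documented deployment properties; the sample file contents, the user name and the file paths are constructed for the example.

```python
"""Audit and harden the Java browser-plugin switch in deployment.properties.

Added example; the sample file below is constructed, not copied from a real host.
"""
import re

# Oracle's key behind the Java Control Panel's "Enable Java content in the
# browser" checkbox (Java 7u10 and later). When the key is absent, the plugin
# is enabled, so the default is "true".
WEBJAVA_KEY = "deployment.webjava.enabled"
SECURITY_LEVEL_KEY = "deployment.security.level"
DEFAULTS = {WEBJAVA_KEY: "true", SECURITY_LEVEL_KEY: "HIGH"}

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(s):
    """Resolve java.util.Properties escapes: \\\\, \\:, \\=, \\n, \\t, \\uXXXX.
    A malformed \\u sequence is kept literally rather than raising."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c != "\\" or i + 1 == len(s):
            out.append(c)
            i += 1
            continue
        nxt = s[i + 1]
        if nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", s[i + 2:i + 6]):
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
    return "".join(out)


def _logical_lines(text):
    """Join physical lines ending in an odd number of backslashes (continuations)."""
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        n_backslashes = len(line) - len(line.rstrip("\\"))
        if n_backslashes % 2 == 1:
            pending += line[:-1]  # drop the continuation backslash, keep reading
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def _split_key_value(line):
    """Split at the first unescaped '=', ':' or whitespace; a bare key has value ''."""
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\":
            i += 2  # skip the escaped character, whatever it is
            continue
        if c in "=: \t":
            key, rest = line[:i], line[i:]
            if c in " \t":
                rest = rest.lstrip(" \t")
                if rest[:1] in ("=", ":"):  # "key = value" form
                    rest = rest[1:]
            else:
                rest = rest[1:]
            return key, rest.lstrip(" \t")
        i += 1
    return line, ""


def parse_properties(text):
    """Parse a Java .properties file into a dict (comments start with # or !)."""
    props = {}
    for line in _logical_lines(text):
        if not line or line[0] in "#!":
            continue
        key, value = _split_key_value(line)
        props[_unescape(key)] = _unescape(value)
    return props


def effective(key, user_props, system_props):
    """Resolve a key as Java's deployment layer does: a system value that is
    locked via '<key>.locked' wins; otherwise user, then system, then default."""
    if key in system_props and key + ".locked" in system_props:
        return system_props[key]
    if key in user_props:
        return user_props[key]
    return system_props.get(key, DEFAULTS.get(key))


def browser_plugin_enabled(user_props, system_props=None):
    """True when Java content in the browser is (effectively) switched on."""
    value = effective(WEBJAVA_KEY, user_props, system_props or {})
    return value.strip().lower() == "true"


def hardened_system_properties():
    """System-wide deployment.properties: plugin off, VERY_HIGH security, both locked
    so the Java Control Panel cannot change them back."""
    lines = []
    for key, value in ((WEBJAVA_KEY, "false"), (SECURITY_LEVEL_KEY, "VERY_HIGH")):
        lines.append(f"{key}={value}")
        lines.append(f"{key}.locked")
    return "\n".join(lines) + "\n"


def deployment_config(system_props_url):
    """deployment.config pointing every JRE at the system file and making it mandatory.
    ':' and '\\' are escaped, the conventional form for .properties values."""
    escaped = system_props_url.replace("\\", "\\\\").replace(":", "\\:")
    return f"deployment.system.config={escaped}\ndeployment.system.config.mandatory=true\n"


# Constructed sample of a per-user file (Windows layout; user "alice" is invented).
SAMPLE_USER_PROPERTIES = r"""#deployment.properties
#Tue Feb 02 09:15:22 EST 2016
deployment.version=8.0
deployment.webjava.enabled=true
deployment.security.level=HIGH
deployment.user.security.trusted.certs=C\:\\Users\\alice\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\trusted.certs
deployment.javaws.viewer.bounds=0,0,\
    640,480
"""

if __name__ == "__main__":
    user = parse_properties(SAMPLE_USER_PROPERTIES)
    print("plugin enabled (user settings only):", browser_plugin_enabled(user))
    system = parse_properties(hardened_system_properties())
    print("plugin enabled (locked system policy):", browser_plugin_enabled(user, system))
    # The path/URL below is an assumed Windows location, not taken from the post.
    print(deployment_config("file:C:/Windows/Sun/Java/Deployment/deployment.properties"))
```

Run it as-is to see the user file reporting the plugin enabled and the locked policy overriding it; to audit a real machine, feed the contents of the user's deployment.properties (under the Java Deployment directory in the user profile) to parse_properties. Note that an unlocked system value does not beat a user value, which is why the .locked lines matter.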

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.


24 thoughts on “Good Riddance to Oracle’s Java Plugin”

  1. kopecky

    Singular Labs has a number of free tools including “JavaRa” @ this link: singularlabs.com/software/javara/. Windows 7 on up, delete Flash; HTML5 will play, if not try to find a YouTube link or forget it, all HTML5 if you have no Java/Flash in browser. I only use Chrome last 2-3 yrs, no Java/Flash.

    1. SeymourB

      Bad news, if you use Chrome, you have Flash. You just have to depend on Google to update the plugin, which they are occasionally lax at doing (and occasionally release early), but if you don’t keep Chrome updated, then you don’t keep the bundled Flash updated.

      At home I don’t have any plugins, period, zip, nil, nada. Every so often I have to fire up a web browser that has Flash or Java or something, but the one I normally browse with either works using HTML5 or bust. Very very very rarely will I care enough about a site to fire up an alternate browser. Lots of fish in the sea, not all of them are feeding from the Java/Flash/Shockwave trough.

      1. kopecky

        re: no Flash in Chrome browser. Go to settings menu–content–manage individual plugins–disable Adobe Flash Player–all done, no Flash in Chrome. Also use “JavaRa” to remove all traces of the Java runtime (JRE).

      2. Erik Reppen

        The key point is that Chrome keeps Flash updated for you. It’s primarily outdated Flash plugins that are the problem. If you run into a lot of Flash content you would find convenient to access, I wouldn’t be shy about leaving it enabled in Chrome but Flash is dying a slow death owing to browsers finally being able to handle pretty much everything natively that Flash used to cover so there’s less and less to miss every year. For the record I’m a web UI developer who personally can’t stand Flash, which did have a terrible security record in the past, but I don’t think up to date versions are a severe security risk. Are you safer without it? Sure. You’re also safer not visiting the web at all. If you never miss it, it doesn’t hurt to turn it off of course.

        Java plugins, however, have never not been a security disaster. If it’s not something you need for work that was built by your company’s crappy IT department, stay the heck away from anything requiring Java applets and make sure you’re using up to date browsers for all other internet usage.

  2. Tom R

    Bad news for my brother-in-law who earns his living writing server-side Java code to run on client browsers. It shouldn’t take him long, though, to learn ASP, AJAX, .Net or other in-demand skills. Good luck, Don.

    1. Jason R

      Java isn’t going away in the business environment just because plugin support is being deprecated.

      https://java.com/en/download/faq/java_webstart.xml

      It’s been gone for a “long time” to most consumer websites. I can’t recall the last time I encountered it (probably my small local credit union, and they replaced that interface 3-4 years ago).

      Here is an example of a current and continuing business-based Java application used daily by many (click on “WEBICE” on the top-left of the page):
      https://www.theice.com/

      1. Compguy

        Oh god, not ICE. This tool is awful to support. I wasted countless hours trying to keep this working, along with pipeline software for folks, each of whom used 3-5 different pipelines that each wanted their own version of Java, often outdated and insecure. ICE needs to build a NEW interface that isn’t awful, resource-hogging crap.

  3. Jay

    The lead person is the principal, not principle, as in ” “principle product manager”.

    1. Dax

      I remember the elementary school saying: “The principal is your PAL”.

  4. chesscanoe

    It appears to me that the intent for Windows 10 (and 7 and 8) is to use IE11 to support current legacy Java plug-in applications, both now and for the indefinite future. The Edge browser will support only the latest web standards. Maybe this is wishful thinking, but the only Java web application I currently use will not be updated per the author, so when Firefox drops their current Java support, at least IE11 will still be around.

  5. J.Tate

    “some 97 percent of enterprise computers and a whopping 89” – When conducting a feasibility study on the maximum effective range of a specific exploit, the above numbers could be considered a jackpot. Bravo Oracle, but #dearciso, what are your next moves for exclaiming the vulnerability vectors, and managing the millions of “exceptions” users will have when you try to decommission? Remember Defense In Depth.

  6. David

    Oracle’s decision has nothing to do with security in the present context. It has been more than a year since Java commenced requiring plug-in code be signed, and active exploit development halted the day it arrived; deploying security updates is no longer an urgent priority. The bad guys turned all efforts toward Flash, which promiscuously runs anything coming its way; it shows no evidence of change in this regard.

    What’s really going on is that web-developers abandoned Java several years ago for various reasons and Oracle is making the hard-nosed decision to cease expending resources on it.

    A good deal of legacy browser code runs off the Java plug-in but can continue to do so for some time even with a stale plug-in, as the signing / whitelisting requirement locks out 99.99% of malware. Probably the NSA et al. have and use exploits in APT campaigns, but for their targets this is one minor point in a universe of potential attack surfaces.

  7. SFer

    I wonder how this affects desktop PCs with Ubuntu (v.12.04 and up…).

    I don’t have JAVA installed (as far as I know…), but I’ve seen some programs on my PC (during a regular update/upgrade) reporting: …”JRE this and that updated…”.

    Q: What’s the relation btw. JRE and Java? Are they also a risk on Linux PCs?

    1. AgentGoat

      JRE *is* Java for end users. It’s the package you need in order to run programs written in Java. The JRE by itself isn’t the problem, and in linux you are probably more likely to need it than most people.

      The problem is the Java *browser plugin* which attaches to a web browser and allows Java content to be run on websites. In Linux you’re most likely using Firefox or Chrome; Chrome stopped running the Java plugin some months ago, and Firefox will be dropping support soon. In the meantime, if you’re using Firefox, check your addons/plugins menus and make sure that Java, if present, is set to “never activate”, or remove it from Firefox outright.

      1. SFer

        Thank you AgentGoat and Mapes for your **very clear** answers.

        Yes, no Java plugins in either my Firefox or Pale Moon browsers! (Ubuntu Linux 32-bit).

  8. Mapes

    SFer, JRE is the Java runtime environment, as opposed to the JDK, the Java developer kit. An end user would use the JRE flavor.

  9. Carol

    What was really annoying was the continuous use of opted-in downloads associated with the updates.

  10. James Edward Lewis II

    The way I understood Oracle’s announcement, the Java plugin would still be available in Java 9, just not enabled by default, similarly to how the QuickTime plugin (32-bit only) is not installed by default anymore but can be installed if desired.

    I will likely keep around the latest JRE that has the plugin, just in case I want to load up one of those old physics demonstration applets.

  11. WD

    I wouldn’t get too excited about the disappearance of the Java *plugin*.

    As described, Oracle is focusing now on Java Web Start. Java Web Start (JNLP) is a way that a web page can cause Java to be launched to run an applet. The lack of the plug-in just means that Java will no longer run in the process space of the browser.

  12. Phil

    I disagree that this is good news. Java applets provide a somewhat-safe sandbox so that users can run Java software from websites. Now, unless I misunderstand Web Start, if an application needs the CPU power of client-side Java, the user has to download a Java program with no applet sandbox, and trust the website completely.

    I agree the plug-in is a weakness, but downloading executables instead isn’t better security. It just shifts the blame away from the plugin provider.
