SecurityWeek

Application Security

Oracle to Kill Java Browser Plugin

Oracle on Wednesday announced specific plans to kill the Java browser plugin and has advised users to start migrating to other technologies.

In the old days, advanced Web features were only available in browsers via plugins leveraging the Netscape Plugin Application Programming Interface (NPAPI), the most popular applications being Java, Silverlight and Flash.

In recent years, browser vendors realized that the outdated NPAPI architecture was causing all sorts of problems, including crashes and security issues, so they decided to phase out support for NPAPI, especially since the needed features have become available via native APIs.

Google completely removed NPAPI support in September 2015 with the release of Chrome 45, and Mozilla recently announced its intention to remove support for most plugins by the end of 2016. Microsoft has also dropped support for plugins in its new Edge web browser.

Since there is no point in maintaining a product that could soon stop working in all major browsers, Oracle has advised Java users to migrate from applets, which rely on the Java plugin, to other technologies, such as Java Web Start.

The browser plugin will be deprecated in Java Development Kit (JDK) 9 and removed completely from JDK and Java Runtime Environment (JRE) in a future Java release.

Since organizations might have trouble determining which of their applications are applets that need to be converted, Oracle has advised system administrators to use the Java Advanced Management Console to identify and inventory the apps.

“For organizations using and deploying applications from 3rd parties, System Administrators can use the Java Advanced Management Console to track Java usage within their organization, identifying Applet, Web Start, and other Java application types. This usage tracking lets them identify which versions of Java are used by which applications. It also allows them to create Deployment Rule Sets to manage compatibility between different versions,” Oracle said in a whitepaper on migrating to plugin-free Java technologies.

Due to the large number of vulnerabilities discovered in Java over the past years, many security experts have been advising users to disable the application unless specifically needed. If Java is needed, users should at least ensure that they are running the latest version.

“These days Java is used only for two reasons in the Internet: Educational sites built in the late 90’s and early 2000’s that use applets to showcase things like middle-school physics experiments and then there’s malware delivery,” Kowsik Guruswamy, CTO for Menlo Security, told SecurityWeek.

Guruswamy cautioned that Java browser plugin support is being deprecated only in newer Web browsers.

“Many enterprises, large and small, continue to use Java technology in their users’ browser for many legacy internal applications. They are unable to eliminate Java entirely as their users require access to these applications as part of doing their everyday job,” Guruswamy said. “These companies continue to battle the malware problems as their users take the Java-loaded browser and point it to the Internet.”

In its annual security report for 2015, Cisco noted that Java exploits decreased by 34 percent, a drop which the networking giant attributed to improved Java security and attackers’ efforts to embrace new attack vectors. Cisco’s 2016 report also shows a steady downward trend in Java threats, particularly when it comes to the use of Java vulnerabilities by exploit kits.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
