Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Oracle to Kill Java Browser Plugin

Oracle on Wednesday announced specific plans to kill the Java browser plugin and has advised users to start migrating to other technologies.

Oracle on Wednesday announced specific plans to kill the Java browser plugin and has advised users to start migrating to other technologies.

In the old days, advanced Web features were only available in browsers via plugins leveraging the Netscape Plugin Application Programming Interface (NPAPI), the most popular applications being Java, Silverlight and Flash.

In recent years, browser vendors realized that the outdated NPAPI architecture was causing all sorts of problems, including crashes and security issues, so they decided to phase out support for NPAPI, especially since the needed features have become available via native APIs.

Google completely removed NPAPI support in September 2015 with the release of Chrome 45, and Mozilla recently announced its intention to remove support for most plugins by the end of 2016. Microsoft has also dropped support for plugins in its new Edge web browser.

Since there is no point in maintaining a product that could soon stop working in all major browsers, Oracle has advised Java users to migrate from applets, which rely on the Java plugin, to other technologies, such as Java Web Start.

The browser plugin will be deprecated in Java Development Kit (JDK) 9 and removed completely from JDK and Java Runtime Environment (JRE) in a future Java release.

Since organizations might have trouble determining which of their applications are applets that need to be converted, Oracle has advised system administrators to use the Java Advanced Management Console to identify and inventory the apps.

“For organizations using and deploying applications from 3rd parties, System Administrators can use the Java Advanced Management Console to track Java usage within their organization, identifying Applet, Web Start, and other Java application types. This usage tracking lets them identify which versions of Java are used by which applications. It also allows them to create Deployment Rule Sets to manage compatibility between different versions,” Oracle said in a whitepaper on migrating to plugin-free Java technologies.

Due to the large number of vulnerabilities discovered in Java over the past years, many security experts have been advising users to disable the application unless specifically needed. If Java is needed, users should at least ensure that they are running the latest version.

“These days Java is used only for two reasons in the Internet: Educational sites built in the late 90’s and early 2000’s that use applets to showcase things like middle-school physics experiments and then there’s malware delivery,” Kowsik Guruswamy, CTO for Menlo Security, told SecurityWeek.

Guruswamy cautioned for people to remember that Java browser plugin support is being deprecated only in newer Web browsers.

“Many enterprises, large and small, continue to use Java technology in their users’ browser for many legacy internal applications. They are unable to eliminate Java entirely as their users require access to these applications as part of the doing their everyday job,” Guruswamy said. “These companies continue to battle the malware problems as their users take the Java-loaded browser and point it to the Internet.”

In its annual security report for 2015, Cisco noted that Java exploits decreased by 34 percent, a drop which the networking giant attributed to improved Java security and attackers’ efforts to embrace new attack vectors. Cisco’s 2016 report also shows a steady downward trend in Java threats, particularly when it comes to the use of Java vulnerabilities by exploit kits.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...