Oracle on Wednesday announced specific plans to kill the Java browser plugin and has advised users to start migrating to other technologies.
In the old days, advanced Web features were only available in browsers via plugins leveraging the Netscape Plugin Application Programming Interface (NPAPI), the most popular applications being Java, Silverlight and Flash.
In recent years, browser vendors realized that the outdated NPAPI architecture was causing all sorts of problems, including crashes and security issues, so they decided to phase out support for NPAPI, especially since the needed features have become available via native APIs.
Google completely removed NPAPI support in September 2015 with the release of Chrome 45, and Mozilla recently announced its intention to remove support for most plugins by the end of 2016. Microsoft has also dropped support for plugins in its new Edge web browser.
Since there is no point in maintaining a product that could soon stop working in all major browsers, Oracle has advised Java users to migrate from applets, which rely on the Java plugin, to other technologies, such as Java Web Start.
The browser plugin will be deprecated in Java Development Kit (JDK) 9 and removed completely from JDK and Java Runtime Environment (JRE) in a future Java release.
Since organizations might have trouble determining which of their applications are applets that need to be converted, Oracle has advised system administrators to use the Java Advanced Management Console to identify and inventory the apps.
“For organizations using and deploying applications from 3rd parties, System Administrators can use the Java Advanced Management Console to track Java usage within their organization, identifying Applet, Web Start, and other Java application types. This usage tracking lets them identify which versions of Java are used by which applications. It also allows them to create Deployment Rule Sets to manage compatibility between different versions,” Oracle said in a whitepaper on migrating to plugin-free Java technologies.
Due to the large number of vulnerabilities discovered in Java over the past years, many security experts have been advising users to disable the application unless specifically needed. If Java is needed, users should at least ensure that they are running the latest version.
“These days Java is used only for two reasons in the Internet: Educational sites built in the late 90’s and early 2000’s that use applets to showcase things like middle-school physics experiments and then there’s malware delivery,” Kowsik Guruswamy, CTO for Menlo Security, told SecurityWeek.
Guruswamy cautioned for people to remember that Java browser plugin support is being deprecated only in newer Web browsers.
“Many enterprises, large and small, continue to use Java technology in their users’ browser for many legacy internal applications. They are unable to eliminate Java entirely as their users require access to these applications as part of the doing their everyday job,” Guruswamy said. “These companies continue to battle the malware problems as their users take the Java-loaded browser and point it to the Internet.”
In its annual security report for 2015, Cisco noted that Java exploits decreased by 34 percent, a drop which the networking giant attributed to improved Java security and attackers’ efforts to embrace new attack vectors. Cisco’s 2016 report also shows a steady downward trend in Java threats, particularly when it comes to the use of Java vulnerabilities by exploit kits.
