Time to Boycott Java?
In January 2013, a reader asked me if Java was safe to use. My answer then was somewhat equivocal; yes, Java complicates PC security, but you may want to keep it – carefully – if you run into situations where you need it. Basically, I felt the risk/reward ratio of Java was a toss-up. But my assessment is changing now. Read on to find out if you should keep Java or dump it…
Should You Kick Java to the Curb?
In my article “Is Java Safe And Do I Need It?”, I outlined the security issues with Java, and gave some tips on why you might want to keep it around, just in case. But the risks that Java poses now seem greater and the rewards are diminishing.
First, Java has become hackers’ favorite target. According to Microsoft’s latest Security Intelligence report, more than three-quarters of all “drive-by download” attacks were aimed at Java vulnerabilities, up from 10 per cent in 2008. Cisco’s 2014 Annual Security Report states that 91% of all successful Web exploits targeted Java vulnerabilities. Do you see a pattern there?
There are several reasons for Java’s popularity among bad actors. (If Alec Baldwin was a hacker, that would make a great double entendre.) Java is installed on over 1.1 billion digital devices and enabled in virtually every Web browser, providing lots of potential victims for exploits. Also, Java has proven to be very exploitable, with numerous vulnerabilities discovered over the years.
You Can't Put a Band-Aid on Cancer
Sure, patches have been issued, but there are problems with Java patches.
Many patches issued by Oracle Corp., the developer of Java, have not fixed known vulnerabilities; installing the latest patch gives users a false sense of security. The April 2014 Java patch release included fixes for more than thirty “critical” vulnerabilities, and still some independent security researchers are claiming that gaping holes remain.
Many users don’t even know they have Java installed, so when a pop-up window says a new update is available they ignore it. Some may figure that any unfamiliar alert is malware trying to trick them. And often, they'd be right.
Oracle issues “critical” updates to Java only once every three months, providing plenty of time for unpatched vulnerabilities to be exploited. Microsoft issues Windows updates monthly and barely keeps up with malware developers.
Icing the cake, Oracle allows foistware in all Java update packages. Deceptively worded instructions and pre-checked “opt-in” checkboxes either dupe users into installing things they don’t want or annoy users who have to take pains to avoid installing unwanted software. Extraneous programs like the Ask.com toolbar have no business in any security patch installation package. Their very presence constitutes a security vulnerability, for they provide more places in which malware can be concealed.
Do You Really Need Java?
Java is everywhere, especially in the “Internet of Things,” but that does not mean it’s essential for everyday computer users. Java applets won’t run at all on Android or iOS browsers, and millions of their users seem pretty happy. Desktop versions of Chrome and Firefox recently changed their default settings to “Java disabled in the browser,” and there hasn’t been a major outcry. The “Metro” interface of Windows 8 does not support Java.
Only enterprises that have invested heavily in specialized Java applications are truly stuck with Java. That may include your employer, your bank, or another institution that’s critical to you. If so, you can enable Java for that rare exception. But in general, you won’t miss Java or its headaches, and my recommendation is that you disable or uninstall it. See “Is Java Safe And Do I Need It?” for help with that.
This article was posted by Bob Rankin on 15 May 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved