Java, once a vital component of the web, has dropped in popularity over the past several years. Most modern browsers block Java by default, and the majority of home users don’t need to install it anymore.
We’ve long heard that Java is the single most insecure piece of software for desktop computers, especially Windows. But is this still true? Let’s dig in and find out.
The Historical Problems With Java
The main reason that Java has become such a popular target for attack is how widespread it is. Because Java was designed for maximum compatibility, it runs on a host of devices. In addition to computers, Java powers Blu-ray players, printers, parking payment systems, lottery devices, and much more. It’s the opposite of security through obscurity: a major platform provides the best payoff for an attack.
Of course, we’re concerned with Java on the desktop. And there, the worst offense is that Java doesn’t automatically update itself. Unlike most other modern programs, Java simply asks the user to install updates when available. Even worse, by default, Java only checks for updates once a week or even once a month. That’s dangerous for an app with so many security vulnerabilities.
Many people see the update prompt and ignore it, resulting in them running an outdated version of Java. And with new versions offered regularly, even those who install some updates may get frustrated and ignore further ones. In some cases, even when users install a new version, they leave the old copy of Java installed as well. This widens their vulnerability to attack.
Of course, we can’t forget Java’s long-running saga of including the terrible Ask Toolbar. Every time you installed or updated Java, you had to remember to uncheck a box or it would include that piece of junk. While not an exploit, this left a bad taste in users’ mouths.
Java turns 22 today.
We should send Oracle a cake with the Ask Toolbar on it.
— Tim Barrett (@timbarrett) January 24, 2018
So that’s what was wrong with Java in the past, but what about recently?
In October 2017, Veracode found that 88 percent of Java applications contain at least one vulnerable component. In early 2016, Oracle announced that even the Java installer was vulnerable. If an attacker placed a DLL file with a specific name in your Downloads folder, it would trigger an infection when you ran the Java installer. And in general, due to Java’s popularity, you would only need to visit a compromised website that took advantage of your outdated copy of Java to be infected.
While this means that Java is far from safe, there’s good news, too. In early 2016, Oracle announced that it plans to deprecate the Java browser plugin (which is the source of most problems) in JDK 9, which is available now. Modern browsers have left Java behind, too. Chrome dropped support for Java in late 2015, and Firefox stopped supporting it in early 2017. Microsoft’s Edge browser, included with Windows 10, doesn’t support Java at all.
This means that if you really need to use Java in a browser, you’ll have to stick with Internet Explorer.
The Biggest Vulnerabilities
Since Java is dropping off in popularity, what’s taken its place as the most insecure desktop software?
Flexera’s latest data, from Q1 2017, reveals that 7.8% of programs on the average PC have reached the end of their life. It ranks the top 10 most exposed programs, based on market share multiplied by percentage of users who aren’t patched:
- iTunes 12.x
- Java 8.x
- VLC Media Player 2.x
- Adobe Reader XI 11.x
- Adobe Shockwave Player 12.x
- Malwarebytes Anti-Malware 2.x
- Kindle for PC 1.x
- Adobe Acrobat Reader DC 15.x
- uTorrent 3.x
- iCloud for Windows 6.x
This list may surprise you. While Java isn’t the most risky program, it’s still the second. Other programs that we don’t typically associate with security risks, like VLC and Malwarebytes, hold a spot too. This illustrates the importance of keeping all your software up to date, not just the popular ones.
We can see more by examining Avast’s Q3 2017 security report. It lists the top 10 most out of date programs on its users’ PCs:
- Java 6, 7, and 8
- Adobe Air
- Adobe Shockwave
- VLC Media Player
- Adobe Flash Player
When you include the older versions, it seems that Java still tops the least-updated software. Adobe’s plugins are also big culprits, and we see iTunes and VLC made this list as well.
Conversely, according to TechRadar, Chrome comes out on top for updated apps. When surveyed, 88% of users running Chrome had the latest version installed. This shows how silent automatic updates make a huge difference, compared to the nagging update prompts used by Java and Adobe runtimes.
Don’t Forget OS Updates Too
Another vital component of update to remember is OS updates. Remember that users who had automatic updates installed were spared from the terrible ransomware attack in mid-2017. Even if you keep software like Java up to date, your computer is still at risk if you don’t install Windows updates.
Windows 10 makes these automatic updates easy, but those on Windows 7 might have disabled them. And those still using Windows XP nearly four years after its end of life are putting themselves at major risk.
How Dangerous Is Java, Really?
Taken all together, can we still say that Java is the biggest security risk for desktops? Not really. On the negative side, people still continue to run outdated versions of Java even though they really don’t need it. This opens them up to security vulnerabilities. However, since most browsers don’t support Java anymore, they aren’t open to attack like they once were.
The weak link in your computer’s security comes from the most popular piece of software you don’t keep updated. If you have the newest version of Java but still haven’t uninstalled the unsupported QuickTime for Windows, that’s a big risk. Having an outdated version of Flash, Adobe Reader, or iTunes could open you up to attack too.
current mood: denying a software update for 18 months and now the tool to download is out of date
— moths, ? (@13_moths) February 12, 2018
We can glean from the data above that programs without automatic updates are typically the least secure. For example, iTunes constantly asks users to update, which is annoying. This leads people to ignore the updates and leave an insecure version installed.
What About Mac and Linux?
We’ve focused on Java for Windows above, but it’s worth quickly mentioning how this affects Mac and Linux users too.
Surprisingly, while Apple doesn’t let plugins run by default in Safari, the browser still supports the old plugins like Java and Silverlight. While you should uninstall Java on your Mac unless you need it for a specific reason, Java hasn’t caused as many problems for Mac users as it has on Windows. Lately, most security holes in macOS have been thanks to oversights from Apple itself.
I need to install NetBeans for something. The Mac version ships as an installer package(!), which was a red flag. But then it wanted me to install Java…
Nope. Nope nope nope. Nooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooope.
— Johnny Sombrero (@_nulldragon) February 8, 2018
Linux hasn’t seen any unique Java vulnerabilities either. If you need a browser that supports Java on Linux, you can try the ESR (Extended Support Release) version of Firefox. Firefox provides this version for business environments; it provides the latest security updates but waits longer to roll out feature updates. The current version, 52, supports Java and other legacy plugins will be available until sometime in Q2 2018.
A Plugin-Free Future
The good news is that you don’t need most of these potentially dangerous and annoying plugins installed anymore. Very few websites use Java, and the major program that people kept Java installed for—Minecraft—includes a safe bundled version of Java now. Other plugins aren’t necessary either. Microsoft deprecated Silverlight years ago, and you’d be hard-pressed to find a site with Shockwave content.
Flash is the lone exception. Most browsers still support it due to its popularity, but Adobe will kill it off in 2020. Until then, take care to make sure you update Flash on your PC. Chrome does so automatically, so you may not even have it installed anymore (which is great).
So in short: Java is still insecure but poses less of a risk thanks to browsers disabling it. You should uninstall programs you don’t need (including old plugins), keep the software on your computer updated, and apply OS updates. If you do this, you’ll be well-off.
Image Credit: avemario/Depositphotos