Why Java Is Less of a Security Risk Now on Windows, Mac, and Linux

Ben Stegner 22-02-2018

Java, once a vital component of the web, has dropped in popularity over the past several years. Most modern browsers block Java by default, and the majority of home users don’t need to install it anymore.


We’ve long heard that Java is the single most insecure piece of software for desktop computers, especially Windows. But is this still true? Let’s dig in and find out.

The Historical Problems With Java

The main reason that Java has become such a popular target for attack is how widespread it is. Because Java was designed for maximum compatibility, it runs on a host of devices. In addition to computers, Java powers Blu-ray players, printers, parking payment systems, lottery devices, and much more. It’s the opposite of security through obscurity: a major platform provides the best payoff for an attack.

Of course, we’re concerned with Java on the desktop. And there, the worst offense is that Java doesn’t automatically update itself. Unlike most other modern programs, Java simply asks the user to install updates when available. Even worse, by default, Java only checks for updates once a week or even once a month. That’s dangerous for an app with so many security vulnerabilities.

Many people see the update prompt and ignore it, and so keep running an outdated version of Java. And with new versions offered regularly, even those who install some updates may get frustrated and ignore further ones. In some cases, even when users install a new version, they leave the old copy of Java installed as well, which leaves the old, unpatched runtime available to attackers.
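The "old copy left installed" problem is easy to check for on a Windows machine. The PowerShell below is an added example, not code from the article: it reads the standard Uninstall registry keys (the 64-bit and WOW6432Node hives, which every Windows installer writes to), lists every Oracle Java runtime or JDK it finds, and warns when more than one release is installed side by side or when a release is older than a minimum you choose. The `$MinimumVersion` value is a placeholder, and the assumption that Oracle's DisplayVersion string is in the form `8.0.<update>0.<build>` (so that `[version]` comparison works) is mine, not something the article states.

```powershell
# Added example (not from the article): inventory Oracle Java installs on Windows
# and flag side-by-side or out-of-date releases, read-only, nothing is uninstalled.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Oracle entries look like "Java 8 Update 161", "Java 8 Update 161 (64-bit)",
            # "Java(TM) 6 Update 45" or "Java SE Development Kit 8 Update 161".
            # "Java Auto Updater" has no digit after the name and is deliberately skipped.
            if ($p.DisplayName -match '^Java(\(TM\))?( SE Development Kit)? \d+') {
                [pscustomobject]@{
                    Name            = $p.DisplayName
                    Version         = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    InstallDate     = $p.InstallDate
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

function Test-JavaHygiene {
    # Placeholder threshold (assumed format 8.0.<update>0.<build>); set it to the
    # DisplayVersion of the release you consider current.
    param([string]$MinimumVersion = '8.0.1610.12')

    $installed = @(Get-InstalledJava)
    if ($installed.Count -eq 0) {
        Write-Output 'No Oracle Java runtime or JDK found; nothing to patch or remove.'
        return
    }

    $installed | Format-Table Name, Version, InstallDate -AutoSize

    if ($installed.Count -gt 1) {
        Write-Warning "$($installed.Count) Java releases are installed side by side; the older ones should be uninstalled."
    }

    $minimum = [version]$MinimumVersion
    foreach ($j in $installed) {
        $v = $null
        if (-not [version]::TryParse($j.Version, [ref]$v)) {
            Write-Warning "$($j.Name): cannot parse DisplayVersion '$($j.Version)'; review manually."
            continue
        }
        if ($v -lt $minimum) {
            Write-Warning "$($j.Name) ($($j.Version)) is below $MinimumVersion. Remove with: $($j.UninstallString)"
        }
    }
}

Test-JavaHygiene
```

Run it in an elevated PowerShell session so both registry hives are readable; the warnings it prints are the two situations the article describes, an old release sitting next to a new one and a release that has fallen behind the current update.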

Of course, we can’t forget Java’s long-running saga of including the terrible Ask Toolbar. Every time you installed or updated Java, you had to remember to uncheck a box or it would include that piece of junk. While not an exploit, this left a bad taste in users’ mouths.


Modern Java

So that’s what was wrong with Java in the past, but what about recently?

In October 2017, Veracode found that 88 percent of Java applications contain at least one vulnerable component. In early 2016, Oracle announced that even the Java installer was vulnerable. If an attacker placed a DLL file with a specific name in your Downloads folder, it would trigger an infection when you ran the Java installer. And in general, due to Java’s popularity, you would only need to visit a compromised website that took advantage of your outdated copy of Java to be infected.

While this means that Java is far from safe, there’s good news, too. In early 2016, Oracle announced that it plans to deprecate the Java browser plugin (which is the source of most problems) in JDK 9, which is available now. Modern browsers have left Java behind, too. Chrome dropped support for Java in late 2015, and Firefox stopped supporting it in early 2017. Microsoft’s Edge browser, included with Windows 10, doesn’t support Java at all.


This means that if you really need to use Java in a browser, you’ll have to stick with Internet Explorer.

The Biggest Vulnerabilities

Since Java is dropping off in popularity, what’s taken its place as the most insecure desktop software?

Flexera’s latest data, from Q1 2017, reveals that 7.8% of programs on the average PC have reached the end of their life. It ranks the top 10 most exposed programs, based on market share multiplied by percentage of users who aren’t patched:

  1. iTunes 12.x
  2. Java 8.x
  3. VLC Media Player 2.x
  4. Adobe Reader XI 11.x
  5. Adobe Shockwave Player 12.x
  6. Malwarebytes Anti-Malware 2.x
  7. Kindle for PC 1.x
  8. Adobe Acrobat Reader DC 15.x
  9. uTorrent 3.x
  10. iCloud for Windows 6.x

This list may surprise you. While Java isn’t the riskiest program, it’s still second. Other programs that we don’t typically associate with security risks, like VLC and Malwarebytes, hold a spot too. This illustrates the importance of keeping all your software up to date, not just the popular programs.


We can see more by examining Avast’s Q3 2017 security report. It lists the top 10 most out of date programs on its users’ PCs:

  1. Java 6, 7, and 8
  2. Adobe Air
  3. Adobe Shockwave
  4. VLC Media Player
  5. iTunes
  6. Firefox
  7. 7-Zip
  8. WinRAR
  9. QuickTime
  10. Adobe Flash Player

When you include the older versions, it seems that Java still tops the least-updated software. Adobe’s plugins are also big culprits, and we see iTunes and VLC made this list as well.

Conversely, according to TechRadar, Chrome comes out on top for updated apps. When surveyed, 88% of users running Chrome had the latest version installed. This shows how silent automatic updates make a huge difference, compared to the nagging update prompts used by Java and Adobe runtimes.

Don’t Forget OS Updates Too

Another vital part of keeping a machine patched is the operating system itself. Users who had automatic updates enabled were spared from the terrible ransomware attack in mid-2017. Even if you keep software like Java up to date, your computer is still at risk if you don’t install Windows updates.


Windows 10 makes these automatic updates easy, but those on Windows 7 might have disabled them. And those still using Windows XP nearly four years after its end of life are putting themselves at major risk.

How Dangerous Is Java, Really?

Taken all together, can we still say that Java is the biggest security risk for desktops? Not really. On the negative side, people still continue to run outdated versions of Java even though they really don’t need it. This opens them up to security vulnerabilities. However, since most browsers don’t support Java anymore, they aren’t open to attack like they once were.

The weak link in your computer’s security comes from the most popular piece of software you don’t keep updated. If you have the newest version of Java but still haven’t uninstalled the unsupported QuickTime for Windows, that’s a big risk. Having an outdated version of Flash, Adobe Reader, or iTunes could open you up to attack too.

We can glean from the data above that programs without automatic updates are typically the least secure. For example, iTunes constantly asks users to update, which is annoying. This leads people to ignore the updates and leave an insecure version installed.

What About Mac and Linux?

We’ve focused on Java for Windows above, but it’s worth quickly mentioning how this affects Mac and Linux users too.

Surprisingly, while Apple doesn’t let plugins run by default in Safari, the browser still supports the old plugins like Java and Silverlight. While you should uninstall Java on your Mac unless you need it for a specific reason, Java hasn’t caused as many problems for Mac users as it has on Windows. Lately, most security holes in macOS have been thanks to oversights from Apple itself.

Linux hasn’t seen any unique Java vulnerabilities either. If you need a browser that supports Java on Linux, you can try the ESR (Extended Support Release) version of Firefox. Firefox provides this version for business environments; it receives the latest security updates but waits longer to roll out feature updates. The current version, 52, supports Java and other legacy plugins, and will remain available until sometime in Q2 2018.

A Plugin-Free Future

The good news is that you don’t need most of these potentially dangerous and annoying plugins installed anymore. Very few websites use Java, and the major program that people kept Java installed for, Minecraft, includes a safe bundled version of Java now. Other plugins aren’t necessary either. Microsoft deprecated Silverlight years ago, and you’d be hard-pressed to find a site with Shockwave content.

Flash is the lone exception. Most browsers still support it due to its popularity, but Adobe will kill it off in 2020. Until then, take care to make sure you update Flash on your PC. Chrome does so automatically, so you may not even have it installed anymore (which is great).

So in short: Java is still insecure but poses less of a risk thanks to browsers disabling it. You should uninstall programs you don’t need (including old plugins), keep the software on your computer updated, and apply OS updates. If you do this, you’ll be well-off.


  1. Doog
    April 21, 2019 at 8:06 am

    I had outdated Java installed on my system for a while because a) All the browsers I used blocked it b) Everything else on my system was kept up to date c) There seemed to be no quick way of just removing it like everything else that was easily removable on my system.

    I’m now a bit concerned that some hidden nasty has still made its way onto my MacBook despite all of this. Does anyone know if it is still possible for a Mac to get infected even with both a) and b) above? Thanks

  2. John IL
    March 24, 2019 at 1:47 pm

    I am a diabetic and was excited when my new glucose meter allowed me to download monthly stats to my PC. I was then disappointed when their app ran in Java SE. I will have to pass on installing Java just for that one application I may use once or twice a month. Yes, it’s probably less of an issue now that none of the browsers support it with a plugin. But I am still skeptical of its security given all the past associated with Java. Neither the app for my meter nor Java seems to be well supported or updated regularly.

  3. Tony
    October 25, 2018 at 10:20 pm

    Thanks for sharing this.

    I want to use Freemind mind-map software from Sourceforge. Freemind insists on the installation of Java. I use Firefox Quantum 63.0 on my 8 year old Windows 7 laptop, with Bitdefender TS 2019 and have Sumo to check once a week (ish) for software updates. I want to use Freemind but will NOT compromise my security. Can I use Java safely with Freemind? Should I use a sandbox? Is Firefox 63.0 with uBlock Origin and Smart HTTPS sufficient? In a world where it seems impossible to find simple "definitive" advice on Tech security, any guidance would be welcome.