The Web Just Became More Secure: Google Drops Support for Java
When Java was first publicly released in 1995, it was revolutionary.
Developers could write their code once, and (in theory) run it on any computer they wanted without having to make any changes. It was, and still is, incredibly fast. This speed has led to it being used in time-sensitive contexts, like high frequency trading algorithms on Wall Street.
Java was also incredibly ahead of its time. From its first release, developers could use it as a tool to embed web-app-like logic into web pages. These were called Java Applets, and because the code was running in a separate process outside of the web browser, they were perfectly suited for high-intensity tasks like games, visualizations and simulations.
But that was then, and this is now.
It’s safe to say that Java – particularly in the browser – has lost its shine. A large part of this is due to security concerns. The next version of Google Chrome (version 45, scheduled for December) has removed support for it entirely.
Is Java Actually Insecure?
When writing about Java – particularly from the perspective of security – it’s important to differentiate between the Java Runtime Environment (JRE) and the Java browser plugin.
The Java Runtime Environment (which includes the Java Virtual Machine and some software libraries) is often accused of being insecure, but that’s not necessarily true. Although the JRE has had its share of severe, zero-day vulnerabilities, it’s for the most part a very well-designed, secure piece of software. It runs applications within a “sandboxed” environment, where the potential damage caused by a piece of software is limited. If the program wants to perform actions outside of “the sandbox”, the user is informed and has to approve them.
But in the browser, it’s a slightly different kettle of fish. The Java browser plugin is a notoriously insecure piece of software. According to Kaspersky, it was responsible for almost 50% of cyber attacks in 2012.
But that’s because, perversely, the Java browser plugin is defective by design. Java applets simply aren’t sandboxed as they should be, and they blindly run any code that’s been signed with a cryptographic signature, without question.
To put this into layman’s terms, if you’ve got a malicious piece of software, and you want to ensure it can run rampant on any computer without any interference, you need only cryptographically sign it. That’s terrifying.
Of course, it doesn’t help that most people are running an insecure version of Java, thanks to its infuriating and broken upgrade process. According to Kaspersky’s 2012-2013 Java Under Attack report, anywhere between 55% and 37% of people use older (and vulnerable) versions of Java.
Perversely, Oracle (and previously Sun Microsystems) have almost de-incentivized people from installing the latest versions of Java by using it as an opportunity to surreptitiously force the installation of the Ask Toolbar (which can be easily removed), or change their default browser to Yahoo!.
Thankfully, Google’s doing something about it. After September, they’re going to discontinue support for NPAPI (Netscape Platform API) in Google Chrome, which will effectively make it impossible for Java applets to run. It will also break support for older versions of Adobe’s Flash (which has its own security problems), Silverlight (which nobody used), Unity, and the Facebook plugin.
There are rumblings that Firefox will soon join Chrome in deprecating NPAPI, but so far nothing has really emerged. And, of course, NPAPI is still enabled on Internet Explorer, Opera and Safari.
Kill Java. Kill It With Fire
Java is an interesting, and startlingly common attack vector for malware to infect your computer. But there’s something you can do about it. It’s simple, and it’s obvious.
You simply delete the entire Java runtime from your system.
If you’re not using it, there’s no real point in having it installed, and deleting it is easier than you think. Here’s how you do it on Linux (Ubuntu – other distros may vary), Mac OS X, and Windows 10.
Removing Java on Linux (Ubuntu)
Removing Java on Linux is simultaneously simple and complicated. It’s simple in the respect that you need only run a few commands. But it’s also complicated, as you need to know what Java runtime you’re removing.
But wait, there’s more than one Java runtime?
Well, yes. You see, there’s the official one that’s produced by Oracle – the developer of Java. But there’s also the OpenJDK, which is an open source implementation released under the GNU General Public License – a permissive software license favored by open source products.
Odds are good that you’ve got the OpenJDK, but it’s easy to check. Just run:
Then, it’s a simple matter of removing the relevant packages with your package manager.
sudo apt-get autoremove openjdk-7-jre
If you’re using an older version of the OpenJDK, change the version number (openjdk-<version>-jre) to correspond with it. If you’re using the Oracle JDK, run:
sudo apt-get remove oracle-java7-installer
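To tell which of the two runtimes is installed before removing anything, the helper below classifies the output of java -version by vendor and major version. It is an added example, not part of the original article; the function name classify_java and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: work out whether the installed runtime is OpenJDK or Oracle.

# Constructed sample outputs in the usual `java -version` layout.
SAMPLE_OPENJDK='java version "1.7.0_79"
OpenJDK Runtime Environment (IcedTea 2.5.5) (7u79-2.5.5-0ubuntu0.14.04.2)
OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)'
SAMPLE_ORACLE='java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)'

# classify_java TEXT -> prints "<vendor> <major>" (e.g. "openjdk 7") or "unknown"
classify_java() {
    text=$1
    # Check OpenJDK first: only Oracle builds carry the "Java(TM) SE" branding.
    case $text in
        *OpenJDK*)                 vendor=openjdk ;;
        *"Java(TM) SE"*|*HotSpot*) vendor=oracle ;;
        *)                         echo "unknown"; return 0 ;;
    esac
    # Pull the quoted version string from the first line that has one.
    ver=$(printf '%s\n' "$text" | sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1)
    # Releases up to Java 8 report "1.<major>.x"; later ones report "<major>.x".
    case $ver in
        "")  major=unknown ;;
        1.*) major=${ver#1.}; major=${major%%.*} ;;
        *)   major=${ver%%.*} ;;
    esac
    echo "$vendor $major"
}

echo "sample OpenJDK output -> $(classify_java "$SAMPLE_OPENJDK")"
echo "sample Oracle output  -> $(classify_java "$SAMPLE_ORACLE")"

if command -v java >/dev/null 2>&1; then
    # java -version writes to stderr, so merge it into stdout before capturing.
    echo "this machine          -> $(classify_java "$(java -version 2>&1)")"
else
    echo "this machine          -> no java on PATH"
fi
```

Run it again after the removal: the last line should report that no java is on the PATH.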
Removing Java on Mac OS X
These instructions work for Yosemite, the latest version of OS X. It’s actually surprisingly simple to remove Java here. You merely need root access and a bit of confidence with the command line.
Open a terminal and run the following:
sudo rm -rf /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/
sudo rm -rf /Library/PreferencePanes/JavaControlPanel.prefPane
Hurrah! You’ve removed the JRE on your machine.
Removing Java On Windows 10
To remove Java on Windows 10, simply open the Start menu and search for Java. Then right-click it, and click Uninstall. Don’t be afraid if there are more than a few items with Java in the name.
It’s as easy as that. But there’s also an official Oracle app that automates the process of removing Java.
If you’re using Windows 7, you might want to check out this post by former MUO-er, Chris Hoffman, which explains in perfect detail how to disable and remove Java from your PC.
The era of Java applets is long gone. Good riddance.
They were slow, insecure, and quite frankly, there are much better technologies that’ve supplanted them. HTML5, and Canvas in particular, spring to mind. Google should be applauded for finally discontinuing support for them in Windows 10.
Of course, the only way to truly be secure is to remove it entirely.
So with that in mind, is there any real reason to have Java installed on your computer? I didn’t think so, but what do you think? Any thoughts? I want to hear them. Leave me your comments in the box below, and we’ll chat.