For nearly everyone, it’s time to dump Java. Once promising, it has outlived its usefulness in the browser, and has become a nightmare that delights cyber-criminals at the expense of computer users.
Java Today
Sun Microsystems released Java in 1995 as a technology for building applications that could run on any platform, including Windows, Macintosh and Linux. In its heyday, major browsers embraced Java for running applets within pages. All anyone needed was a browser plug-in for executing programs.
Today, that plug-in has become a top security risk, along with Adobe Flash. Partly to blame for the problem is Oracle, which acquired Sun and its invention in 2009. The database vendor has heightened the risk by failing to launch timely patches.
The latest security meltdown is a case in point. Despite being warned in April of critical vulnerabilities, Oracle did not get around to releasing an emergency patch until last week, after reports that cyber-criminals were exploiting the flaws. Security Explorations, the Polish firm that first reported the vulnerabilities to Oracle, later said the patch contained a flaw that could be used to circumvent the fix.
The Latest Threats
In the meantime, criminals are having a field day. Atif Mushtaq, security researcher at FireEye, says the number of computers infected with malware exploiting the flaws is growing. As of Tuesday, up to a quarter-million computers had been infected. Hackers are at an advantage because computers users are laggards when it comes to applying Java patches. Up to 60 percent of Java installations are never updated to the latest version, according to security vendor Rapid7.
Over the just-past Labor Day weekend, the SANS Institute’s Internet Storm Center and Websense reported finding separate phishing campaigns trying to lure people to malicious sites capable of exploiting the vulnerabilities. SANS discovered link-carrying emails that copied a recent Microsoft message about service agreement changes. Websense found emails disguised as order verification messages from Amazon.
Security experts rate the latest flaws as critical, because hackers can use them to commandeer a computer and take whatever data they want. Risking that kind of damage for a technology with little purpose makes no sense.
What Security Experts Advise
Security experts are hard pressed to say what Java does for most people. While some online games and business applications need a Java plug-in to run, nearly all modern sites, including Facebook and Twitter, use JavaScript, XML and HTML 5, which run natively in the browser. Therefore, people could happily surf the Web for years without ever running Java.
Those who are using a Java application, should run it in a dedicated browser that’s used for nothing else, Patrik Runald, director of security research at Websense, says. Another browser should be used for daily Web surfing. “I’ve run a browser with Java disabled for years,” he said.
Supporters once believed that Java would play a significant role in running Web applications. That never happened. Instead, browsers became the operating system for the Web. “(Java) never took off the way it was anticipated,” Runald said.
So the verdict is clear. Disable Java plug-ins in all browsers, whether Firefox, Chrome or Internet Explorer. Java’s glory days are over and it’s time to pull the plug.
Image courtesy of Shutterstock.