Oracle's killing a favorite security hole for attackers: the Java browser plug-in
The browser plug-in will be retired in Java 9, but older versions will likely linger on for years
Oracle will retire the Java browser plug-in, frequently the target of Web-based exploits, about a year from now. Remnants, however, will likely linger long after that.
“Oracle plans to deprecate the Java browser plugin in JDK 9,” the Java Platform Group said in a blog post Wednesday. “This technology will be removed from the Oracle JDK and JRE in a future Java SE release.”
The Java Development Kit (JDK) 9, the reference implementation for the next version of Java SE, is expected to reach general availability in March 2017. By then, however, most modern browsers will no longer accept the Java browser plug-in anyway.
Mozilla announced in October that it plans to remove support for plug-ins in Firefox by the end of 2016. Chrome disabled support in September for plug-ins that, like Java and Silverlight, use the old Netscape Plugin Application Programming Interface (NPAPI) standard. Microsoft’s Edge browser doesn’t support plug-ins either.
With Internet Explorer and Safari the only browsers set to still accept traditional NPAPI plug-ins after 2016, Oracle is pretty much forced into this decision, even though Chrome does support a new plug-in technology called PPAPI (Pepper Plug-in API).
“Oracle does not plan to provide additional browser-specific plugins as such plugins would require application developers to write browser-specific applets for each browser they wish to support,” the company said in a white paper that outlines migration options for developers. “Moreover, without a cross-browser API, Oracle would only be able to offer a subset of the required functionality, different from one browser to the next, impacting both application developers and users.”
The main alternative proposed by the company is to switch from Java Applets to Java Web Start applications. This type of application can be launched from the Web without the need for a browser plug-in.
From a security perspective though, Java Web Start applications can be used as an attack vector for exploiting vulnerabilities in the Java runtime, just like Applets.
Even after the Java plug-in is retired, it’s likely that many computers will continue to have it installed for years to come. This is especially true in business environments where custom built Web-based Java applications are common and cannot be easily replaced or rewritten.
Even now, for application compatibility reasons, there’s a large number of computers in business environments that continue to use Java 6 or Java 7, versions that no longer receive public security updates.