How to kill Java dead, dead, dead

Client-side Java is an outdated technology that now does more harm than good -- and must be eliminated despite its widespread use

Once again, flaws in Java are creating big holes that hackers exploit to victimize users and, even worse, sabotage or spy on many of the computers that run key business processes at utilities, banks, hospitals, and government agencies. Enough already. Wake up and smell the coffee: Client-side Java needs to go, and fast. Even if the current bugs can be fixed, there will be more.

The problem is that Java is widely used and embedded in the apps that we use every day at work and at home. It just can't be turned off, though the federal government's Homeland Security Department team has recommended we all do so even with Oracle's Monday patch installed. Sure, you can disable Java in your browser, which Apple did via remote control for OS X Lion and Mountain Lion users. And you can uninstall Java on your PC or Mac. But you'll end up turning it back on again because you have little choice.

Java on the client side has turned into a malicious hacker's best friend, and developers really don't need it anymore. In fact, it's causing them more problems than it's worth. Although using Java lets a developer avoid writing custom code for the various versions of Windows and OS X, whether for native apps or browser client functions, the fact is that apps get tied to a specific Java version. Developers have a version-management problem anyway.

You'd think that IT organizations would have stomped out client-side Java long ago. I regularly hear IT folks moan about how they can't upgrade some users to Internet Explorer 8 because some specialty app they're running only works with the Java supported by IE6. I even know some who've had to give users two PCs because one app uses a Java version supported only by IE7 and another app uses Java supported only by IE8, which can't both be installed on the same PC. Java is the problem.

Of course, I also hear developers say things like the current Java 7 vulnerability is no big deal because their app uses an older version -- so the madness continues.

The feds recommended that users disable Java in the browser, and they should. But that still leaves Java on the desktop where it can be exploited, as Mac users found out a couple of years ago to Apple's chagrin. Apple's response was to deprecate Java in OS X Lion so that it was no longer installed as part of the operating system.

But when an app needs Java, users get a prompt to download and install it. Many popular apps do, such as Adobe's Creative Suite and even Symantec Anti-Virus. Oh, the irony that an antimalware app requires the use of one of the biggest malware conduits to function!

Apple had the right idea but didn't go far enough. It should prevent Java from ever running in OS X. Microsoft should do the same in Windows. Apple did that from the get-go in iOS, and few people noticed. The Metro (aka Modern) part of Windows 8 also doesn't support Java, which is a partial step in the right direction. Even the Java-based Android OS won't run Java apps or Web plug-ins.

Websites that still use Java, such as some banks, telcos, and airlines, will quickly adjust once more operating systems block it, just as websites have largely done after Apple blocked Flash in iOS. Today, only BlackBerry 7 OS runs unrestricted Flash on the mobile side, and the world is none the worse off.

Of course, despite Adobe's attempt to make Flash the common front-end UI technology for mission-critical apps such as ERP and CRM, Flash essentially was used only for video playback. The various codecs such as H.264 in HTML5 easily replaced Flash for that decidedly non-mission-critical purpose.
