Last call for client-side Java

As browser makers move to block vulnerable plug-ins, Java's future as a client-side platform is uncertain

Java developers hate to hear that their language of choice is becoming the new Cobol, but it already resembles that venerable language in at least one respect: Java is used far more often on the server side than on the client. That trend only seems to be increasing.

Case in point: The Mozilla Foundation announced this week that it's blocking certain versions of the Java plug-in from running in its Firefox browser. However, Firefox isn't alone in squeezing Java out of the browser; the Metro-style version of Internet Explorer 10 won't support plug-ins at all, Java included.

Plug-ins, including Java and Flash, have typically been used to build rich client-side UIs for Web applications. But with the advent of HTML5 and the modern Web platform, many developers have come to believe that the benefits aren't worth the risks.

Java security under fire
The Java plug-ins blocked by Mozilla share common ground: They all contain a vulnerability that can be used to run arbitrary code on a user's PC. Mozilla has used its blacklist to shut out risky plug-ins before, as when it blocked two Microsoft plug-ins in 2009, but it's never barred so many versions of a plug-in at once.

Mozilla isn't the only one concerned about Java's track record on security. According to Microsoft, Java exploits on Windows machines have been spiking. They now far surpass attacks on other risky technologies, including Adobe PDF and Flash.

Plugging the holes isn't really the problem. For example, Oracle issues regular patches to fix Java security flaws as they're found, and the vulnerabilities cited in the versions on Mozilla's blacklist were patched in February.

The problem is that users don't always get the latest patches, due in part to Java's needlessly cumbersome practices. Though it installs its own updater, the patches don't always download and install automatically. If users get in the habit of dismissing the Java notifications, their JVMs can remain vulnerable months after Oracle releases security fixes.

It doesn't help that Oracle tries to underwrite Java with advertising and other annoyances. One recent Java update for Windows installed McAfee Security Scan Plus on users' PCs unless they opted out. Past versions have bundled browser toolbars. If you want users to take security seriously, the updates themselves shouldn't feel like malware.

A better way to handle it would be to ship Java updates through the normal OS update procedure. However, Microsoft discontinued its JVM for Windows shortly after it settled its lawsuit with Sun Microsystems in 2004.
