Battle lines drawn in the war on Java

Java's detractors have fresh ammunition in recent Java security fails

Battle lines drawn in the war on Java

While organizers of the JavaOne conference seem oblivious, there's a crescendo of complaints and near-universal agreement among security researchers that the Java Runtime Environment is full of holes, and that Oracle's attempts to shore it up have been ineffective.

Two weeks ago the infosec community breathed a great sigh of relief when Oracle issued Java 7 Update 7. Although the next Java security patch wasn't scheduled until October, Oracle pushed the patch through to cover two security holes with widely distributed zero-day exploits. That sigh of relief turned into gnashing of teeth when -- less than 12 hours after the patch was released -- Polish security firm Security Explorations not only identified an additional, similar hole in the newly patched Java 7, but also claimed that their researchers had warned Oracle about the original zero-day security holes way back in April.

Apple plugged the holes on its platforms a few days later.

Note that the vituperations are directed at the client side of Java -- the programs that run on user's PCs and Web-based applications that invoke Java from inside a browser. The truly lowest common denominator is the Java Runtime.

Who's lined up against Java? Security luminary Brian Krebs has renewed his call on users to uninstall Java from their systems -- a security step he's been advocating for years. Ars Technica's Dan Goodin agrees as does ZDNet's Ed Bott. After years of watching the carnage, I claimed that "It's time to run Java out of town" last April. F-Secure's Mikko Hypponen, who popularized the phrase "Friends don't let Friends run Java," adds, "If you're going to remain among the majority that keep it installed on your primary computer, do also remember that Java (as well as other plugins) can be invoked from applications with banner ads."

Of course, Microsoft wants you to disable Java whenever possible. It has a bit of a vested interest as Microsoft's .Net is -- at least on Windows clients -- a direct competitor to Java. But .Net has its problems, too.

If your shop isn't tied to the Java runtime, your users may be able to give it the heave-ho. While there are thousands of applications that require Java -- NetBeans, the open source HTML editor (which includes a Java IDE); Woopra, the Web traffic tool; the Eclipse programming tool (which also includes a Java IDE); JDownloader, and many others -- they serve niche needs that may have similar Java-free alternatives.

For big applications: LibreOffice itself doesn't require Java but some of its components do, most notably Base, the desktop database front end. Some portions of Adobe Creative Suite require it, although Photoshop and Illustrator on Windows do not. Over on the gaming side, Minecraft and Runescape are still wed to Java.

On the Web... Web analytic site W3Techs says that just 4 percent of all websites use Java, although the numbers don't break out how many sites require client-side JRE. 

Upshot: Most users don't need Java. Unless your company foists it on you, you're better off removing or disabling it.

A quick reading of the JavaOne Conference syllabus didn't turn up any sessions titled "Oracle's plans to get its patching act together." The only session that mentions security involves protecting Java Web apps with secure HTTP.

I'm sure it'll be a fine conference. But unless Oracle starts kicking butt on the security side of Java, attendees may soon find their customers have moved on to a less deficient alternative.

This story, "Battle lines drawn in the war on Java," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.