Java's insecurity has doomed it on the desktop

Latest round of patches addresses mostly client-side vulnerabilities

If Java on the desktop isn't dead yet, its latest security update should go a long way toward convincing people it should be.

How urgent is this new security update? Urgent enough that Oracle folded the Java patches into its October 2013 Critical Patch Update (CPU -- what an acronym), now that the company has moved Java security fixes onto the quarterly CPU schedule rather than shipping them three times a year.

Of the 127 fixes in this update, slightly fewer than half, 50 of them, were for Java vulnerabilities that can be exploited remotely without authentication. And 12 of those were vulnerabilities that could hand an attacker complete control of the underlying OS. Ouch.

What's more, the vast majority of those Java fixes address client-only problems: vulnerabilities that can be exploited only in client deployments of Java, typically through a sandboxed applet or Java Web Start application running from a browser, not on a server.

If any one thing has driven the decline of Java as a desktop technology, it's the way the product has been shown time and again to be deeply insecure. Oracle keeps promising it has the issue under control, even though the vast majority of the security holes that have been found go back to before Java changed hands from Sun to Oracle in 2010.

Oracle has used that fact to its advantage, claiming, "When we acquired Sun, [it] was not in a position to fully fund the security team," as stated by Cameron Purdy, Oracle vice president of cloud applications and Java EE (Enterprise Edition), during JavaOne back in September. Purdy also owned up to Oracle not having made the Java security team robust enough, and pointed to people running older editions of Java who don't update as a major source of problems.

Fair enough, but the damage done to Java as a desktop and client-side technology may well be permanent. Mozilla has been blocklisting vulnerable, out-of-date versions of the Java plug-in in Firefox since 2012, and Google has announced that Chrome will phase out support for NPAPI plug-ins, the mechanism the Java plug-in relies on, entirely. No great loss there -- when was the last time, apart from a corporate portal or a site built on mid-2000s technology, you actually needed the Java plug-in to make a site work?
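Since the risk described above sits with out-of-date client runtimes, the check a practitioner wants is a way to find them. The following is an added example, not code from the InfoWorld piece or from Oracle: it parses the version line that `java -version` prints and flags runtimes below a per-family patch baseline. The baseline values (Java SE 7 Update 45 and 6 Update 65 as the builds that shipped with the October 2013 CPU), the `OCT_2013_CPU_BASELINE` name, and the host names and outputs in `SAMPLE_OUTPUTS` are my assumptions and constructed data, not facts taken from the article.

```python
"""Flag installed Java runtimes that predate a patch baseline.

Added example (not from the article). Parses the first line of
`java -version` output, e.g. 'java version "1.7.0_25"', and compares the
update level against a per-family minimum. Only the pre-Java-9 '1.X.0_NN'
version scheme is handled, which is what the 2013-era runtimes report.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Assumed minimum update level per major family once the October 2013 CPU
# was applied (7u45 and 6u65). Not from the article; adjust to your own baseline.
OCT_2013_CPU_BASELINE: Dict[int, int] = {6: 65, 7: 45}

# Matches 'java version "1.7.0_45"' or 'openjdk version "1.7.0_45"'.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+_(\d+)')

# Constructed sample `java -version` outputs keyed by hypothetical host name.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "desk-01": 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment (build 1.7.0_25-b15)',
    "desk-02": 'java version "1.7.0_45"\nJava(TM) SE Runtime Environment (build 1.7.0_45-b18)',
    "desk-03": 'java version "1.6.0_51"\nJava(TM) SE Runtime Environment (build 1.6.0_51-b11)',
    "desk-04": 'java version "1.5.0_55"',
    "desk-05": "bash: java: command not found",
}


def parse_java_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) parsed from `java -version` text, or None.

    Both fields are returned as integers so that comparisons are numeric:
    a string compare would rank "1.7.0_9" above "1.7.0_45".
    """
    match = _VERSION_RE.search(version_output)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def classify(version_output: str, baseline: Dict[int, int] = OCT_2013_CPU_BASELINE) -> str:
    """Classify one runtime's version output against the baseline.

    Returns 'current', 'outdated', 'no_baseline' (a family the baseline does
    not cover, which needs a human decision) or 'unknown' (nothing parseable,
    e.g. Java is not installed at all).
    """
    parsed = parse_java_version(version_output)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family not in baseline:
        return "no_baseline"
    return "current" if update >= baseline[family] else "outdated"


def audit_hosts(outputs: Dict[str, str], baseline: Dict[int, int] = OCT_2013_CPU_BASELINE) -> Dict[str, str]:
    """Map each host name to its classification; input is host -> captured output."""
    return {host: classify(text, baseline) for host, text in outputs.items()}


def installed_java_status() -> str:
    """Classify the Java runtime on this machine's PATH, if any.

    `java -version` writes its banner to stderr, so both streams are captured.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return classify(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for host, status in sorted(audit_hosts(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
    print(f"this machine: {installed_java_status()}")
```

The numeric comparison is the part worth copying: update numbers are not zero-padded, so any inventory script that sorts version strings lexically will call a 7u9 install newer than 7u45. Treat `no_baseline` and `unknown` as findings to follow up rather than as passes.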

Google's move could also be its way of indirectly deprecating what is now more than ever a competitor's technology. Google is doubling down on Go, Native Client, and Dart, and according to my colleague Galen Gruman may be leaving (the Java-powered) Android behind in favor of Chrome OS.

None of this is a patch -- pun intended -- on Java as a server-side technology. The JVM's untapped possibilities have long been one of its best-kept secrets, and the sheer amount of server-side Java in use in businesses means it won't be going anywhere for a long time to come.

But Java as a desktop force shows no signs of making a roaring comeback, and with each hammering-home of the message that it's an insecure, outdated technology, the odds get a little worse.

This story, "Java's insecurity has doomed it on the desktop," was originally published on the InfoWorld Tech Watch blog.

Copyright © 2013 IDG Communications, Inc.