FTC ruling against Oracle shows why it's time to dump Java

The FTC says Oracle hasn't been uninstalling older, insecure versions of Java. It's time for users to ditch client-side Java altogether

When it comes to Java, some things never change. Consider the constant upgrading: Because attackers target flaws in Java to gain control over victim computers, users need to install the latest updates right away.

But according to a Federal Trade Commission complaint, Oracle left older copies of Java -- the ones with the flaws -- still running on machines after updating, meaning the updates didn't keep users safe.

So let's skip the Java headache and get rid of client-side Java altogether.

While Oracle regularly released updates to fix vulnerabilities in Java, it did not inform its users that the update mechanism removed only the most recent prior version of the Java SE software, the FTC alleged in its complaint. Up until August 2014, the Java update did not uninstall Java SE more than two versions old, or any versions released after a certain date. 

Staying on top of Java patches means nothing if you're merely installing a new version and leaving the older, still-vulnerable version on the machine. Considering that Java was the most targeted platform in 2014 and the second most targeted (behind Flash) in 2015, it's really, really tempting to simply uninstall Java from user machines.

Opt out of Java's woes

Java SE lets users run various Java applications, such as chatrooms, online games, and small widgets, on their computers. For a while, Java was used everywhere, making it a lucrative platform to attack. In recent years, attackers have increasingly targeted vulnerabilities in Java to hijack user computers and download malware or intercept data. As a result, Java requires constant patching.

While still widely used, Java is not as ubiquitous as it once was. For a significant number of people, that means they can uninstall Java from their computers and never miss it. Many users don't even know they have Java installed on their computers because they never use it.

Thus, the easiest way to reduce the attack surface is to uninstall client-side Java altogether, and install it only if the user discovers he or she needs it.

To be fair, Oracle has built stronger security controls into Java. For example, Java 8 requires code-signing or other user interaction before it will run. Most major Web browsers also automatically block older versions of the Java Runtime Environment. Even so, there is no reason to have unnecessary software running.

Though Oracle told users to remove older versions, it never indicated the update process did not automatically remove all older versions of Java SE. Under the proposed terms of its settlement with the FTC, Oracle is required to inform users if they have outdated, insecure copies of Java installed on their computers, and provide an easy mechanism for uninstalling those vulnerable versions. 

Some applications, such as online games, educational tools, and certain collaboration platforms, still require Java, which means organizations need to continue staying on top of the updates. While Oracle has to start notifying users of older versions and provide tools to remove it, the settlement hasn't been finalized yet.

Why wait? Manually check what versions are installed, and use the uninstall tool on Java's website to remove vulnerable ones. Clean up your systems; it will keep attackers at bay.


Copyright © 2015 IDG Communications, Inc.

How to choose a low-code development platform