As Gizmodo recently reported, the world has rejoiced at news of Oracle’s decision to deprecate the much-maligned Java Plug-In. It will still be around for a while, but this announcement marks the beginning of the end of this vulnerable browser plugin. For the last decade the Java Plug-In has been one of the top pieces of software attacked, and its death will surely cut off a primary exploit vector from our adversaries.
Back in 1995 Java began as a much-hyped language due to its “write-once, run anywhere” mantra combined with a set of elegant design principles and a fun Duke mascot to jump around in our browsers. Included was a security model built in from the beginning – just as we always preach it should be done. But as its popularity spread, decisions were made that weakened its original security sandbox concept in order to allow additional functionality.
I tried to live without the Java Plug-In once upon purchasing a new computer but VPN and screen sharing providers ruined my plans within a few hours. But that was way back in 2012 and a lot has changed since then. Browser manufacturers and websites have slowly embraced HTML5 and with these changes the requirement for Java in the browser has steadily declined.
But the death of Java in the browser will not necessarily keep attackers from successfully attacking browsers in other ways. They will move on to exploit other browser complexities, perhaps even HTML5 itself, and the results could even be worse. As usual, the industry has finally succeeded in raising the bar a little; however, our adversaries will unfortunately rise to the occasion. In the meantime, enjoy a temporary reprieve in successful attacks until the next great vulnerable platform arises to replace the Java Plug-In.
Today’s post pic is from JavaCodeGeeks.com. See ya!