
Oracle Java browser plug-in: How will its death affect enterprises?

Oracle is killing off the Java browser plug-in due to security risks. Expert Michael Cobb explains the next steps for enterprises with Java-based applications.

Oracle recently announced that for the next version of the Java Development Kit, it will deprecate the Java browser plug-in because of the security risks associated with it. From a security perspective, this seems like a good move, but what does this mean for enterprises that have a lot of Java-based applications? And are there security risks we should be aware of when using the Oracle Java browser plug-in alternatives?

Oracle's Java browser plug-in has been the bane of many network administrators' lives. Although it is a popular vector hackers use to install malware or otherwise attack users, many enterprises have developed Java-based business applications and thus require administrators to support it. According to Trustwave, 78% of exploits in 2013 targeted Java. Although the situation has improved since, the plug-in has required constant patching to prevent exploit kits and cyberespionage groups, such as Pawn Storm, from abusing zero-day and other serious vulnerabilities.

The Oracle Java browser plug-in will be deprecated in the Java Development Kit 9 release expected in 2017, and it will be completely removed from the JDK and Java Runtime Environment (JRE) in a future Java release. Browser plug-ins like Java, Flash and Adobe Reader originally added greater functionality to browsers at a time when their capabilities were fairly limited. However, their security track record is appalling, and browser vendors like Google, Apple and Microsoft are quickly reducing support for plug-ins and encouraging developers to move to standards-based HTML5 technologies and JavaScript.

These developments, combined with the growing use of mobile device browsers, which typically don't support plug-ins, will eventually force enterprises to update and migrate from applications that rely on the Java browser plug-in. For organizations that still need client-side Java, the first option to explore is migrating from Java applets, which rely on a browser plug-in, to the plug-in-free Java Web Start technology. Java Web Start, included in the Java Platform Standard Edition 7 JDK, does not rely upon a browser, and is considered a safer way to run Java applications, partly because the most current version of the application is always used. One reason Java exploits have been so successful is that many users fail to update their version of Java.

For applets that cannot be converted to a Java Web Start application, developers can explore various alternatives suggested by Oracle in a white paper on migrating from Java applets. These include native Windows/OS X/Linux installers, which do not require a separate JRE application, or JavaFX WebView, which lets an application use an embedded version of WebKit to render HTML5 applications. Whichever option is chosen, developers should receive training in the security aspects of development, configuration and deployment, to prevent needless flaws being introduced into the new app.


This was last published in June 2016


Join the conversation

3 comments


How does your enterprise plan to migrate from the Java plug-in and applets?
If the Java browser plug-in is not part of the JDK 9 version because of the vulnerabilities, then the web applications that are built using Java have to use JNLP (but JNLP internally uses the Java plug-in), so the metaspace that is replacing PermGen has to load a secure version of the signature along with which the browser loads the enterprise applications. Each time the application is loaded, the signature will be generated based on the version of Java and the OS, so that the browsers can accept the signature and execute the apps. The applets have to reach EOF going forward.
While in some ways I approve because it will improve security, this is going to cause some major issues in some web-based apps that totally rely on the Java Plug. I have already seen some of the issues where the browser has attempted to go away from this and it is not pretty.