Oracle recently announced that for the next version of the Java Development Kit, it will deprecate the Java browser...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
plug-in because of the security risks associated with it. From a security perspective, this seems like a good move, but what does this mean for enterprises that have a lot of Java-based applications? And are there security risks we should be aware of when using the Oracle Java browser plug-in alternatives?
Oracle's Java browser plug-in has been the bane of many network administrators' lives. Although it is a popular vector hackers use to install malware or otherwise attack users, many enterprises had developed Java-based business applications and thus require administrators to support it. According to Trustwave, 78% of exploits in 2013 were targeting Java. Although the situation has improved since, it has required constant patching to prevent exploit kits and cyberespionage groups, such as Pawn Storm, from abusing zero-day and other serious vulnerabilities.
These developments, combined with the growing use of mobile device browsers, which typically don't support plug-ins, will eventually force enterprises to update and migrate from applications that rely on the Java browser plug-in. For organizations that still need client-side Java, the first option to explore is migrating from Java Applets, which rely on a browser plug-in, to the plug-in free Java Web Start technology. Java Web Start, included in the Java Platform Standard Edition 7 JDK, does not rely upon a browser, and is considered a safer way to run Java applications, partly because the most current version of the application is always used. One reason Java exploits have been so successful is that many users fail to update their version of Java.
For applets that cannot be converted to a Java Web Start application, developers can explore various alternatives suggested by Oracle in a white paper on migrating from Java applets. These include native Windows/OS X/Linux installers, which do not require a separate JRE application, or JavaFX WebView, which lets an application use an embedded version of WebKit to render HTML5 applications. Whichever option is chosen, developers should receive training in the security aspects of development, configuration and deployment, to prevent needless flaws being introduced into the new app.
Learn how to defend the Silverlight plug-in against drive-by attacks
Find out how enterprises can mitigate browser plug-in threats
Read how the AVG Web TuneUp browser extension exposed user data
Dig Deeper on Web browser security
Related Q&A from Michael Cobb
A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well...continue reading
Software developed by the hacking group Platinum takes advantage of Intel AMT to bypass the built-in Windows firewall. Expert Michael Cobb explains ...continue reading
Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.