Oracle closing an attack vector by deprecating the Java browser plug-in

Oracle announced plans to deprecate the Java browser plug-in, a noted attack vector, though the choice was not entirely its own.

Oracle announced that when it releases the next version of its Java Development Kit, it will deprecate the Java browser plug-in and has asked developers to begin transitioning Java applets to its new Java Web Start technology.

Oracle made it clear that this move is not exactly by choice, noting that "many browser vendors have either removed or announced timelines for the removal of standards based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin based technologies." Oracle made no reference to security hardening software like Microsoft's Enhanced Mitigation Experience Toolkit (EMET) that has long offered options to block browser plug-ins like Java's because they are used as attack vectors.

Oracle said that the plug-in would be deprecated with version nine of its Java Development Kit (JDK), and advised developers to migrate applets to Java Web Start, which allows Java applets to be started in the browser without a plug-in. However, Oracle noted that if migrating to Java Web Start doesn't work, developers could also create native installers for the apps or use a feature called WebView, which enables applications to use an embedded version of WebKit to render HTML5 content.

Morey Haber, vice president of technology at BeyondTrust, warned that there could be huge challenges for developers with this migration.

"I am aware of many financial and healthcare applications that are pure Java and will have to adapt to the alternatives," Haber said. "While there is a transition path, legacy applications for professionals like radiologists or financial planners will require older browsers, continue to be vulnerable, and represent an exponential risk to the user and data until they migrate to a new version or vendor."

Even worse, Haber said that Web Start might not be any better in terms of security.

"Java Web Start vulnerabilities can be leveraged just like applets," Haber said, "so even after plug-in support is EOL, users are still required to update Java to mitigate vulnerabilities."

Oracle has not announced an end-of-life date for the Java browser plug-in and experts estimated that most companies will not transition to Web Start for one or two years, and some could take as long as 10 years to switch.

Tod Beardsley, security research manager at Rapid7, urged companies to start efforts to transition to Java Web Start sooner rather than later because threat actors may renew assaults on the Java browser plug-in attack vector.

"Just like when Microsoft stopped support for Windows XP, we can't expect that the end of support for Java plug-ins will instantly eradicate the applications that rely on it. While Java plug-ins have fallen out of favor on the general, public Internet, there are still plenty of internal networks that need Java plug-ins to run their internal applications," Beardsley said. "Organizations working through this transition should be extra vigilant, as anyone currently sitting on an undisclosed vulnerability for this technology will be motivated to use it now -- before the majority of companies have switched over."
