Do you really need Java in your browser?
A new, Java-related malware threat makes its way around Twitter, prompting some bloggers to question whether we really need Java in the browser anymore.
Mikko Hypponen has posted a warning regarding a Twitter-based malware link that
delivers malware via a Java applet, prompting him to ask “Do you
really need Java in your browser?”
This question has been picked up by Larry Seltzer, who concludes that Java is no
longer absolutely necessary in the browser, as most graphical uses
of Java have been replaced by Flash.
He’s not alone in his stance in the Flash vs. Java argument,
with Timo Ernst simply stating that Flash is “better than Java” and that it has the
potential to become “the next-gen Java-replacement for Desktop

But, even if Java is no longer necessary for a graphical web
experience, is Java dangerous? One of the big drawbacks of Java
is the old, unpatched versions that may still be installed on user
systems, and recently Java received bad press for a bug
in its Java Deployment Toolkit, which allowed arbitrary parameters
to be passed to the Java Web Start utility. Tavis Ormandy filed a
report claiming this bug provided enough functionality to allow the
error to be exploited. Days later, his prediction came true, when
it was revealed that a song lyrics website was already
unwittingly redirecting users to an attack server in Russia,
which exploited this vulnerability.
Alexander Sotirov expressed surprise that this
bug was affecting so many people. “Why are people still running
Java in the browser?” he asked. “I uninstalled Java more than a year
ago and haven’t had a single problem with any website.”
Oracle did issue a patch, but that wasn’t enough for Mozilla,
who reacted by
disabling the vulnerable versions of the Java Deployment
Toolkit plugin for Firefox users. However, this proved to be
controversial, with several visitors to the related Bugzilla flaming Firefox for deciding “to turn
off my software running on my computer,” proving that there are
plenty of people out there who do still run Java in their browsers,
and do not take too kindly to Java plugins being disabled for

Maybe Alexander Sotirov was happy going Java-less, but this
clearly isn’t the case for everyone.