Do you really need Java in your browser?
A new, Java-related malware threat makes its way around Twitter, prompting some bloggers to question whether we really need Java in the browser anymore.
Mikko Hypponen has posted a warning regarding a Twitter-based malware link that delivers malware via a Java applet, prompting him to ask “Do you really need Java in your browser?”
This question has been picked up by Larry Seltzer, who concludes that Java is no longer absolutely necessary in the browser, as most graphical uses of Java have been replaced by Flash.
He’s not alone in his stance in the Flash vs. Java argument, with Timo Ernst simply stating that Flash is “better than Java” and that it has the potential to become “the next-gen Java-replacement for Desktop applications.”
But, even if Java is no longer necessary for a graphical web experience, is Java dangerous? One of the big drawbacks of Java, are old, unpatched versions that may still be installed on user systems and recently, Java received bad press for a bug in its Java Deployment Toolkit, which allowed arbitrary parameters to be passed to the Java Web Start utility. Tavis Ormandy filed a report claiming this bug provided enough functionality to allow the error to be exploited. Days later, his prediction came true, when it was revealed that a song lyrics website was already unwittingly redirecting users to an attack server in Russia, which exploited this vulnerability.
Alexander Sotirov expressed surprise that this bug was affecting so many people. “Why are people still running Java in the browser?” he asked “I uninstalled Java more than a year ago and haven’t had a single problem with any website.”
Oracle did issue a patch, but that wasn’t enough for Mozilla, who reacted by disabling the vulnerable versions of the Java Deployment Toolkit plugin for Firefox users. However, this proved to be a controversial, with several visitors to the related Bugzilla flaming Firefox for deciding “to turn off my software running on my computer,” proving that there are plenty of people out there who do still run Java in their browsers, and do not take too kindly to Java plugins being disabled for them.
Maybe Alexander Sotirov was happy going Java-less, but this clearly isn’t the case for everyone.