Industry Trends

Java Browser Plugin is Dead, Long Live HTML5!

By David Maciejak | February 05, 2016

A few days ago, Oracle announced on their blog that they plan to kill the Java browser plugin in their next major version of JDK, scheduled for release in Q1 2017.

What does this mean? Should we worry about our browsing experience?

This really just means that it won’t be possible to run Java applets in the browser anymore. The infamous “applet” is a technology that was developed by Sun Microsystems in the 90’s and went on to be acquired by Oracle.

This technology was still popular in many exploit kits over the last two years but in the last year alone we saw a sudden shift where kits removed Java support in favor of embedding more Adobe Flash exploits and direct browser exploits. 

So, for an average user, the impact of this sudden passing will be pretty minimal. Most average users might not realize that the majority of web browsers have already done away with support for the API needed to run the Java plugin.

For business users that still need to run Java in the browser, Oracle is advising that you move to a plugin-free technology like java Web Start. Note, the existing applets will not only need to be switched but it will require new porting.

From the security perspective, we wholeheartedly welcome the decision. As we stated before, despite seeing less attacks targeting this particular component, it is still better to reduce the web browser attack surface that is exposed publicly on Internet.

In fact, in a perfect world, the decision to squash Java should have come much sooner.

Now that HTML5 is mature enough, developers can provide rich applications without using third-party plugins like Java. It is pretty obvious to follow this trend and assume that Adobe Flash is next on the chopping block. Some would say, and rightly so, that this decline in third-party API reliance is closely linked with the growing usage of smartphones that natively do not support them.

Some skeptics may wonder if HTML5 is mature enough to provide a real and practical user experience.
In fact, HTML5 is not enough by itself to replace these plugins. But, coupled with CSS3 and JavaScript, developers can now achieve what was impossible even just some months ago. Thanks to enhancements of the JavaScript engine embedded in our web browsers, web pages are even more dynamic and fast to load than ever before. We now experience the web with animations, moving canvases, and even mobile haptic feedback. 

All these new APIs are opened and distributed by the W3C, web browser software providers can then develop new features based on their recommendations. This means they have end to end control of the implementation of these features. Even if a vulnerability is found they can push a hot fix within a couple of hours or days. From a security point of view, end-users will be safer as they will not have to deal with cumbersome manual updates any longer. 

UPDATE: 11/02/2016

Still more and more Flash exploits are embedded in exploit-kits, CVE-2015-8651 was found embedded in Neutrino as stated here:

We predicted that Flash would be the next phase out. It seems that Flash will meet its maker sooner rathe than later as Google recently published a timeline stating that Flash ads will be not allowed starting Jan 2017.

Adobe is still preparing the switch and, according to their recent actions, will adopt HTML5.

-= FortiGuard Lion Team =-