
Oracle Java Plug-in Security: Why Is It Still Enabled?

October 14, 2014

The Java Security Vulnerability in 2013

In 2013, Java exploits accounted for 91 percent of the attacks observed in Cisco's annual security data (discussed below). A major contributing factor was the widespread use of an outdated, insecure Java browser plug-in: the plug-in is what lets an arbitrary web page hand code to the Java runtime in the first place.

The Problem with the Java Plug-in

Most people not only had the Java browser plug-in enabled but were also running versions with publicly known vulnerabilities, which left their systems open to exploitation by any web page they happened to visit.

Oracle should disable this plug-in by default. Making it opt-in would remove most of this exposure for the large majority of users who never need it.

Oracle's Acknowledgment and Response

Oracle is well aware of how bad the plug-in's security record is. Its response has been to effectively abandon the security sandbox, the mechanism originally built to shield users from potentially harmful Java applets, rather than to fix it.

Current Access Levels of Java Applets

Under the current default configuration, any applet that Java agrees to run at all runs with unrestricted access to the user's system; the sandbox no longer stands between a web page's Java code and the machine. This is a significant security concern.

Consequently, the current state of the Java plug-in represents a considerable vulnerability that requires immediate attention.

The Java Browser Plug-in: A Significant Security Risk

Java's defenders often object when reports highlight its security record, arguing that the problem lies only with the browser plug-in and not with Java itself. That argument concedes the plug-in is flawed, and the flawed plug-in is enabled by default in every Java installation. The data shows how widespread the resulting exposure is.

Even among visitors to How-To Geek, a substantial 95 percent of those accessing the site from non-mobile devices have the Java plug-in enabled. This is despite consistent recommendations from our website to uninstall Java or, at the very least, disable the plug-in.

Widespread Vulnerability

Across the internet, research consistently reveals that a majority of computers with Java installed are running outdated and vulnerable browser plug-ins. These outdated versions are readily exploited by malicious websites.

A 2013 study by Websense Security Labs found that roughly 80 percent of the computers it observed were running outdated, vulnerable versions of Java. Even the more optimistic estimates are alarming: they generally put the share of out-of-date Java plug-ins above 50 percent.

Java as a Target for Attacks

Cisco's 2014 Annual Security Report found that 91 percent of all attacks it observed in 2013 targeted Java. Oracle has also been criticized for profiting from the situation: the frequent updates that the plug-in's security record makes necessary double as a delivery vehicle for the Ask Toolbar and other junkware bundled with the Java installer, a questionable practice, to say the least.

  • Key Takeaway: The default-enabled, insecure Java browser plug-in remains a major security concern for a large percentage of users.

The Demise of Sandboxing in Oracle's Java Plug-in

The Java plug-in runs Java programs, usually called "Java applets," directly inside the web browser, much as Adobe Flash runs Flash content. The plug-in was designed to run applets inside a security sandbox that isolates them from the rest of the system, so that an applet from an untrusted web page could not harm the user's machine.

In practice the sandbox did not hold. A steady stream of sandbox-escape vulnerabilities allowed malicious applets to break out and gain unrestricted access to the underlying system.

Rather than keep fighting that battle, Oracle has essentially given up on the sandbox. Java now refuses, by default, to run "unsigned" applets at all. If the sandbox could be trusted, unsigned code would not be a problem; Adobe Flash content, by comparison, is not signed and relies on the Flash sandbox to contain it.


Java now, by default, loads only applets that are digitally signed. That sounds like a security improvement, but it carries a serious drawback: a signed applet is treated as "trusted" and runs outside the sandbox entirely. A code signature establishes who published the code, not whether it is safe.

The Implications of Trusted Applets

As Oracle’s own warning message indicates, applications running with unrestricted access can potentially compromise both your computer and your personal data.

"This application will run with unrestricted access which may put your computer and personal information at risk."

Even Oracle's own Java version-check applet, a simple tool that verifies the installed version and prompts you to update, asks for this level of full system access. That is a telling design choice: it trains users to click through the warning for any applet that asks.


In effect, Oracle has relinquished the sandbox as a security feature. Users face a binary choice: either do not run a Java applet at all, or run it with complete access to the system. Keeping applets in the sandbox now requires manually changing Java's security settings.

The sandbox has become so unreliable that all Java code encountered on the web is treated as needing full system privileges. The browser plug-in therefore offers no more protection than downloading a Java program and running it directly; the protective layer it was meant to provide is gone.
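Before clicking through the prompt quoted above, it helps to know what the applet is actually asking for. The following is an added example, not code from the article or from Oracle: it opens an applet JAR with Python's standard library, reports whether it carries signature files, and reads the manifest's Permissions and Codebase attributes (Oracle's documented manifest attributes for signed applets, where "all-permissions" requests full access and "sandbox" asks to stay in the sandbox). The sample JAR is constructed in memory, its signature entries are placeholders rather than a valid signature, and the applet name is invented.

```python
"""Inspect an applet JAR before accepting Java's "unrestricted access" prompt.

Added example, not code from the article or from Oracle. Uses only the
standard library; the JAR built by build_sample_jar() is constructed
test input whose signature entries are placeholders.
"""
import io
import zipfile
from typing import Dict, List, Optional

SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def parse_manifest(data: bytes) -> Dict[str, str]:
    """Parse the main section of META-INF/MANIFEST.MF into attributes.

    Manifest lines are wrapped at 72 bytes; a continuation line begins with
    one space. Only the main section (up to the first blank line) is read,
    which is where Permissions and Codebase live.
    """
    attrs: Dict[str, str] = {}
    last_key: Optional[str] = None
    for line in data.decode("utf-8").splitlines():
        if line == "":
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]  # continuation of the previous value
            continue
        name, _, value = line.partition(":")
        last_key = name.strip()
        attrs[last_key] = value.strip()
    return attrs


def inspect_jar(jar_bytes: bytes) -> Dict[str, object]:
    """Report whether the JAR is signed and what its manifest asks for."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest: Dict[str, str] = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
    sig_files: List[str] = [
        n for n in names
        if n.upper().startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)
    ]
    return {
        # A .SF file marks a JAR as signed; the .RSA/.DSA/.EC block carries the signature.
        "signed": any(n.upper().endswith(".SF") for n in sig_files),
        "signature_files": sig_files,
        "permissions": manifest.get("Permissions"),  # "all-permissions" or "sandbox"
        "codebase": manifest.get("Codebase"),
    }


def prompt_means(report: Dict[str, object]) -> str:
    """Translate the report into what accepting Java's prompt would grant."""
    if not report["signed"]:
        return "unsigned: blocked outright at the default security level"
    if report["permissions"] == "sandbox":
        return "signed, requests sandbox: the signature still only proves who published it"
    if report["permissions"] == "all-permissions":
        return "signed, requests all-permissions: accepting the prompt gives the applet full access to your system"
    return "signed, no Permissions attribute: assess it as if it asked for all-permissions"


def build_sample_jar(permissions: str, signed: bool) -> bytes:
    """Build a minimal applet JAR in memory (constructed test input).

    The .SF/.RSA entries are placeholders that show where a signature lives
    in a real JAR; they are not a cryptographically valid signature.
    """
    manifest = (
        "Manifest-Version: 1.0\r\n"
        f"Permissions: {permissions}\r\n"
        "Codebase: *\r\n"
        "Application-Name: Example Version Checker\r\n"  # invented name
        "\r\n"
        "Name: Check.class\r\n"
        "SHA-256-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"\x30\x82placeholder")
        zf.writestr("Check.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    for perms, signed in (("all-permissions", True), ("sandbox", True), ("sandbox", False)):
        report = inspect_jar(build_sample_jar(perms, signed))
        print(f"{perms:16} signed={signed!s:5} -> {prompt_means(report)}")
```

The check is deliberately offline: it does not validate the signature, only shows what the JAR declares, which is what the prompt is really asking you to approve. A real triage would follow it by verifying the signer with the JDK's own tooling.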

A Java developer articulated this situation succinctly, stating that Oracle is “intentionally killing off the Java security sandbox under the pretense of improving security.”

Browser-Initiated Disablement of Java

Fortunately, browser vendors are stepping in where Oracle has not. Even with the Java plug-in installed and enabled, neither Chrome nor Firefox loads Java content automatically.

Instead, both browsers use "click-to-play" for Java: an applet is shown as a placeholder until the user explicitly chooses to run it, so a page cannot launch an applet silently in the background.

Internet Explorer is currently the only major browser that still loads Java content automatically by default. It has improved somewhat: with the "Windows 8.1 August Update" (also known as Windows 8.1 Update 2) in August 2014, Internet Explorer began blocking outdated and vulnerable ActiveX controls, which is how the Java plug-in is loaded in Internet Explorer.

It’s important to note that Chrome and Firefox implemented similar protections considerably earlier. Consequently, Internet Explorer lags behind its competitors in providing this crucial security feature.

Disabling the Java Plug-in for Enhanced Security

Anyone with Java installed should disable the browser plug-in through the Java Control Panel. On recent Java versions, press the Windows key, type "Java," and open the "Configure Java" shortcut.

Within the Java Control Panel, navigate to the Security tab and deselect the "Enable Java content in the browser" option. This action will prevent Java applets from running within web browsers.
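The checkbox above writes a setting to the user's Java deployment configuration, and an administrator can enforce the same setting for every user from a file instead of clicking through each Control Panel. The following is an added example, not code from the article or from Oracle: it reads a deployment.properties file (Java's standard Properties format), reports whether the browser plug-in is still enabled or merely unlocked, and writes a hardened copy. The property names deployment.webjava.enabled and deployment.security.level, and the .locked suffix that stops the Control Panel from changing a value, are Oracle's documented deployment properties; the sample file contents are constructed, and the file locations in the note afterwards are the usual defaults.

```python
"""Audit and harden a Java deployment.properties file.

Added example, not code from the article or from Oracle. The keys are the
documented Java deployment properties; SAMPLE_PROPERTIES is constructed
input that looks like a default user configuration.
"""
from typing import Dict, List, Set

WEBJAVA_KEY = "deployment.webjava.enabled"   # the "Enable Java content in the browser" checkbox
SECLEVEL_KEY = "deployment.security.level"   # the Security tab slider
HARDENED = {WEBJAVA_KEY: "false", SECLEVEL_KEY: "VERY_HIGH"}

SAMPLE_PROPERTIES = """\
#deployment.properties
#Tue Oct 14 09:12:33 BST 2014
deployment.version=7.21
deployment.modified.timestamp=1413274353000
deployment.webjava.enabled=true
deployment.security.level=HIGH
deployment.javaws.autodownload=NEVER
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader.

    Handles '#'/'!' comment lines, backslash line continuations and the
    '=', ':' or whitespace separators; a line with no separator is a key
    with an empty value, which is how '<key>.locked' entries appear.
    """
    props: Dict[str, str] = {}
    logical: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    for line in logical:
        key, value = line, ""
        for i, ch in enumerate(line):
            if ch in "=:\t " and (i == 0 or line[i - 1] != "\\"):
                key, value = line[:i], line[i + 1:].lstrip("\t =:")
                break
        props[key.strip()] = value
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return findings for settings that leave the browser plug-in exposed."""
    findings: List[str] = []
    webjava = props.get(WEBJAVA_KEY, "true")        # absent means enabled
    if webjava.lower() != "false":
        findings.append(f"{WEBJAVA_KEY}={webjava}: Java content in the browser is enabled")
    elif f"{WEBJAVA_KEY}.locked" not in props:
        findings.append(f"{WEBJAVA_KEY} is false but not locked: a user can re-enable it in the Control Panel")
    level = props.get(SECLEVEL_KEY, "HIGH")
    if level.upper() != "VERY_HIGH":
        findings.append(f"{SECLEVEL_KEY}={level}: slider is not at its most restrictive position")
    return findings


def harden(text: str) -> str:
    """Return a copy of the file with the plug-in disabled and locked and the
    slider at VERY_HIGH. Other lines and comments are kept in order."""
    locks: Set[str] = {f"{k}.locked" for k in HARDENED}
    out: List[str] = []
    seen: Set[str] = set()
    for raw in text.splitlines():
        stripped = raw.strip()
        key = None
        if stripped and stripped[0] not in "#!":
            key = stripped.split("=", 1)[0].strip()
        if key in HARDENED:
            out.append(f"{key}={HARDENED[key]}")   # overwrite the weak value in place
            seen.add(key)
        elif key in locks:
            continue                                # re-emitted below so they are never duplicated
        else:
            out.append(raw)
    for key, value in HARDENED.items():
        if key not in seen:
            out.append(f"{key}={value}")
    out.extend(sorted(locks))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit(parse_properties(SAMPLE_PROPERTIES)))
    hardened = harden(SAMPLE_PROPERTIES)
    print(hardened)
    print("after:", audit(parse_properties(hardened)))
```

For a single user the file lives under the per-user deployment directory (on Windows, the LocalLow\Sun\Java\Deployment folder in the user's profile; on Linux, ~/.java/deployment). To enforce it machine-wide, Oracle's documented mechanism is a system deployment.config (Windows: the Sun\Java\Deployment folder under the Windows directory; Linux: /etc/.java/deployment) whose deployment.system.config entry points at a hardened properties file and whose deployment.system.config.mandatory=true makes it binding; the .locked entries written above are what stop users undoing the change in the Control Panel.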

Impact on Applications

Disabling the plug-in does not affect desktop applications that run on Java, such as Minecraft. The change only stops Java applets embedded in web pages from running inside the browser.


The Declining Use of Java Applets

Despite being a fading technology, Java applets can still be encountered, particularly on internal corporate networks where older applications may utilize them. However, their presence on the public web is diminishing rapidly.

Java applets were once positioned as a rival to Flash, but never achieved the same reach. Even users who need Java for a specific desktop application do not necessarily need the browser plug-in.

A Legacy Compatibility Feature

Enabling the Java browser plug-in should be a deliberate choice made by users or organizations with a specific need. It should be treated as a compatibility feature for legacy systems.

Enabling the plug-in should require a manual change in the Java Control Panel rather than being the default. Shipping it switched off keeps that attack surface closed for the majority of users who will never need it.

#Java Plug-in#Oracle#security#vulnerability#browser plugin#default settings