It's Time to Get Rid of Java, Feels F-Secure

Posted 12/28/2011 at 7:13am | by Pulkit Chandna

8

Comments

Print

The Java browser plugin is notorious for being wildly popular among malware authors. The ubiquity of Java is not the only reason for this. Rather, the problem seems to lie more in the fact that a sizable chunk of its installed base consists of outdated versions, something that is often attributed to low awareness among users about Java itself and the threat posed by Java vulnerabilities. But according to F-Secure’s Mikko Hypponen, the only thing users need to know about Java is that they don’t need it. Hit the jump for more.

In a recent blog post on F-Secure’s site, Hypponen questioned the very raison d'être of Java and concluded that most people don’t need it anymore. He feels that others too will arrive at the same conclusion once they get down to ditching it.

“The risks of Java are nicely illustrated by the recent Java Rhino vulnerability (aka CVE-2011-3544),” wrote Hypponen. “If you're running Java, but not the latest version, you're vulnerable. So either you have to check at all times that you have the latest version of Java — or get rid of it altogether.”

“And the Java Rhino vulnerability is not theoretical: the most common exploit kits have incorporated this vulnerability in their default exploits, and it seems to be working very well for the online criminals.”

Don’t know about everyone, but certainly those who don't even know their Java from JavaScript don’t need it at all. Hypponen informed these unenlightened souls that the two are completely different things, making it clear that unlike Java “it's hard to use the web without JavaScript”.

For those who only need Java for a specific web application, he has an alternative to completely abandoning it: “Leave Java on your system but remove the Java plugin from your daily browser. Then use another browser that you use only for this one service.”