Why Java Is Less of a Security Risk Now on Windows Mac and Linux
MUO
Why Java Is Less of a Security Risk Now on Windows Mac and Linux
Most people know Java is insecure, but is it still the most dangerous piece of desktop software? Can it still cause problems on Windows, macOS and Linux? Let's take a look and find out. Java, once a vital component of the web, has dropped in popularity over the past several years. Most modern browsers block Java by default, and the majority of home users don't need to install it anymore. We've long heard that Java is the single most insecure piece of software for desktop computers, especially Windows. But is this still true? Let's dig in and find out. The Historical Problems With Java
The main reason that Java has become such a popular target for attack is how widespread it is. Because Java was designed for maximum compatibility, it runs on a host of devices. In addition to computers, Java powers Blu-ray players, printers, parking payment systems, lottery devices, and much more. It's the opposite of : a major platform provides the best payoff for an attack. Of course, we're concerned with Java on the desktop. And there, the worst offense is that Java doesn't automatically update itself. Unlike most other modern programs, Java simply asks the user to install updates when available. Even worse, by default, Java only checks for updates once a week or even once a month. That's dangerous for an app with so many security vulnerabilities. Many people see the update prompt and ignore it, resulting in them running an outdated version of Java. And with new versions offered regularly, even those who install some updates may get frustrated and ignore further ones. In some cases, even when users install a new version, they leave the old copy of Java installed as well. This widens their vulnerability to attack. Of course, we can't forget Java's long-running saga of including . Every time you installed or updated Java, you had to remember to uncheck a box or it would include that piece of junk. While not an exploit, this left a bad taste in users' mouths. Modern Java
So that's what was wrong with Java in the past, but what about recently? In October 2017, Veracode found [No Longer Available] that 88 percent of Java applications contain at least one vulnerable component. In early 2016, Oracle announced that . If an attacker placed a DLL file with a specific name in your Downloads folder, it would trigger an infection when you ran the Java installer. And in general, due to Java's popularity, you would only need to that took advantage of your outdated copy of Java to be infected. While this means that Java is far from safe, there's good news, too. In early 2016, that it plans to deprecate the Java browser plugin (which is the source of most problems) in JDK 9, which is available now. Modern browsers have left Java behind, too. in late 2015, and in early 2017. Microsoft's Edge browser, included with Windows 10, . This means that if you really need to use Java in a browser, you'll have to stick with Internet Explorer. The Biggest Vulnerabilities
Since Java is dropping off in popularity, what's taken its place as the most insecure desktop software? , from Q1 2017, reveals that 7.8% of programs on the average PC have reached the end of their life. It ranks the top 10 most exposed programs, based on market share multiplied by percentage of users who aren't patched: iTunes 12.x Java 8.x VLC Media Player 2.x Adobe Reader XI 11.x Adobe Shockwave Player 12.x Malwarebytes Anti-Malware 2.x Kindle for PC 1.x Adobe Acrobat Reader DC 15.x uTorrent 3.x iCloud for Windows 6.x This list may surprise you. While Java isn't the most risky program, it's still the second. Other programs that we don't typically associate with security risks, like VLC and Malwarebytes, hold a spot too. This illustrates the importance of keeping all your software up to date, not just the popular ones. We can see more by examining . It lists the top 10 most out of date programs on its users' PCs: Java 6, 7, and 8 Adobe Air Adobe Shockwave VLC Media Player iTunes Firefox 7-Zip WinRAR QuickTime Adobe Flash Player When you include the older versions, it seems that Java still tops the least-updated software. Adobe's plugins are also big culprits, and we see iTunes and VLC made this list as well. Conversely, , Chrome comes out on top for updated apps. When surveyed, 88% of users running Chrome had the latest version installed. This shows how silent automatic updates make a huge difference, compared to the nagging update prompts used by Java and Adobe runtimes. Don t Forget OS Updates Too
Another vital component of update to remember is OS updates. Remember that users who had automatic updates installed were spared from . Even if you keep software like Java up to date, your computer is still at risk if you don't install Windows updates. , but those on Windows 7 might have disabled them. And those still using Windows XP nearly four years after its end of life are putting themselves at major risk. How Dangerous Is Java Really
Taken all together, can we still say that Java is the biggest security risk for desktops? Not really. On the negative side, people still continue to run outdated versions of Java even though they really don't need it. This opens them up to security vulnerabilities. However, since most browsers don't support Java anymore, they aren't open to attack like they once were. The weak link in your computer's security comes from the most popular piece of software you don't keep updated. If you have the newest version of Java but still haven't , that's a big risk. Having an outdated version of Flash, Adobe Reader, or iTunes could open you up to attack too. We can glean from the data above that programs without automatic updates are typically the least secure. For example, iTunes constantly asks users to update, which is annoying. This leads people to ignore the updates and leave an insecure version installed. What About Mac and Linux
We've focused on Java for Windows above, but it's worth quickly mentioning how this affects Mac and Linux users too. Surprisingly, while Apple doesn't let plugins run by default in Safari, the browser still supports the old plugins like Java and Silverlight. While you should uninstall Java on your Mac unless you need it for a specific reason, Java hasn't caused as many problems for Mac users as it has on Windows. Lately, most security holes in macOS have been . Linux hasn't seen any unique Java vulnerabilities either. If you need a browser that supports Java on Linux, you can try the . Firefox provides this version for business environments; it provides the latest security updates but waits longer to roll out feature updates. The current version, 52, supports Java and other legacy plugins will be available until sometime in Q2 2018. A Plugin-Free Future
The good news is that you don't need most of these installed anymore. Very few websites use Java, and the major program that people kept Java installed for---Minecraft---. Other plugins aren't necessary either. Microsoft deprecated Silverlight years ago, and you'd be hard-pressed to find a site with Shockwave content. . Most browsers still support it due to its popularity, but . Until then, take care to make sure you update Flash on your PC. Chrome does so automatically, so you may not even have it installed anymore (which is great). So in short: Java is still insecure but poses less of a risk thanks to browsers disabling it. You should uninstall programs you don't need (including old plugins), keep the software on your computer updated, and apply OS updates. If you do this, you'll be well-off. Image Credit: avemario/