Java's insecurity has doomed it on the desktop
OCTOBER 17, 2013
The latest round of patches for Java comes far too late
to rescue its damaged reputation as a desktop presence
By Serdar Yegulalp | InfoWorld
If Java on the desktop isn't dead yet, its latest
security update should go a long way toward convincing people it should be.
How urgent is this new security update? Urgent enough
that Oracle included patches for Java in its October 2013 Critical Patch Update
(CPU -- what an acronym), as part of the company's efforts to get security
fixes for Java out the door quarterly rather than three times a year.
Of the 127 fixes in this update, 50, slightly fewer than half,
addressed remotely exploitable vulnerabilities in Java. And 12 of those were
vulnerabilities that could have handed an attacker complete control of the underlying OS. Ouch.
What's more, the vast majority of those Java fixes are for
client-only problems, meaning vulnerabilities that can be exploited only on a client
machine, not on a server.
If any one thing has driven the decline of Java as a desktop
technology, it's the way the product has been shown time and again to be deeply
insecure. Oracle keeps promising it has the issue under control, even though the
vast majority of the security bugs that have been found date back to before Java
changed hands from Sun to Oracle in 2010.
Oracle has used that fact to its advantage, claiming,
"When we acquired Sun, [it] was not in a position to fully fund the
security team," as stated by Cameron Purdy, Oracle vice president of cloud
applications and Java EE (Enterprise Edition) during JavaOne back in September.
Purdy also owned up to not making the Java security team robust enough and
indicated that a major source of problems is users who keep running older editions
of Java without updating.
Fair enough, but the damage done to Java as a desktop and
client-side technology may well be permanent. Mozilla has been blacklisting older
versions of Java since 2012, and Google is now moving toward ditching support
for such plug-ins entirely. No great loss there -- when was the last time,
apart from a corporate portal or a site based on mid-2000s technology, you
actually needed a Java plug-in to make a site work?
Google's move could also be its way of indirectly
deprecating what is now more than ever a competitor's technology. Google is
doubling down on Go, Native Client, and Dart, and according to my colleague
Galen Gruman may be leaving (the Java-powered) Android behind in favor of
Chrome OS.
None of this is a patch -- pun intended -- on Java as a
server-side technology. The JVM's untapped possibilities have long been one of
its best-kept secrets, and the sheer amount of server-side Java used in
businesses promises it won't be going anywhere for a long time to come.
But Java as a desktop force shows no signs of making a
roaring comeback, and with each hammering-home of the message that it's an
insecure, outdated technology, the odds get a little worse.