Java's insecurity has doomed it on the desktop

OCTOBER 17, 2013

The latest round of patches for Java comes far too late to rescue its damaged reputation as a desktop presence

By Serdar Yegulalp | InfoWorld

If Java on the desktop isn't dead yet, its latest security update should go a long way toward convincing people it should be.

How urgent is this new security update? Urgent enough that Oracle folded the Java patches into its October 2013 Critical Patch Update (CPU -- what an acronym), as part of the company's effort to ship Java security fixes on the same quarterly CPU schedule as its other products rather than on Java's old three-times-a-year cycle.

Of the 127 fixes in this update, 50 -- well over a third -- were for Java flaws exploitable remotely, without authentication. And 12 of those were flaws that could hand an attacker complete control of the underlying OS. Ouch.

What's more, the vast majority of those Java fixes address client-only problems -- meaning flaws that can be exploited only through client-side Java deployments, such as the browser plug-in, not through Java running on a server.

If any one thing has driven the decline of Java as a desktop technology, it's the way the product has been shown time and again to be deeply insecure. Oracle keeps promising it has the issue under control, even though the vast majority of the security bugaboos that have been found go back to before Java changed hands from Sun to Oracle in 2010.

Oracle has used that fact to its advantage, claiming, "When we acquired Sun, [it] was not in a position to fully fund the security team," as stated by Cameron Purdy, Oracle vice president of cloud applications and Java EE (Enterprise Edition), during JavaOne back in September. Purdy also owned up to not making the Java security team robust enough and indicated that a major source of problems is users who keep running older editions of Java without updating.

Fair enough, but the damage done to Java as a desktop and client-side technology may well be permanent. Mozilla has been blocklisting older versions of the Java plug-in in Firefox since 2012, and Google has announced it will drop support for such NPAPI plug-ins from Chrome entirely. No great loss there -- when was the last time, apart from a corporate portal or a site based on mid-2000s technology, you actually needed a Java plug-in to make a site work?
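The failure mode Purdy describes, and the one Mozilla's blocklist targets, is a machine still running a Java build from before the latest patch. The added example below (written for this page, not code from the article, Oracle or Mozilla) shows the check an administrator actually needs: parse the `java -version` banner and compare the update level against the build shipped with the current CPU. The baseline table is an assumption to be edited each quarter; the values used here, 7 Update 45 and 6 Update 65, are the builds Oracle released with the October 2013 CPU, which the article does not spell out. The sample banners are constructed. The point worth noticing is that the comparison must be numeric: a plain string compare puts "1.7.0_9" after "1.7.0_45" and would wave an unpatched install through.

```python
import re
import subprocess

# Minimum update level per major release, as shipped by Oracle's
# October 2013 CPU (7u45, 6u65). ASSUMPTION: edit this each quarter.
BASELINE = {7: 45, 6: 65}

# Java 1.x banner: java version "1.7.0_45"  /  openjdk version "1.7.0_40"
# The update suffix is optional (a GA build prints just "1.7.0").
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) parsed from `java -version` output, or None.

    Parses the 1.x.y_update form used by Java 5 through 8; a banner that
    does not match (corrupted output, a different JVM) yields None so the
    caller can flag it rather than silently treat it as current.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_outdated(version, baseline=BASELINE):
    """True when the install is older than the patched build for its line.

    Compares the update level as an integer, never as a string, because
    "1.7.0_9" sorts after "1.7.0_45" lexicographically.  An unparseable
    banner or a major release with no patched build (Java 5 and earlier)
    is reported as outdated; there is nothing current to compare it to.
    """
    if version is None:
        return True
    major, update = version
    if major not in baseline:
        return True
    return update < baseline[major]


def classify_banners(banners):
    """Map each banner to (version, outdated) for a list of hosts' output."""
    results = {}
    for host, banner in banners.items():
        version = parse_java_version(banner)
        results[host] = (version, is_outdated(version))
    return results


def check_local_java():
    """Run `java -version` on this machine and classify it.

    The banner goes to stderr, so both streams are captured.  Returns
    (None, False) when no java binary is on PATH: nothing to patch.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None, False
    version = parse_java_version(proc.stderr + proc.stdout)
    return version, is_outdated(version)


# Constructed sample banners standing in for an inventory pulled from
# several desktops; not real output from any named machine.
SAMPLE_BANNERS = {
    "desk-01": 'java version "1.7.0_45"\n'
               'Java(TM) SE Runtime Environment (build 1.7.0_45-b18)\n',
    "desk-02": 'java version "1.7.0_9"\n'
               'Java(TM) SE Runtime Environment (build 1.7.0_09-b05)\n',
    "desk-03": 'java version "1.6.0_65"\n',
    "desk-04": 'java version "1.6.0_45"\n',
    "desk-05": 'java version "1.5.0_22"\n',
    "desk-06": 'openjdk version "1.7.0_40"\n',
    "desk-07": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for host, (version, stale) in sorted(classify_banners(SAMPLE_BANNERS).items()):
        print(f"{host}: {version} -> {'OUTDATED' if stale else 'ok'}")
    print("this machine:", check_local_java())
```

Run as a script it prints the verdict for each constructed banner and then for the local JVM; in an inventory job you would feed `classify_banners` the captured banners from each host and act on every entry marked outdated, including the ones that failed to parse.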

Google's move could also be its way of indirectly deprecating what is now more than ever a competitor's technology. Google is doubling down on Go, Native Client, and Dart, and according to my colleague Galen Gruman may be leaving (the Java-powered) Android behind in favor of Chrome OS.

None of this is a patch -- pun intended -- on Java as a server-side technology. The JVM's untapped possibilities have long been one of its best-kept secrets, and the sheer amount of server-side Java used in businesses promises it won't be going anywhere for a long time to come.

But Java as a desktop force shows no signs of making a roaring comeback, and with each hammering-home of the message that it's an insecure, outdated technology, the odds get a little worse.
