Coffee, in one case a vital component of the web, has dropped in popularity over the by several years. Nigh mod browsers block Java past default, and the majority of dwelling users don't demand to install it anymore.

Nosotros've long heard that Java is the single nearly insecure slice of software for desktop computers, especially Windows. But is this still true? Let'due south dig in and find out.

The Historical Problems With Java

The main reason that Java has get such a pop target for set on is how widespread it is. Because Java was designed for maximum compatibility, it runs on a host of devices. In addition to computers, Coffee powers Blu-ray players, printers, parking payment systems, lottery devices, and much more. It's the opposite of security through obscurity: a major platform provides the best payoff for an attack.

Of form, we're concerned with Java on the desktop. And there, the worst offense is that Coffee doesn't automatically update itself. Unlike most other mod programs, Java only asks the user to install updates when available. Even worse, by default, Java merely checks for updates once a week or even once a calendar month. That'southward dangerous for an app with and then many security vulnerabilities.

Many people see the update prompt and ignore it, resulting in them running an outdated version of Coffee. And with new versions offered regularly, even those who install some updates may get frustrated and ignore further ones. In some cases, even when users install a new version, they leave the onetime re-create of Java installed equally well. This widens their vulnerability to attack.

Of course, nosotros tin't forget Java'southward long-running saga of including the terrible Ask Toolbar. Every fourth dimension you installed or updated Coffee, you had to remember to uncheck a box or it would include that piece of junk. While not an exploit, this left a bad taste in users' mouths.

Modern Java

So that's what was incorrect with Java in the past, simply what nearly recently?

In October 2017, Veracode found [No Longer Available] that 88 percent of Java applications contain at least 1 vulnerable component. In early 2016, Oracle announced that fifty-fifty the Coffee installer was vulnerable. If an attacker placed a DLL file with a specific name in your Downloads binder, it would trigger an infection when you ran the Java installer. And in full general, due to Java's popularity, you would simply need to visit a compromised website that took advantage of your outdated re-create of Java to be infected.

While this means that Coffee is far from safe, at that place's good news, too. In early 2016, Oracle announced that it plans to deprecate the Java browser plugin (which is the source of most problems) in JDK 9, which is available now. Modernistic browsers accept left Coffee behind, too. Chrome dropped support for Java in tardily 2015, and Firefox stopped supporting it in early 2017. Microsoft's Edge browser, included with Windows ten, doesn't support Java at all.

This means that if you really need to utilise Java in a browser, you lot'll have to stick with Internet Explorer.

The Biggest Vulnerabilities

Since Java is dropping off in popularity, what's taken its identify as the nearly insecure desktop software?

Flexera's latest information, from Q1 2017, reveals that 7.8% of programs on the average PC have reached the finish of their life. It ranks the top 10 nigh exposed programs, based on market share multiplied by percentage of users who aren't patched:

  1. iTunes 12.x
  2. Coffee 8.x
  3. VLC Media Player two.10
  4. Adobe Reader XI 11.x
  5. Adobe Shockwave Player 12.x
  6. Malwarebytes Anti-Malware 2.10
  7. Kindle for PC one.x
  8. Adobe Acrobat Reader DC 15.ten
  9. uTorrent 3.ten
  10. iCloud for Windows half-dozen.10

This list may surprise yous. While Java isn't the most risky program, information technology's still the second. Other programs that we don't typically associate with security risks, similar VLC and Malwarebytes, hold a spot besides. This illustrates the importance of keeping all your software up to appointment, not just the pop ones.

We can meet more past examining Avast'due south Q3 2017 security study. It lists the acme 10 most out of date programs on its users' PCs:

  1. Coffee 6, seven, and eight
  2. Adobe Air
  3. Adobe Shockwave
  4. VLC Media Thespian
  5. iTunes
  6. Firefox
  7. 7-Zip
  8. WinRAR
  9. QuickTime
  10. Adobe Flash Player

When you include the older versions, information technology seems that Java nevertheless tops the least-updated software. Adobe'southward plugins are as well big culprits, and we see iTunes and VLC made this listing likewise.

Conversely, according to TechRadar, Chrome comes out on height for updated apps. When surveyed, 88% of users running Chrome had the latest version installed. This shows how silent automatic updates brand a huge deviation, compared to the nagging update prompts used by Java and Adobe runtimes.

Don't Forget OS Updates Too

Another vital component of update to remember is OS updates. Remember that users who had automatic updates installed were spared from the terrible ransomware attack in mid-2017. Even if you keep software similar Java upwardly to date, your computer is all the same at risk if yous don't install Windows updates.

Windows 10 makes these automatic updates easy, but those on Windows 7 might accept disabled them. And those nonetheless using Windows XP near four years later its stop of life are putting themselves at major take a chance.

How Dangerous Is Java, Actually?

Taken all together, can we still say that Java is the biggest security risk for desktops? Not really. On the negative side, people still proceed to run outdated versions of Java even though they actually don't need information technology. This opens them upward to security vulnerabilities. However, since virtually browsers don't back up Java anymore, they aren't open to attack like they once were.

The weak link in your computer's security comes from the most popular piece of software you don't keep updated. If you have the newest version of Java but still haven't uninstalled the unsupported QuickTime for Windows, that'due south a big take chances. Having an outdated version of Flash, Adobe Reader, or iTunes could open you up to assault too.

Nosotros can glean from the data higher up that programs without automatic updates are typically the least secure. For example, iTunes constantly asks users to update, which is annoying. This leads people to ignore the updates and leave an insecure version installed.

What About Mac and Linux?

We've focused on Java for Windows above, simply information technology's worth speedily mentioning how this affects Mac and Linux users likewise.

Surprisingly, while Apple tree doesn't allow plugins run by default in Safari, the browser even so supports the old plugins like Coffee and Silverlight. While you should uninstall Coffee on your Mac unless yous need it for a specific reason, Java hasn't caused as many problems for Mac users equally it has on Windows. Lately, most security holes in macOS take been thanks to oversights from Apple tree itself.

Linux hasn't seen any unique Java vulnerabilities either. If you lot need a browser that supports Java on Linux, you tin can try the ESR (Extended Support Release) version of Firefox. Firefox provides this version for business environments; it provides the latest security updates but waits longer to whorl out characteristic updates. The current version, 52, supports Java and other legacy plugins will be available until onetime in Q2 2018.

A Plugin-Free Future

The good news is that you lot don't need most of these potentially dangerous and annoying plugins installed anymore. Very few websites utilize Coffee, and the major programme that people kept Java installed for---Minecraft---includes a rubber bundled version of Coffee now. Other plugins aren't necessary either. Microsoft deprecated Silverlight years ago, and you'd be hard-pressed to detect a site with Shockwave content.

Flash is the lone exception. Almost browsers still support it due to its popularity, but Adobe will kill information technology off in 2020. Until and then, accept care to make sure you update Wink on your PC. Chrome does and so automatically, so y'all may non even accept information technology installed anymore (which is keen).

So in short: Java is however insecure but poses less of a hazard thanks to browsers disabling it. You should uninstall programs you lot don't need (including old plugins), go along the software on your computer updated, and utilise OS updates. If you do this, you'll be well-off.

Image Credit: avemario/Depositphotos

15 Windows Command Prompt (CMD) Commands You Must Know

Read Next

About The Author

Ben Stegner (1808 Articles Published)

Ben is the Editor in Main at MakeUseOf. He left his IT job to write full-time in 2016 and has never looked back. He'south been covering tech tutorials, video game recommendations, and more as a professional writer for over 8 years.

More From Ben Stegner