Pull the Plug on Java Before It's Too Late

This week's zero-day exploit is the latest evidence suggesting that client-side Java is past its prime, not to mention dangerously insecure. It's time for consumers and enterprises to pull the plug on Java before Oracle sells it off and leaves it for the vultures of cyberspace.

By Rob Enderle
Fri, January 18, 2013

CIO — Client-side Java really never did make sense—not that it wasn't a good idea, more that it didn't make sense for a company such as Sun Microsystems, which largely made money selling expensive servers and workstations, to create it.

Sun had no real business inventing and then owning a largely free client-based platform that mostly ran in browser plug-ins. Java was created to hurt Microsoft under an incredibly foolish strategy to accelerate the commoditization of hardware and software. Since hardware commoditized first, Sun went to that great corporate graveyard in the sky, and Oracle took over.

Oracle is now an enterprise-class, revenue- and profit-focused, back-office vendor and Java is still largely an in-browser, free, client platform. It appears the only reason Oracle is keeping it is in the eventual hope it can get a ton of money out of Google for breaching its license—an effort that seems to have become a money hole rather than a money source.

Write Once, Read Everywhere: A 9/11 Cyber Attacker's Dream

One of the best protections against an international catastrophic security breach or systems crash along the lines of the digital 9/11 that the Department of Defense has been warning about is that most critical systems don't talk to each other and the related application platforms are very different.


Java falls short of its write-once, run-anywhere goal, but it came darn close to it. That provides a common platform that a hostile entity can use to gain access to client systems ranging from cellphones to PCs. Java can also be running on the systems used as administrative consoles, suggesting it would be an ideal first target if a hostile entity wanted to do massive damage to a company—or country.

Were Java to stick around, a massive security effort would be needed to ensure that such an attack was identified quickly and mitigated almost instantly once discovered. The chance of an exploit spreading to a global scale is simply too great.

The Java Security Danger Is Real

The security exposure is not only real, it is known to attackers. We realized this last week when the second zero-day Java exploit in less than a year emerged. A security warning hit the TV networks, and even the Department of Homeland Security issued a warning to immediately disable the code on its systems to avoid losing confidential data.

Oracle appeared to act quickly, but emerging advice suggests that Java is too unsafe to continue to use, partly because Oracle's patch appears to be inadequate.
