January 2, 2013 4:58 PM
New Year resolution 2013 - ditch Java
We’ve written about Java and its security problems before and certainly the update addresses some of the concerns that have been an issue for years and years. For a start, anyone installing the new version will from now on get a dialogue box warning when the plug-in is out of date and a control panel allowing various types of Java application to be assigned one of four security levels.
But, in truth, very few consumers really need Java; most of the improved security in JDK 7u10 will benefit the real customers of Java, namely business users running applications written to use it.
Perhaps the biggest Cause for Java anxiety is not simply that it is still one of the most targeted types of software on PCs but that Oracle, the company now tending its development, is still seen as tardy.
In the words of nCircle director of security, Andrew Storms:
“The Java 7u10 includes a number of new features designed to bolster security, but when I make a list of software people should uninstall, Java is always near the top. New features notwithstanding, Oracle still has a long way to go to improve security.”
“Oracle has done lousy job addressing Java security throughout 2012 and there’s no reason to expect they will change their approach in 2013. They don’t communicate with their users about zero-day threats and are consistently slow delivering patches,” he added.
Another possibility - raised by Wolfgang Kandek of Qualys in 2012 - would be for Oracle to make whitelisting (i.e restricting which sites it can be used with) easier to access regardless of browser.
Let’s see. More likely, the legacy of poor Java security and the fact that it sits on millions of PCs in a vulnerable state will still be a discussion point for several New Years to come.