Last Friday, I posted a note here about an article and informal survey at Ars Technica on whether keeping Java on the desktop was a significant security risk and, if so, whether the risk was worth running. Ars has posted a follow-up article summarizing the results of their survey. The results are interesting, although likely to disappoint anyone expecting a clear-cut, black-and-white answer.
There seems to be a consensus of sorts that the riskiest part of the Java system is the browser plug-in. Those respondents who had security concerns often focused on mitigating that aspect of the risk:
Some users have disabled or uninstalled Java entirely. But the most common solution for those worried about security risks is to leave the Java Runtime Environment in place on the desktop while disabling the browser plugins that allow Java applets to run on websites. Those plugins are often vulnerable to attacks involving remote code execution.
This approach, which I mentioned in an earlier post on getting rid of Java, probably removes the most serious threat (remote code execution through a malicious applet on a Web page) while leaving the Java Runtime Environment available to support features of packages like the open-source office suite LibreOffice (the successor to OpenOffice.org). LibreOffice can still be installed without Java, but some of its features will not be available.
Not surprisingly, the responses also indicated that Java still enjoys substantial popularity among developers; one respondent wrote:
I use Java heavily at work because it has the killer combination of: being good enough as a programming language; being cross-platform; having a great set of libraries; running fast.
Java is also used extensively in enterprise environments.
Java has lots of real-world use cases, enough that uninstalling or disabling the platform isn’t realistic for many users. Numerous people report keeping Java enabled in browsers because of banking, government, work, and school-related websites.
For both developers and enterprise users, a common theme is that Java, while not perfect for any particular application, is a practical choice for many. That it is available and gives decent performance across a variety of platforms is an obvious selling point. Beyond that, it is a reasonably structured language, and much better suited to sizable projects than a scripting language like Perl.
For the average individual user, I’d recommend the following approach:
- Go through the software and Web sites you use regularly, and check which of them, if any, require Java.
- If none does, then removing Java reduces your risk at minimal cost. (You can always re-install it if your situation changes, of course.)
- If you have application software that requires Java, like LibreOffice or Minecraft, leave the Java Runtime Environment installed but remove or disable the browser plugin. Desktop applications use the JRE directly and do not need the plugin.
- If you regularly use Web sites that require Java, you can leave the plugin enabled, or keep it disabled and re-enable it only when you need a Java-dependent site, depending on how often that occurs. Bear in mind that while the plugin is enabled, any site you visit can invoke it, not just the one you need, so the second option is the safer one.
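As an added illustration of the "keep the JRE, drop the plugin" step (this is example code written for this post, not something from the Ars article or from Oracle), the shell functions below audit the directories where Firefox and other Mozilla browsers on Linux look for NPAPI plugins, report any Java plugin they find, and disable it by renaming the file rather than deleting it, so the JRE itself is untouched and the plugin can be restored later. The directory list and the plugin file names (libnpjp2.so for Oracle's JRE 6/7, libjavaplugin.so and libjavaplugin_oji.so for older plugins) are assumptions about a typical install and may need adjusting for your distribution; pass your own directories as arguments to override the defaults.

```shell
# Added example, not from the original post. Audits the usual Mozilla plugin
# directories for the Java NPAPI plugin and disables/restores it by renaming.
# The directory list and file names below are assumptions about a typical
# Linux install of Firefox plus Oracle JRE 6/7.

JAVA_PLUGIN_NAMES="libnpjp2.so libjavaplugin.so libjavaplugin_oji.so"

# Default places Mozilla browsers look for NPAPI plugins (assumed).
default_plugin_dirs() {
    printf '%s\n' "$HOME/.mozilla/plugins" \
        /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins
}

# find_java_plugins DIR... : print the path of every Java plugin file or
# symlink found in the given directories (dangling symlinks included).
find_java_plugins() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $JAVA_PLUGIN_NAMES; do
            p="$dir/$name"
            if [ -e "$p" ] || [ -L "$p" ]; then
                printf '%s\n' "$p"
            fi
        done
    done
}

# disable_java_plugins DIR... : rename each Java plugin to NAME.disabled so the
# browser no longer loads it; prints how many files were disabled.
disable_java_plugins() {
    count=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $JAVA_PLUGIN_NAMES; do
            p="$dir/$name"
            if [ -e "$p" ] || [ -L "$p" ]; then
                mv -- "$p" "$p.disabled" && count=$((count + 1))
            fi
        done
    done
    echo "$count"
}

# restore_java_plugins DIR... : undo disable_java_plugins; prints count restored.
restore_java_plugins() {
    count=0
    for dir in "$@"; do
        for name in $JAVA_PLUGIN_NAMES; do
            d="$dir/$name.disabled"
            if [ -e "$d" ] || [ -L "$d" ]; then
                mv -- "$d" "${d%.disabled}" && count=$((count + 1))
            fi
        done
    done
    echo "$count"
}

# Typical use, run as the user whose browser profile you want to protect:
#   find_java_plugins $(default_plugin_dirs)      # see what is loaded
#   disable_java_plugins $(default_plugin_dirs)   # turn it off (system dirs need root)
#   restore_java_plugins $(default_plugin_dirs)   # turn it back on when needed
```

Renaming rather than deleting keeps the re-enable step cheap, which matters for the last bullet above: the cost of turning the plugin back on for an occasional Java-dependent site should be low enough that leaving it disabled is the default. Restart the browser after either change, since running instances keep the plugin loaded.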
As always in security, there are trade-offs, but I hope that making this sort of information available will help people in making choices.