Oracle has announced that it will deprecate the Java browser plugin as part of the JDK 9 release now expected in 2017. The deprecated technology will be completely removed from the Oracle Java Development Kit (JDK) and Java Runtime Environment (JRE) in a future Java release, but Oracle is yet to indicate which one.
The vendor suggests Java Web Start as one alternative to applets for organisations that still need client-side Java, and has published a whitepaper to help with migration.
The plugin certainly won’t be missed by many end users. As well as the large number of security issues it was responsible for, there was a wide variety of “foistware" included with the installer, a practice started by Sun Microsystems in 2005. At various times, the Google toolbar, Microsoft’s MSN toolbar, McAfee security, the Yahoo toolbar and, most infamously, the Ask toolbar were all bundled with Java.
Ask was particuarly difficult to avoid since users had to remember to opt out of installing it every single time they installed an update, with frequent security problems making these updates common. It proved so unpopular that a petition asking Oracle to unbundle it garnered over 21,000 signatures, including from well known industry figures like Joshua Bloch. Oracle partially addressed these concerns in July 2014 by adding a configuration option that suppresses third-party bundled software.
For their part, browser-makers have become wary of plugins with incident after incident highlighting the most well known ones - Java and Flash - as widely exploited attack vectors. Google started deprecating browser plugins in Chrome last April with Mozilla announcing similar plans in July. Microsoft’s latest Edge browser also lacks plugin support.
Oracle’s move is welcome, but until Adobe announces end-of-life for Flash the problems of plugin security will persist.