If you haven't heard about the recent travails of Oracle's Java Runtime Environment (JRE), then you've probably had your head in the sand. The JRE -- the client-side version of Java -- has recently experienced a string of security vulnerabilities so severe that the US Department of Homeland Security has advised people to turn it off in their browsers. And even though Oracle eventually got around to issuing a patch, it was largely lambasted as being inadequate to plug all the holes in the JRE.
As I'm sure many of you did, I disabled Java support in my browsers. And an interesting thing happened as a result. Nothing. I've been working for weeks now and I've yet to run into a single Web site that didn't work because I had my Java support turned off. Given that the downside of leaving Java running is allowing hackers to take over my computer, and the downside of keeping it turned off is apparently nothing at all, I'm hard-pressed to come up with a good reason to ever turn Java back on, even when (or if!) Oracle ever releases a patch that truly fixes all the vulnerabilities.
Not so fast. It's taken months for Oracle to pin down the current vulnerabilities in the JRE, and even after they issued a patch, vulnerabilities remained. Who's to say Java Enterprise Edition or Java Micro Edition or any other flavor of Java isn't similarly easy to break and hard to fix? Today, Java has become so bloated and long in the tooth that the recent JRE hullabaloo should be a warning for any Java fan. Try turning off all the Java in your environment and see what happens. The answer just might be nothing at all.