
The (Security) Problem With Plugins

A blog post from Oracle announced the eventual end-of-life of their Java browser plugin in the Java Development Kit (JDK) 9, in response to the many browser vendors that are now moving away from supporting plugins. The Java plugin will be removed from Oracle JDK and JRE in a future Java Standard Edition (SE) release.

Oracle encourages developers of apps that rely on the Java plugin to consider moving from Java Applets to the plugin-free Java Web Start technology. The company has provided a whitepaper (PDF) for guidance on different migration options.

As Ars Technica reported, Chrome started deprecating browser plugins early last year, and Firefox announced they’d do the same in October. Microsoft’s newest browser, Edge, lacks support for plugins. The company also recently announced the end of support for Internet Explorer versions 10.0 and earlier, which means no more security updates, leaving those users extremely vulnerable.

One of the major reasons that browser vendors have stopped or limited support of plugins may be the ever-growing number of vulnerabilities that continue to plague the Java plugin, in addition to other plugins like Adobe Flash and Microsoft Silverlight.

The Java plugin software is a component of the Java Runtime Environment (JRE). A review of JRE-related vulnerabilities over time in the Common Vulnerabilities and Exposures (CVE) database shows that the number of reported vulnerabilities reached a peak in 2013, at 180 in that year alone. Last year, 80 were reported, a decrease but still a significant number, bringing the total number of Java plugin vulnerabilities to 438.

Java Vulnerabilities Over Time

Just last week, Oracle issued a record number of patches - 248 - with the most critical vulnerabilities affecting Java Standard Edition (SE). The majority of the vulnerabilities allowed an attacker to exploit them remotely without authenticating.

Meanwhile, Adobe Flash hit its peak in 2015, with over 300 vulnerabilities listed in the CVE database. A flurry of researcher activity rose up last summer after the Hacking Team hack that revealed the company was selling Flash zero-day exploits to their clients. Many security research teams are dedicated to finding new Flash vulnerabilities, as exploit acquisition company Zerodium exemplified in offering $100k for Flash Player exploit code.

Adobe announced that they would be dropping the Flash name from their newest update, renaming Flash Professional to Adobe Animate CC, moving to HTML5 to support online advertisements and animations. The company still supports Flash for now, as many games and sites rely on it, but it’s clear both Flash and Java are being phased out.

Of course, despite these industry trends, many users will continue to use outdated browsers and plugins, often without knowing it, and often on personal devices that they also use for work. That means your company network and, subsequently, company data could be at risk of being exposed to a device running vulnerable software. Duo Access gives you insight into your users’ devices and detects outdated plugins, browsers and operating systems so you can notify your users to update, or create your own custom policies to block outdated devices. Learn more about Endpoint Visibility.