Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Oct 22, 2011

Update Java — or just remove it

Oracle recently released an update to its Java software, fixing more than 20 critical security issues in the software. Krebs has a good post on the update, briefly discussing the vulnerabilities and the fact that Java vulnerabilities are exploited for real.

I have to say that in recent years I've installed Java more due to habit than because of an actual need for the software. So when I got the update bubble in the corner of my screen, I figured "of course". I knew they, among other things, fixed the same-origin-policy bypass used in the BEAST attack (you'll find a straightforward explanation of the Java vulnerability here, and links to resources on BEAST here). So I started the update process, and this was one of the first screens I was presented with.

Oracle is clearly working to improve the image of Java:
Java provides safe and secure access to the world of amazing Java content.
Does it now? And they go on to claim:
Java makes your internet experience come to life.
We'll see about that. Why? Because clicking "Install" took me to the next screen:

This is an unwelcome blast from the past. Not only is this free add-on stuff an extra step that clutters the update process — the direct opposite of what e.g. the browser vendors are working towards these days. This step also changes your default search provider and installs new and unrelated software that probably needs to be updated too. Ten years ago I was used to clicking through two or three screens of "do you want this free and amazing add-on?" during a software installation. Now it feels more like malware.

Being asked to install the Ask browser add-on depleted my patience. I cancelled the update, went to the control panel and removed the Java installation. It'll be interesting to see how it goes over the next couple of weeks, since I now risk that my internet experience won't "come to life".

Even though I don't have Java installed anymore, many people have and many people actually need it installed. To keep these users safe I would urge Oracle to:

  • Keep fixing security vulnerabilities in Java
  • Work towards a smoother update process, like the rest of the big players do
  • Stop polluting browsers with "free add-ons" in the process

It should be hassle free for users to keep your software safe and secure.


  1. No Java, no Internet banking in Norway for you. (Unless you are using BankID on your mobile phone, something only a minority has access to). Please, prove me wrong. :-)

  2. No Java means limited options for Internet banking in Norway, there we agree. And just for the record, my intention is not to start a mass "uninstall Java" movement with this post. :)

    Since many users actually need Java installed, because of e.g. online banking applications, I hope Oracle will put some effort into streamlining the update procedure. A natural first step would be to stop pushing the add-ons! :)

  3. Oracle? Smooth install? You must be kidding..


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
