JAVA - Why?

Question

JAVA – Why?

Very few users actually need to install JAVA.  There are only a few legitimate needs for it, generally speaking.

So, why does almost everyone install this beast that poses such a security risk?

While not a MSE issue, I would like a discussion on this un-necessary piece of software.  It would help users understand that it IS A SECURITY RISK, it is rarely needed, and should be avoided.

It also carries with it un-needed toolbars (ASK) and anti-virus (McAfee) that are checked by default, and thus add more un-necessary software to the users PC.

I have seen web sites report, incorrectly, that they need JAVA installed.

I have seen some webinars – some require JAVA, some do not.  So, let’s say that only a few video apps require JAVA.

Let the discussion begin, and see if we can reduce those 3 BILLION INSTALLS of JAVA by few, eh?

Selt

Answer 1

I only have one answer for the utilization of JAVA : Minecraft.

Answer 2

My own attitude though has been to remove Java from all of the home systems of friends and relatives I support for several years now, with re-installation of the most current version only if an application is discovered that is truly important to the owner of the PC.

 

Rob

Rob, your's is the best advice.  Remove Java, and do not install Java, unless there is an absolute need.

Selt

Answer 3

Rob, your's is the best advice.  Remove Java, and do not install Java, unless there is an absolute need.

Selt

 

With your response you've noticed the most important point within my own.  This is not only true for Java, but actually for all add-on software that you consider installing on your PC.

The core reason for this is exactly the same as with Java, because every application you install will inherently contain bugs and thus vulnerabilities that can eventually be disovered and then exploited by malware.  The only sure way to keep this to a minimum is to not install the additional applications in the first place.

Many PC owners believe that to get the most value from their systems they must install absolutely every free application they can find, creating a cluttered filing system full of uselesss software, most of which is never used or only very rarely at best.  The actual truth is the exact reverse, since finding the fewest applications that will provide everything you really need will not only make the PC more useful, but also provide the most easily secured and managed (updates, upgrades, etc.) system in the long run.

Since many applications today are web based and only require a browser and possibly some on-the-fly browser add-ins to be installed, most consumers really only need a very few installed applications in addition to Windows itself.  Running a system this way not only provides better and easier maintenance and security, it also costs far less in terms of hardware upgrades, since less disk space is wasted.

Typically though, most operate their computer like their car or their home, filling it with lots of useless 'stuff' that simply clutters it and makes it look like a mess to others, rather than a clean streamlined device that provides the improvements in productivity and personal organization that were the original promise of these systems.

The way this is finally being resolved to some extent is the move to the leaner and smaller specific purpose devices like smartphones and tablets, since these inherently don't have the space or to some extent even the ability to install things like additional browsers and other major applications.  These systems are actually far more appropriate for consumers, since they don't require the same level of technical expertise to either operate or maintain that a general purpose PC does, and are also less expensive to own in most cases as a result.

This is really a better direction for most consumer and light business users, which we're already seeing is obvious to many of them due to the popularity they have had recently.

Though this doesn't resolve the specific Java issue that started this thread, the parallel moves of these devices and even Windows itself towards the richer HTML5 and similar enhanced browser capabilities as well as animation and video standards will likely eventually remove the need for Java for these purposes.  This will leave only the issue of cross-platform application support, which many development groups such as banks are resolving by producing their applications directly for the specific popular operating systems such as Android and the iPhone/iPad rather than Java.

Rob

Answer 4

A more complete way of saying all of these things is that Java is a development environment, similar to the Windows Win32 or more specifically the .NET application development environments that can also be added to Windows.

The problem is that over time, various applications such as the OpenOffice that Kosh mentioned and at one time various website applications like games, which often included simple video animations, were developed using Java.  Since the original developer SUN had tried to increase its acceptance for use in business, they also pushed PC manufacturers like DELL and HP to pre-install it on their systems, likely by paying a small royalty for each installation though I'm not certain of that last part.

What this meant was that an additional development environment that was nearly as complex as Windows itself and so inherently contains many bugs (vulnerabilities) became both common on PC based systems and somewhat regularly used on websites that wanted to provide simple games and occaissionally other applications for more important purposes.

Unfortunately, the rich development environment of Windows iteself also lends itself to similar problems of large numbers of vulnerabilities and in fact to some extent then this adds to and amplifies the potential for vulnerabilities for the combination of the two.  So even if Windows itself doesn't have a specific vulnerability, the combination of the two might result in an otherwise relatively minor bug in Java creating a more dangerous vulnerability when installed on Windows.

Since Java itself is a relatively portable environment, it can be developed to run on most other operating systems, so it often has, especially on those that are much less rich to start with than Windows.  This portability makes cross platform development of software for different hardware somewhat easier, which is obviously an aid for those wanting to run their programs on as many systems as possible and has only increased its popularity.  However, some bad blood in the history between Google and SUN may have lessened its compatibility on the Android platform to some extent.

http://www.zdnet.com/blog/bott/the-real-history-of-java-and-android-as-told-by-google/3924

Though Kosh's points cover some of the possible specific cases to some extent, the true issue is far more complex and still mixed up in the situation that virtually no other development platform will run on almost all of the currently popular hardware platforms out there today, including Apple's. 

Until either Oracle backs off it's push to keep the platform running on most major hardware (not likely) or another method of cross-platform development becomes available on at least most popular hardware, Java is likely to remain the choice of many who develop for different hardware and operating system platforms.

The question of whether many consumer users will continue to need Java, or in fact ever really did in the first place, is far more difficult to answer.  Though it can be answered for a specific user at a point in time, there's no simple absolute rule that can be stated, some of which is brought to light in Kosh's comments above and very much of which isn't.

My own attitude though has been to remove Java from all of the home systems of friends and relatives I support for several years now, with re-installation of the most current version only if an application is discovered that is truly important to the owner of the PC.

Rob

Answer 5

Hi Selt,

The add-ons can be avoided with a bit of care.  Java isn't the only download that uses that trick (so does Adobe and Google and host of others).  That's a separate issue that I belive we should exclude as it distracts from the main point.

I agree if there's no reason to have it that there are quite a few reasons NOT to have it (uninstall it if installed or don't install it unless a legitimate reason comes up).

But there are some situations where it can't be avoided:

1.  In my case, my wife sometimes uses my computer to login to her heavy domain enterprise office system with all sorts of different needs from a variety of servers for different things (Lotus Notes, file sharing servers, DOD-level security (including stuff she can't even let me see)) and they absolutely mandate Java on computers remoting into the system.  It's not a maybe it'll be OK without Java - the connection will simply either be impossible or will crash mid-session when a Java-related thing comes up.  So I have absolutely no choice.  Yes, it's only on her profile on the PC, but it's installed nonetheless.

2.  I'm 99.9999% sure but not positive as I dont use it myself, but I believe that people using the free OpenOffice (rather than MS Office or in addition to some parts of MS Office) need Java.

3.  I'm not into HD Blue-Ray disks or videos (like from the Sony site), but I believe that either the devices or the software to use that functionality - or the ability to view that type of quality through a computer requires Java.  I don't know why and and I don't know if there are ways around it (I don't do that myself), but I've read that there are situations where the full features cannot be utilized or accessed without Java.

4.  Some websites do seem to need Java - but not as many as most people think.  I suppose one could disable Java and visit all their important sites and see if they get errors or get blocked or have problems - then activate Java and see if the problem goes away.  If so, then Java may truly be needed if those sites are truly needed.

5.  Installing Java on one user profile only and switching to it when the need for Java comes up and closing that profile when the need is over might be helpful (though perhaps annoying depending on how often the need arises).  While having it installed at all is partially problematic, if it's installed only for a specific profile that is not opened unless needed that should provide some level of resistance to java-based problems.  It would be better not to need it, but if you do, I'd try to set it up this way.

6.  Browser settings can be set to higher Java security.  Java can be disabled at startup and only enabled if/when needed.  Again, not as good as not being installed, but it may help some if there's no other choice but to have it installed.

7.  If you must have Java, be sure that where it's installed is kept updated with the latest version and older versions are removed.  I use Secunia PSI to help me keep me aware of update status but if you have it in a special profile, then you need to check it periodically to make sure you're current.  I also recommend periodically clearing the Java cache.

Those are just some initial thoughts.  I may add more, but those were the ones that immediately came to mind.  And keep in mind, if you use more than one browser that needs Java, keeping it updated and controlling things just becomes that much more difficult.

I hope this helps.

Kosh