Why is the Java plugin (JRE) disabled in Chrome?

40

4

Why is the Java plugin (JRE) disabled in Chrome? Is it some security concern?

From official Java website:

Chrome no longer supports NPAPI (technology required for Java applets). The Java plug-in for web browsers relies on the cross platform plugin architecture NPAPI, which has been supported by all major web browsers for over a decade. Google's Chrome version 45 (scheduled for release in September 2015) drops support for NPAPI, impacting plugins for Silverlight, Java, Facebook Video and other similar NPAPI based plugins.

But does anyone know why? How could it be dangerous for a Chrome user with the latest version of the Java JRE installed?

Michał Kuliński

Posted 2016-06-13T08:42:02.080

Reputation: 483

8

You have answered your question: because the Java plugin uses NPAPI and Chrome no longer supports it. – gronostaj – 2016-06-13T14:12:12.917

7

Though the official reason sounds good, my personal suspicion is that the fallout between Google and Oracle over Android had much more to do with it than anyone wants to admit. – Devsman – 2016-06-13T14:24:55.873

2

Why is Java disabled? In the first place, "why are Flash and Java enabled?" Unless I really trust a site I even disable JavaScript (well, in reality I have a desktop shortcut for the browser without JavaScript). – CoffeDeveloper – 2016-06-13T17:12:21.170

They don't want to. – Thorbjørn Ravn Andersen – 2016-06-14T08:16:27.380

1

When posting quotes, please include a link to the source in the future. – None – 2016-06-13T08:55:48.373

Because it's a really good idea given past security holes. Flash RIP in any form as well. – Fiasco Labs – 2016-06-13T15:16:26.923

@Devsman Really doubt it, as the push against plugins was started by Apple against Adobe. – David Mulder – 2016-06-14T13:57:46.967

1

@Devsman If it was just Java, your argument might be plausible, but Google is going after all plugins (and so is Mozilla). Silverlight, Acrobat Reader, Shockwave, Unity, QuickTime, RealPlayer, etc. have all been hit by the same ban hammer. They were all widely installed and at least occasionally used by large numbers of people over the years. All provided things that couldn't be done in the browser directly 5-20 years ago, but which are either doable by browser intrinsics or HTML5 directly these days... – Dan is Fiddling by Firelight – 2016-06-14T14:25:55.563

Flash is the only exception at present due to its ubiquity, but even it is being squeezed hard, with Google having recently announced the use of more intrusive click-to-play settings to increase the pressure on site maintainers to replace their Flash. To mitigate the risks involved from it, Google is using a custom build of Flash which lets them control patching it (Adobe's updater only checks when your computer is booted) and using a custom API that they can lock down much more tightly than NPAPI. Eventually they'll pull the plug on it as well, although no potential date has been made public. – Dan is Fiddling by Firelight – 2016-06-14T14:26:41.197

Personally, I think it's mostly about security, but also unified experience across different platforms. Android, iOS, PlayStation 4, smart TVs, etc. don't support plugins at all. Websites should rely on standardized APIs (HTML5) that work everywhere. – gronostaj – 2016-06-14T18:02:58.137

By the way, if you want to do something similar to applets, use JNLP to launch an app from an HTML link. – Zan Lynx – 2016-06-14T19:28:05.763

Answers

59

Why is Java disabled in Chrome? Is it some security concern?

The reasons prompting the disabling of NPAPI, and therefore Java, include the following according to the Chromium Blog:

  • Increased security
  • Increased speed
  • Increased stability
  • Reduction in code complexity
  • Reduction in crashes
  • Reduction in hangs
  • Lack of support for mobile devices

Note:

  • Firefox is also dropping support for NPAPI - See NPAPI Plugins in Firefox:

    Plugins are a source of performance problems, crashes, and security incidents for Web users.

    Mozilla intends to remove support for most NPAPI plugins in Firefox by the end of 2016.


How could it be dangerous for Chrome users with the latest version of the Java JRE installed?

Short answer: Zero Day Exploits.

Another source for vulnerabilities is the fact that Java hasn’t released an automatic updater that doesn’t require user intervention and administrative rights. For example, Google Chrome and Flash Player have. This feature allows users to get automatic updates without being prompted to take action, making updates easier.

For lack of an automatic updates system, many users ignore Java updates and even fear installing them, because of malware that used Java updates as an infection vector in the past or similar experiences.

Just know that all these vulnerabilities are what cyber criminals thrive on.

...

Data extracted from our own database confirms that Java is the second biggest security vulnerability that requires constant patching, after Adobe’s Flash plugin.

In 2015 alone, we’ve already deployed 105925 patches for Java Runtime Environment for our clients.


Read the rest of the article for a detailed explanation and commentary.

Source: Why are Java’s Vulnerabilities One of the Biggest Security Holes on Your Computer?


The Final Countdown for NPAPI

Last September we announced our plan to remove NPAPI support from Chrome, a change that will improve Chrome’s security, speed, and stability as well as reduce complexity in the code base.

Source: The Final Countdown for NPAPI


Saying Goodbye to Our Old Friend NPAPI

NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year. We feel the web is ready for this transition. NPAPI isn’t supported on mobile devices, and Mozilla plans to make all plug-ins except the current version of Flash click-to-play by default.

Source: Saying Goodbye to Our Old Friend NPAPI

DavidPostill

Posted 2016-06-13T08:42:02.080

Reputation: 118 938

47

The Java installer itself is a vector for crapware as well. The daily Java security update requires you to comb through every page of the installer to make sure Oracle hasn't bundled in some new McAfee craplet. – None – 2016-06-13T16:57:26.240

2

@JS. Maybe I'm missing something, but personally I've never seen the Java installer offer to install anything else besides Java. Real reason why Google disables Java? Google doesn't want developers to write software for anything else than what they have control over. – Malcolm – 2016-06-13T19:00:48.560

14

@Malcom: take another look. java.com tells you how to disable sponsor offers; therefore, they are including sponsor offers that people wish to disable. https://www.java.com/en/download/faq/disable_offers.xml

– Ross Presser – 2016-06-13T19:08:31.697

3

@RossPresser if you download from Oracle you don't get the sponsor offers. – DavidPostill – 2016-06-13T20:05:18.287

7

@Malcolm from 2011-2015 the official Java installer from Oracle included this: https://www.java.com/ga/images/en/ask_offer.jpg

– hobbs – 2016-06-14T07:27:48.737

Right, I was always downloading from Oracle, apparently that's why I never saw it. – Malcolm – 2016-06-14T07:48:24.377

2

@Malcolm : No, the worst thing is that that crapware came "recommended" by Oracle, when downloading from the official site. http://www.zdnet.com/article/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates/

– leonbloy – 2016-06-14T13:18:58.683

I use Java all the time, but have never used the Java Browser Plugin. Those are two very different terms. – predi – 2016-06-14T13:52:46.613

@predi The question and answer both refer to running Java in a Browser, which uses the JRE (Java Runtime Environment) via a plugin. The JRE can also be installed as part of the Java Development Kit (JDK). It is still Java. – DavidPostill – 2016-06-14T14:35:08.327

1

@leonbloy java.oracle.com is an official site also; you should clarify that you mean java.com. When you install the JRE, the plugin gets installed as well. – Malcolm – 2016-06-14T15:00:12.687

@DavidPostill, I kindly disagree. People are wrongfully attributing Java for the damage caused by the dreadful Java Browser Plugin. Ever used websites such as ebay, linkedin, amazon and aliexpress? You were indirectly using server-side Java in your browser... Like I said, I've never used the Java Browser Plugin, yet I use Java all the time. They are two different terms. – predi – 2016-06-15T06:27:17.513

1

@predi I'm not disagreeing with you. However, this question and answer is about the plugin specifically. – DavidPostill – 2016-06-15T07:25:10.250

4

As explained by Google, the Netscape Plug-in API (NPAPI) was needed in the early days of web browsers to extend their features. Unfortunately, it provided access to the underlying machine. Thus, if the plugin contained a vulnerability and an attacker exploited it, the attacker bypassed the sandboxing of the browser and had access to the machine.

Such attack vectors have been heavily used in the past to infect machines, leading to the advice that you should disable Java in your browser. Many features provided by Java plugins are now included in the browser itself (e.g. HTML5) with better performance and security, or provided by extensions running in a sandbox (e.g. NaCl). That's why the decision to no longer support Java plugins has been made: high risk, but no real need for it.

Ronny

Posted 2016-06-13T08:42:02.080

Reputation: 141

2

For a long time there has been a move away from Java, along with other plugins like Flash or Silverlight, on the web. One of the goals with HTML5 was to create a framework where plugins are not needed (hence tags like <audio> and <video>). By now the only reason to support Java is for compatibility with legacy systems that should probably have been retired by now anyway.

So why are plugins like Java a security threat? Because history has proven that there will always be a steady stream of security holes allowing for a multitude of exploits. It is just inherently harder to secure a VM running Java bytecode than it is to sandbox an interpreted script language like JavaScript. Just have a look at these statistics.

As you say, it is a good practice to keep your plugins updated. But that is not enough. First, a lot of people don't. It was recently revealed that even the Swedish equivalent of NSA was running outdated Java plugins with known security vulnerabilities. If they can't get it right, do you expect the average home user to do so? Second, there is no way you can protect yourself from zero days. No matter how fast Oracle produce patches, you will be at risk.

Even Oracle have acknowledged that the era of Java applets is over. From Ars Technica (Jan 2016):

The much-maligned Java browser plugin, source of so many security flaws over the years, is to be killed off by Oracle. It will not be mourned.

Oracle, which acquired Java as part of its 2010 purchase of Sun Microsystems, has announced that the plugin will be deprecated in the next release of Java, version 9, which is currently available as an early access beta. A future release will remove it entirely.

Anders

Posted 2016-06-13T08:42:02.080

Reputation:
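The answers above make two practical points for defenders: the JRE had no silent auto-updater, and even well-resourced organisations were found running outdated Java plugins. An inventory check is the usual countermeasure. The following is an added example, not code from the thread or from Oracle: it parses both of Java's version-string schemes (legacy `1.8.0_91-b14` and the post-Java-9 `9.0.4` / `11.0.2+9` form) and flags hosts below a per-release baseline. The host records are constructed sample data and the baseline strings are placeholders, not real patch levels.

```python
"""Flag hosts whose installed JRE is below a patch baseline (added example)."""
import re

# Legacy scheme: 1.<feature>.0_<update>[-bNN]; modern scheme: <feature>.<interim>.<update>[+build]
_LEGACY = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?(?:-b\d+)?$")
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\+\d+)?$")


def parse_java_version(s):
    """Normalise either scheme to a (feature, interim, update) tuple so versions compare as tuples."""
    s = s.strip().strip('"')
    m = _LEGACY.match(s)
    if m:                      # "1.8.0_91-b14" -> (8, 0, 91)
        return (int(m.group(1)), 0, int(m.group(2) or 0))
    m = _MODERN.match(s)
    if m:                      # "11.0.2+9" -> (11, 0, 2)
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    raise ValueError(f"unrecognised Java version string: {s!r}")


def is_outdated(installed, baseline):
    """True when installed is the same feature release as baseline but an older update."""
    inst, base = parse_java_version(installed), parse_java_version(baseline)
    return inst[0] == base[0] and inst < base


def audit(inventory, baselines):
    """inventory: [(host, version_string)]; baselines: {feature_release: minimum version}."""
    findings = []
    for host, ver in inventory:
        feature = parse_java_version(ver)[0]
        base = baselines.get(feature)
        if base is None:       # an unsupported release line is itself a finding
            findings.append((host, ver, "no baseline for this feature release"))
        elif is_outdated(ver, base):
            findings.append((host, ver, f"below baseline {base}"))
    return findings


# Constructed sample inventory; baseline values are placeholders, not real patch levels.
SAMPLE_INVENTORY = [("ws-01", "1.8.0_91-b14"), ("ws-02", "1.8.0_101"),
                    ("ws-03", "9.0.4"), ("ws-04", "1.7.0_80")]
SAMPLE_BASELINES = {8: "1.8.0_101", 9: "9.0.4"}

if __name__ == "__main__":
    for host, ver, why in audit(SAMPLE_INVENTORY, SAMPLE_BASELINES):
        print(f"{host}: {ver} ({why})")
```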