The Java browser plugin is infamous for its security problems. It is a common entry point for trojans and other attacks on Windows computers and Macs alike, and security experts frequently recommend disabling it entirely. Even the US Department of Homeland Security told people to turn the plugin off to protect their data.
Oracle has always patched problems, but never quickly enough to satisfy security experts. So browsers started to force the issue, by removing the plugin capability from their products entirely.
Oracle’s announcement comes after Mozilla’s Firefox, Google’s Chrome, and Microsoft’s new Edge browser all indicated the end of support for browser plugins that use the ancient Netscape Plugin Application Programming Interface (NPAPI). This means that, even if Oracle kept updating their browser plugin, only Apple’s Safari and Microsoft’s legacy Internet Explorer browsers would support it.
Responding to this, Oracle announced the end of the plugin in a blog post.
“With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options,” the post said, adding that the company “plans to deprecate the Java browser plugin in JDK 9” later this year.
With or without support, it’s likely that the Java browser plugin will live on in corporate environments. Many custom-built applications used by businesses and government still depend on the plugin to function, and can’t be easily replaced. Oracle’s announcement means people at those companies will need to keep the plugin around, without the security of software patches.
At the same time, knowing that the security patches will stop working a year from now — and that major browsers will also stop working with legacy versions of the plugin — might be just enough motivation to finally replace the software.
