Oracle announces Java plugin deprecation, death

With a short post by a member of the Java strategy team, Oracle has announced the approaching death of the hated Java plugin.

“Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release,” they shared their plan.

JDK 9 is currently in beta and available for testing. The final version is set to be released in September 2016.

For years, the Java plugin was a favorite among attackers, because of its widespread use and the fact that it was a hotbed of zero-day vulnerabilities. Exploits were successfully wielded by APT groups and cyber crooks, sometimes as standalone attack code, and sometimes incorporated in for-sale exploit kits.

But maybe Oracle wouldn’t have yet given up on the plugin were it not for the fact that browser vendors stopped supporting plugins or announced that they will do that soon.

“By late 2015, many browser vendors have either removed or announced timelines for the removal of standards based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin based technologies,” Oracle noted.

“With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology.”

For those who have yet to move away from Java (corporations, mostly), the company has helpfully compiled a whitepaper detailing migration options.