F-Secure on Java

F-Secure generated a lot of traffic in the blogosphere with their post declaring Java harmful and best left uninstalled. To me the only surprising part is the discussion this generated. Isn't this old news? The principle of least privilege says to remove it if you don't need it. So when you're regularly updating an application for security fixes, it may be time to consider alternatives.

F-Secure links Larry Seltzer's month without Java from 2010. Brian Krebs posted a blog article around the same time recommending Java be removed. I couldn't find an earlier article, but I thought Krebs had been banging this drum for much longer.

Removing software you don't need certainly lowers the attack surface. At work, I'd caution that you're likely to find groups of users relying on Java for internal applications. If you don't put Java on your system image, they are going to install the ancient version of Java supplied by their application developer. I found a couple of users with Java 1.6.0 update zero. When I removed that and installed the latest Java 1.6, the application still worked fine. If you're actively patching your environment, having Java installed may not be that bad.

The articles linked mention alternatives such as only allowing Java to run on specific sites. Sometimes I install Java only for use in my non-day-to-day browser. I'm not sure either solution scales into the enterprise, where you have to account for all sorts of computer literacy.