John and Amy sit down with their morning coffee and start browsing the news. Unfortunately, they both get served an advertisement with a malicious applet inside. John’s computer is passively infected with a virus which spreads inside his company’s network, but Amy’s computer is unaffected and her company is safe. What’s the difference between John and Amy? John is using IE11, as mandated by his company’s IT department, with NPAPI enabled, which allows the malicious applet access to his computer. Amy is using MS Edge, which doesn’t allow the applet access. It’s safe to say that any business would rather have Amy than John in this situation.
Why are we talking about John and Amy? It’s because a plugin-free web is coming and organizations may not understand what this means for their IT security. Oracle has announced that they will deprecate the NPAPI (Netscape Plugin API, which allows Java applets to run in a browser context) with the release of Java 9, and many browser vendors have removed support for standards-based plugins entirely. The situation with John and Amy is a real and growing risk for organizations, and these announcements are important because they may require organizations to update their systems in order to eliminate security risks.
The current landscape may lull some organizations into a false sense of security. Internet Explorer through version 11 and Firefox versions 53 and lower still support Java applets, so businesses that rely on applets for document viewing and annotations may feel like change is still years away. The risk in this philosophy does not lie with the applets or browsers themselves, but with the NPAPI that allows the applets to run in the browser.
Currently, applets represent a security risk due to the fact that, if there is a vulnerability in an applet, the attack surface for malicious code is large because any web page can access the applet when it is running. This risk is exacerbated by the deprecation of the NPAPI because deprecation eliminates the possibility of remediating any future vulnerability in applet-based functionality. Simply put, if someone wants to rob you and they find the door to your house open, you cannot shut the door, and the robber can walk in with all of his friends.
Your business can eliminate this security risk by moving to other technologies in lieu of applets before the release of Java 9 (which looks like late July 2017). In the content management world, a specific example is that many organizations are moving to an HTML5 document viewer instead of the traditional Java applet viewer for image viewing and annotations. The two options have similar functionality, but an HTML5 viewer eliminates the security risk now presented by the Java applet viewer.
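Before an organization can replace applets with HTML5 alternatives, it has to know which of its own pages still embed them. The following scanner is an added example (not code from the original post or from any product it mentions): it walks the HTML of an intranet or content-management page and reports every `<applet>`, `<object>` and `<embed>` element that would load a Java applet through the browser plugin. The Java MIME type prefixes and the Java Plug-in ActiveX classid it matches are assumptions taken from common applet embedding practice, and the sample page is constructed for illustration.

```python
from html.parser import HTMLParser

# MIME types and the ActiveX classid that browsers hand to the Java Plug-in.
# These values are assumed from common applet embedding practice, not from the post.
JAVA_MIME_PREFIXES = ("application/x-java-applet", "application/x-java-bean")
JAVA_PLUGIN_CLASSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"


class AppletFinder(HTMLParser):
    """Collects every element that would load a Java applet via NPAPI/ActiveX."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (line_number, tag, detail)

    def handle_starttag(self, tag, attrs):
        # Attributes without a value arrive as None; normalise to lowercase keys.
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        line = self.getpos()[0]
        if tag == "applet":
            # The legacy <applet> tag always means a Java applet.
            self.findings.append((line, "applet", a.get("code") or a.get("archive") or "?"))
        elif tag == "object":
            mime = a.get("type", "").lower()
            classid = a.get("classid", "").lower()
            if mime.startswith(JAVA_MIME_PREFIXES) or classid == JAVA_PLUGIN_CLASSID:
                self.findings.append((line, "object", a.get("type") or a.get("classid")))
        elif tag == "embed":
            # NPAPI-style embedding, e.g. type="application/x-java-applet;version=1.6"
            if a.get("type", "").lower().startswith(JAVA_MIME_PREFIXES):
                self.findings.append((line, "embed", a.get("code") or a.get("archive") or a["type"]))


def find_applets(html):
    """Return [(line, tag, detail), ...] for every applet-loading element in html."""
    parser = AppletFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: a Java applet viewer, an ActiveX-style annotation
# applet, an NPAPI embed, plus a Flash object and an image that must not match.
SAMPLE_PAGE = """<html><body>
<h1>Document viewer</h1>
<applet code="com.example.Viewer.class" archive="viewer.jar" width="800" height="600"></applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
  <param name="code" value="com.example.Annotate.class">
</object>
<embed type="application/x-java-applet;version=1.6" code="com.example.Stamp.class" />
<object type="application/x-shockwave-flash" data="banner.swf"></object>
<img src="logo.png">
</body></html>"""


if __name__ == "__main__":
    for line, tag, detail in find_applets(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads Java applet ({detail})")
```

Run the script over each page exported from the content repository (or feed it the response bodies from a crawl of the intranet) and the resulting list is the migration backlog: every hit is a page that will stop working, or keep running an unpatchable applet, once the plugin is gone. The scanner deliberately ignores JavaScript that injects applets at runtime, so pages with dynamic embedding still need a manual review.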