Javas Insignificant on the
Client, Anyway"> Microsofts plan has to be that (as of next January) it wont be shipping its Java VM or anyone elses. My own guess is that OEMs will arrange with Sun to ship their VM with Windows, although I dont know of any who have done this yet. If OEMs dont ship the Sun VM, Windows users will have to go and download it themselves, assuming they find a need for it. Lately, the only client-side Java I ever find myself running is live baseball-statistics applets like ESPN Gamecast and Yahoo! Sports Gamechannel. The best of that bunch, MLB.coms Gameday, uses Flash. So few (if any) users will notice if Java is no longer a default feature of Windows. As for server products, downloading and installing the latest VM from java.sun.com is trivial work compared with setting up any serious Java system, like a J2EE server. Its ridiculous to claim that not having the VM bundled imposes a burden on the user.I can understand why Microsoft doesnt want to make things easier for Sun, especially after their history, but its all so unimportant in the big picture. Java failed on the client (and yes, it is a miserable failure on the client) for reasons completely unrelated to the differences between Microsofts VM and Suns. It failed because Java applets and applications were slow and clunky. Microsofts VM was, in its heyday, the fastest and least clunky, so if anything, it boosted Javas chances. Including Suns VM in Windows isnt going to do anything to change this fate; the market has made up its mindat least for the foreseeable futurethat client-side code in Java is a loser. Shipping Microsofts VM would, on the other hand, take another security monkey off Microsofts back. Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Most of the vulnerabilities in the Microsoft VM have involved a malicious applet that would have to be on a Web page to which the user would be enticed to visit. Even though such vulnerabilities are labeled "critical" because its possible for them to result in arbitrary code running, I doubt much of this happens in the real world. Even if pages do exist that contain malicious Java applets (and few enough pages exist anymore with any Java applets on them), these are going to be obscure pages to which normal users arent likely to go. Yes, its possible for HTML e-mail to include Java applets, but its been almost three years since Microsoft patched Outlook and Outlook Express not to run such code by default. Anyone running such an old version probably has "HACK ME" tattooed on their forehead.