Time for MS to Throw in the Java Towel?

By Larry Seltzer  |  Posted 2003-04-17

Time for MS to Throw in the Java Towel?

There was a time when Microsofts objectives toward Java were relatively clear. Security was always a priority in the Java VM, but security issues were basically theoretical. In the past few years, though, Microsofts Java VM has stagnated under an agreement with Sun, and the only news we hear about it is when yet another security hole is found.

The latest legal stupidity between the companies has been Suns civil antitrust case against Microsoft, in which Sun was awarded an injunction, immediately stayed by court and under scrutiny by an appeals court, ordering Microsoft to ship Suns Java VM with Windows.

Personally, I find this order to be legally moronic, and I have a hard time believing that it will ever go into effect, but it and the latest flaw in the Microsoft VM got me thinking: Why is Microsoft fighting back on this point? Why not just ship the Sun VM and let it be Suns problem? Microsofts agreement with Sun prohibits the company from even providing security fixes for the Microsoft VM after Jan. 2, 2004, and if forced to ship Suns VM, Microsoft would clearly (and quite reasonably) be under no obligation to support it.

Im sure that Microsoft is concerned to some extent about disrupting the operations of customers who have come to rely on its VM, but the company cant be all that concerned. Its been clear for some time that Microsoft wants to withdraw the VM altogether, and what could be more disruptive than that? Anyone who relies on the Microsoft VM and has not yet made sure that their apps run on the Sun VM deserves whatever they get. Even Microsoft warns users not to keep using its VM.

Javas Insignificant on the

Client, Anyway">

Microsofts plan has to be that (as of next January) it wont be shipping its Java VM or anyone elses. My own guess is that OEMs will arrange with Sun to ship their VM with Windows, although I dont know of any who have done this yet. If OEMs dont ship the Sun VM, Windows users will have to go and download it themselves, assuming they find a need for it. Lately, the only client-side Java I ever find myself running is live baseball-statistics applets like ESPN Gamecast and Yahoo! Sports Gamechannel. The best of that bunch, MLB.coms Gameday, uses Flash.

So few (if any) users will notice if Java is no longer a default feature of Windows. As for server products, downloading and installing the latest VM from java.sun.com is trivial work compared with setting up any serious Java system, like a J2EE server. Its ridiculous to claim that not having the VM bundled imposes a burden on the user.

Most of the vulnerabilities in the Microsoft VM have involved a malicious applet that would have to be on a Web page to which the user would be enticed to visit. Even though such vulnerabilities are labeled "critical" because its possible for them to result in arbitrary code running, I doubt much of this happens in the real world. Even if pages do exist that contain malicious Java applets (and few enough pages exist anymore with any Java applets on them), these are going to be obscure pages to which normal users arent likely to go. Yes, its possible for HTML e-mail to include Java applets, but its been almost three years since Microsoft patched Outlook and Outlook Express not to run such code by default. Anyone running such an old version probably has "HACK ME" tattooed on their forehead.

I can understand why Microsoft doesnt want to make things easier for Sun, especially after their history, but its all so unimportant in the big picture. Java failed on the client (and yes, it is a miserable failure on the client) for reasons completely unrelated to the differences between Microsofts VM and Suns. It failed because Java applets and applications were slow and clunky. Microsofts VM was, in its heyday, the fastest and least clunky, so if anything, it boosted Javas chances. Including Suns VM in Windows isnt going to do anything to change this fate; the market has made up its mind—at least for the foreseeable future—that client-side code in Java is a loser.

Shipping Microsofts VM would, on the other hand, take another security monkey off Microsofts back.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Rocket Fuel