As Plug-ins Disappear, Browsers Gain Security, Lose Functionality
Oracle's Java plug-in is the latest to fall, as browser developers look to simplify their code bases to improve security.
In late January, Oracle announced that the company would stop supporting its ubiquitous Java plug-in, which would be, in developer terminology, "deprecated" in the next version of the Java software development kit, slated for release in 2017. The announcement comes not as a surprise but as a recognition of a trend among browser developers toward removing the ability of third parties to add code—and potentially security flaws—to their software and users' systems. Attackers have often exploited vulnerabilities in the two most popular plug-ins—Java and Adobe's Flash—building attacks into popular hacking tools known as exploit kits.
"With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options," Oracle stated in its Jan. 27 announcement.
For two decades, browsers have supported the addition of plug-ins through the use of a standard application programming interface, known as the Netscape Plugin API, or NPAPI. The ability to add plug-ins allowed developers to boost the functionality and interactivity of browsers. Video streaming, interactivity and games all started as plug-ins.
Yet, the hazards posed by bugs introduced by developers and the inconsistent updating of plug-ins by developers and end users leave many systems vulnerable to attack. Browser makers took the first steps to exorcise plug-ins from their software in 2013, when Google and then Mozilla started phasing out support.