Java on XP: Take Your ChancesOracle Extends Lifeline, But Stops Formal Support
Warning for Windows XP users: Future Java updates may no longer be compatible with your operating system, because Oracle has stopped officially offering support for Java running on Windows XP.
See Also: Top 50 Security Threats
But the company signals that at least for the moment, it doesn't plan to disenfranchise XP users. "There are a few compatibility issues with Java 8 on Windows XP, since it is not an officially supported configuration. We are looking at ways to resolve these," Henrik Stahl, vice president of product management at Oracle, says in a press statement. "For now, we will keep Java users on Windows XP secure by updating them to the most recent Java 7 security update on an ongoing basis. Java users on more recent Windows versions can choose between Java 7 and 8, and depending on their choice will be kept up to date with the most recent Java 7 or 8 security update respectively."
That's good news for Java and XP users, after reports surfaced July 3 that the test versions of the next Java 7 and Java 8 browser plug-ins -- 7u65 and 8u11 -- would install on PCs running Windows XP, but fail to execute.
"All of our local sources confirm the same thing -- that it won't work with XP," Morten Kjaersgaard, CEO of information security firm Heimdal Security in Copenhagen, Denmark, tells Information Security Media Group. Of course, that would have serious endpoint security consequences for the hundreds of millions of PCs estimated to still be running the 13-year-old operating system. They would be stuck with an outdated and vulnerable of the plug-in.
Given Oracle's promise to continue making Java 7 work with Windows XP, however, it looks like whatever compatibility problems there may currently be with the beta version of the Java 7 version 65 update, Oracle plans to resolve them before July 15. Officially, however, Oracle's Windows XP and Java FAQ says the company stopped supporting Windows XP on April 8, 2014, when Microsoft dropped support. "Users may still continue to use Java 7 updates on Windows XP at their own risk, but support will only be provided against Microsoft Windows releases Windows Vista or later," Oracle's FAQ says, adding that XP users won't be able to install Java 8.
Despite the promised XP lifeline, Oracle's Stahl urges anyone who's still using the operating system to adopt a newer one. "As you know, Microsoft no longer supports Windows XP and recommend their users to upgrade to more recent versions in order to maintain a stable and secure environment," he says. "Oracle makes the same recommendation to our users running Java on Windows, and also has a standing recommendation that users stay current with the most recent Java security baseline -- currently available for the public for Java 7 and 8."
According to June 2014 statistics from Net Applications, 25 percent of all computers still run Windows XP, placing it behind Windows 7 (51 percent), but ahead of Windows 8 and 8.1 (13 percent), versions of Mac OS X (7 percent), Vista (3 percent) and Linux (2 percent). Heimdal Security, meanwhile, cites statistics showing that 82 percent of those Windows XP users also have some version of Java installed.
Risk of Exploitation
With Microsoft having ceased support for most versions of XP -- unless organizations pay for expensive extended-support contacts -- it's no surprise other vendors are following suit, says Seattle-based Al Hilwa, program director for software development research at IDC. "Given that XP is officially out of standard support and given the Microsoft approach at this point, I think Java and other similar technologies are justified in not formally supporting XP," he says.
Still, Oracle signaling that it plans to continue to create up-to-date versions of Java 7 for XP users -- although for how long remains unclear -- is good news, not least from an information security standpoint. Many malware infections today stem from automated exploit toolkits, which frequently target known vulnerabilities in outdated versions of Java that businesses and consumers have failed to patch. According to Websense, furthermore, many current Java installations are months or years out of date, which gives attackers plenty of vulnerable PCs to exploit and add to botnets.
Expect the list of newly discovered, exploitable Java vulnerabilities to continue piling up, which puts anyone who's not using the latest version of Java 7 or Java 8 at risk. "The general problem that we see is that Java has more security problems than XP: there were more vulnerabilities in Java in 2013 than there are in the entire Windows XP operating system," says Heimdahl's Kjaersgaard. Indeed, 131 vulnerabilities were detected in Java in 2013, compared to 88 vulnerabilities in Windows XP.
While many businesses and consumers continue to cling to Windows XP, the overriding consensus from the information security community is that it's time to practice some tough love. "Microsoft has been accommodating, but they cannot support historic technology forever -- you don't see Ford still making parts for the Model T, for example, even though, for some, that was all they needed," says London-based Andrew Rose, a principal analyst for security and risk at Forrester Research. "Users of Windows XP who are reluctant to move have to be aware that they are now on a downward spiral when it comes to security, and they should not be surprised if the next version of Java doesn't support their outdated systems."
Businesses shouldn't be surprised when Oracle -- officially and unofficially -- finally pulls the plug on XP support. "Get used to it -- next it will be Flash, then Acrobat, then everything else," says Rose. "There is no happy ending here, XP is no longer supported; work through your stages of grief as rapidly as possible and, for the sake of your enterprise, move to a supported platform."
Dan Kaminsky, chief scientist of White Ops, who consulted for Microsoft for six years, helping the company design its post-XP operating systems, likewise argues that it's time to let XP die. "It's so hard to take a system designed for a previous era and patch it up to still be safe. So I understand where Microsoft is coming from, and where Oracle is coming from for them to say, look, my God, it's a different world now -- you asked us to fix this stuff, and we did it," he says. "It took three generations of Windows, but my goodness, they pulled it off."