HOME

Friday, March 8, 2013

How I ditched the security risks and lived without Java, Reader, and Flash


Adobe Flash, Adobe Reader, and Oracle's Java. All three are virtually ubiquitous on modern-day PCs, and all three provide handy-dandy functionality—functionality that, in the case of Flash and Java, can't be directly reproduced by a third-party solution. If we lived in a vacuum, it would be hard to argue that the trio doesn't deserve its spot on computers around the globe.
We don't live in a vacuum, though.
Here in the real world, widespread adoption of the software makes all three irresistible targets for hackers and malware peddlers. The attacks reached a fever pitch in the early months of 2013, with a flood of reports about Flash, Reader, and Java exploits. Three different articles about Java exploits hit PCWorld's homepage this past Monday and Tuesday alone, and Adobe issued three critical Flash updates in February.
But don't yank out that ethernet cable or wrap your desk in a Faraday cage just yet. You don't have to use Java, Flash, and Reader just because everyone else does. I spent more than a week without Reader, Java, Flash, and their respective browser plug-ins to see if it's possible to live without the software and not suffer massive migraines.
My results were mixed, but incredibly illuminating.

Living without Adobe Reader



Let's get the low-hanging fruit out of the way first. Ditching Adobe Reader is almost shockingly easy. While the software may be synonymous with PDFs, it's far from being the only PDF reader on the block. In fact, just last month I outlined three safer, speedier Reader alternatives after Adobe's software suffered from yet another zero-day exploit that hackers were actively using.
The alternatives PDF readers outlined in that article—Sumatra PDFFoxit Reader, andNitro PDF Reader—not only receive much less malicious attention than Adobe's program, they also perform like greased lightning in comparison.
I've personally settled on Sumatra PDF for my digital document needs. It may not have many bells or whistles, but geez it's fast, and my PDF reading needs are fairly simple. Nitro PDF is great if you need more features, while Foxit Reader's blend of speed and extras falls somewhere between the other two. All three work like a charm.

Living without Java

Java's a bit trickier to abandon. Granted, very few websites use Oracle's software platform on the client side—just 0.2 percent of all sites online, according to W3Techs. Desktop programs that require Java are similarly scarce. As a result, there's a strong chance you don't even need Java on your computer. In fact, when I started this headache-free experiment, I was surprised to discover that it wasn't even installed on my primary work PC, which I built in November.
Here's the rub, though: The websites and programs that do use Java tend to be very high-profile ones, and they're often mission-critical.
As it turns out, many banking and governmental websites rely on Java. If a website you frequent needs Java, then you have to have Java on your PC—it's as simple as that. Likewise, some pretty popular desktop applications are built atop Oracle's software platform, including the OpenOffice productivity suite, Adobe's Creative Suite 6, and the time-suck that is Minecraft.

Minecraft is awesome, but its reliance on Java is not.

So most people don't need Java. But if you do, then you really need it. My recommendation? Uninstall it from your computer. No, seriously, go do it now. If you need Java for a particular website or program, that application will bark at you next time you try to use it—at which point you can quickly reinstall Java.
For many people, that bark will never come. And if it comes months down the line when you're visiting a rarely used site, you'll know you can uninstall Java once again when you're done with that particular task. The headache of reinstalling and uninstalling Java once per year is nothing compared to the headache of installing those constant critical patches—or, worse, leaving your computer vulnerable to attack.
Alternatively, if a site you visit on a regular basis requires Java, consider downloading another Web browser (such as Firefox or Chrome), installing the Java plugin for that browser, and then using it only when visiting your beloved destination. That way your primary browser will be Java-free, eliminating the possibility of stumbling across a malicious Java exploit during your day-to-day browsing.

Living without Flash

Even if you can live without Java, trying to banish Flash from your PC may be next to impossible. The headaches begin when you realize that both Google Chrome and Microsoft's Internet Explorer 10 ship with Flash weaved into their very fabric. You simply can't excise Adobe's multimedia player from either of those browsers.
But let's assume you decide to roll with Firefox, or another alternative browser that isn't shackled to Adobe. Is it possible to live a Flash-free existence? It's hard.

No Flash? NO HULU FOR YOU!

Flash has been around so long, it's become a de facto Web standard in function, if not in definition. A ton of websites break without Flash. Hulu won't work without Flash. Neither will Amazon Instant Video. (Netflix runs on Microsoft's Silverlight, so it will.) Farmville or other Flash games? Fuggedaboutit, if their name didn't clue you in already. Rdio's browser interface? All Flash, all the time. Even once you expand your vision beyond traditional media interests, you'll find that many websites implement Flash in one way or another.
Flash, baby, I just can't quit you. But you, dear reader, might be able to if you aren't as heavily invested in online media as I am—just be prepared for some websites to look wonky or break entirely.
So what's the best option for the security conscious individual who just can't bear to cut Flash out completely? You'll want to stick to a browser other than Chrome or IE 10 as your primary Flash-less surfing tool, and then use Chrome, IE 10, or another browser with the Flash plug-in installed when you stumble across a Flash-centric website. (Bonus points if you install Java's plug-in on your secondary browser; see above.) This strategy will minimize your possible exposure to dirty Flash exploits.

chrome
Chrome keeps Flash updated.

The prospect of abandoning Flash is becoming more viable by the day, though. Adobe recently discontinued Flash on Android, and Apple has never allowed the multimedia software on its iOS devices. And as mobile technology consumes the world, websites are turning away from Flash to embrace HTML5 in droves; W3Techs reports that the number of Flash-bearing sites has plunged in the past year, from just over 25 percent in March 2012 to 20.2 percent in March 2013.
Pandora, YouTube, Revision3, Vimeo, and Scribd have all either introduced HTML5 options or dumped Flash for HTML5 entirely over the past couple of years. With any luck, Flash's final days are just over the horizon.

Trumped, yet hopeful

At the end of my grand experiment, it's apparent that, while leaving Adobe Reader for greener (or at least less-targeted) pastures is relatively easy, you might not be able to quit Java or Flash cold turkey. But even so, you can take precautions to keep your security risks to a minimum. Just slap the Flash and Java plug-ins on a secondary browser and forget they're there unless you absolutely need them.
Source

No comments: