How I ditched the security risks and lived without Java, Reader, and Flash

Java, Reader, and Flash are irresistible targets for hacking exploits. So what's it like living without the oh-so-vulnerable trio?

Adobe Flash, Adobe Reader, and Oracle's Java. All three are virtually ubiquitous on modern-day PCs, and all three provide handy-dandy functionality--functionality that, in the case of Flash and Java, can't be directly reproduced by a third-party solution. If we lived in a vacuum, it would be hard to argue that the trio doesn't deserve its spot on computers around the globe.

We don't live in a vacuum, though.

Here in the real world, widespread adoption of the software makes all three irresistible targets for hackers and malware peddlers. The attacks reached a fever pitch in the early months of 2013, with a flood of reports about Flash, Reader, and Java exploits. Three different articles about Java exploits hit PCWorld's homepage this past Monday and Tuesday alone, and Adobe issued three critical Flash updates in February.

But don't yank out that ethernet cable or wrap your desk in a Faraday cage just yet. You don't have to use Java, Flash, and Reader just because everyone else does. I spent more than a week without Reader, Java, Flash, and their respective browser plug-ins to see if it's possible to live without the software and not suffer massive migraines.

My results were mixed, but incredibly illuminating.

Living without Adobe Reader

Let's get the low-hanging fruit out of the way first. Ditching Adobe Reader is almost shockingly easy. While the software may be synonymous with PDFs, it's far from being the only PDF reader on the block. In fact, just last month I outlined three safer, speedier Reader alternatives after Adobe's software suffered from yet another zero-day exploit that hackers were actively using.

The alternative PDF readers outlined in that article--Sumatra PDF, Foxit Reader, and Nitro PDF Reader--not only receive much less malicious attention than Adobe's program, they also perform like greased lightning in comparison.

I've personally settled on Sumatra PDF for my digital document needs. It may not have many bells or whistles, but geez it's fast, and my PDF reading needs are fairly simple. Nitro PDF is great if you need more features, while Foxit Reader's blend of speed and extras falls somewhere between the other two. All three work like a charm.

Living without Java

Java's a bit trickier to abandon. Granted, very few websites use Oracle's software platform on the client side--just 0.2 percent of all sites online, according to W3Techs. Desktop programs that require Java are similarly scarce. As a result, there's a strong chance you don't even need Java on your computer. In fact, when I started this headache-free experiment, I was surprised to discover that it wasn't even installed on my primary work PC, which I built in November.

Here's the rub, though: The websites and programs that do use Java tend to be very high-profile ones, and they're often mission-critical.

As it turns out, many banking and governmental websites rely on Java. If a website you frequent needs Java, then you have to have Java on your PC--it's as simple as that. Likewise, some pretty popular desktop applications are built atop Oracle's software platform, including the OpenOffice productivity suite, Adobe's Creative Suite 6, and the time-suck that is Minecraft.

So most people don't need Java. But if you do, then you really need it. My recommendation? Uninstall it from your computer. No, seriously, go do it now. If you need Java for a particular website or program, that application will bark at you next time you try to use it--at which point you can quickly reinstall Java.

For many people, that bark will never come. And if it comes months down the line when you're visiting a rarely used site, you'll know you can uninstall Java once again when you're done with that particular task. The headache of reinstalling and uninstalling Java once per year is nothing compared to the headache of installing those constant critical patches--or, worse, leaving your computer vulnerable to attack.

Alternatively, if a site you visit on a regular basis requires Java, consider downloading another Web browser (such as Firefox or Chrome), installing the Java plugin for that browser, and then using it only when visiting your beloved destination. That way your primary browser will be Java-free, eliminating the possibility of stumbling across a malicious Java exploit during your day-to-day browsing.

Living without Flash

Even if you can live without Java, trying to banish Flash from your PC may be next to impossible. The headaches begin when you realize that both Google Chrome and Microsoft's Internet Explorer 10 ship with Flash woven into their very fabric. You simply can't excise Adobe's multimedia player from either of those browsers.

But let's assume you decide to roll with Firefox, or another alternative browser that isn't shackled to Adobe. Is it possible to live a Flash-free existence? It's hard.

Flash has been around so long, it's become a de facto Web standard in function, if not in definition. A ton of websites break without Flash. Hulu won't work without Flash. Neither will Amazon Instant Video. (Netflix runs on Microsoft's Silverlight, so it will.) Farmville or other Flash games? Fuggedaboutit, if their name didn't clue you in already. Rdio's browser interface? All Flash, all the time. Even once you expand your vision beyond traditional media interests, you'll find that many websites implement Flash in one way or another.

Flash, baby, I just can't quit you. But you, dear reader, might be able to if you aren't as heavily invested in online media as I am--just be prepared for some websites to look wonky or break entirely.

So what's the best option for the security-conscious individual who just can't bear to cut Flash out completely? You'll want to stick to a browser other than Chrome or IE 10 as your primary Flash-less surfing tool, and then use Chrome, IE 10, or another browser with the Flash plug-in installed when you stumble across a Flash-centric website. (Bonus points if you install Java's plug-in on your secondary browser; see above.) This strategy will minimize your possible exposure to dirty Flash exploits.

The prospect of abandoning Flash is becoming more viable by the day, though. Adobe recently discontinued Flash on Android, and Apple has never allowed the multimedia software on its iOS devices. And as mobile technology consumes the world, websites are turning away from Flash to embrace HTML5 in droves; W3Techs reports that the number of Flash-bearing sites has plunged in the past year, from just over 25 percent in March 2012 to 20.2 percent in March 2013.

Pandora, YouTube, Revision3, Vimeo, and Scribd have all either introduced HTML5 options or dumped Flash for HTML5 entirely over the past couple of years. With any luck, Flash's final days are just over the horizon.

Trumped, yet hopeful

At the end of my grand experiment, it's apparent that, while leaving Adobe Reader for greener (or at least less-targeted) pastures is relatively easy, you might not be able to quit Java or Flash cold turkey. But even so, you can take precautions to keep your security risks to a minimum. Just slap the Flash and Java plug-ins on a secondary browser and forget they're there unless you absolutely need them.


Stories by Brad Chacos
