Google Chrome – Why is Java Plugin (JRE) Disabled


Why is the Java plugin (JRE) disabled in Chrome? Is it some security concern?

From official Java website:

Chrome no longer supports NPAPI (technology required for Java applets)

The Java plug-in for web browsers relies on the cross platform plugin architecture NPAPI, which has been supported by all major web browsers for over a decade. Google's Chrome version 45 (scheduled for release in September 2015) drops support for NPAPI, impacting plugins for Silverlight, Java, Facebook Video and other similar NPAPI based plugins.

But does anyone know why? How could it be dangerous for a Chrome user with the latest version of Java JRE installed?

Best Answer

Why is Java disabled in Chrome? Is it some security concern?

The reasons prompting the disabling of NPAPI, and therefore Java, include the following according to the Chromium Blog:

  • Increased security
  • Increased speed
  • Increased stability
  • Reduction in code complexity
  • Reduction in crashes
  • Reduction in hangs
  • Lack of support for mobile devices

Note:

  • Firefox is also dropping support for NPAPI - See NPAPI Plugins in Firefox:

    Plugins are a source of performance problems, crashes, and security incidents for Web users.

    Mozilla intends to remove support for most NPAPI plugins in Firefox by the end of 2016.


How could it be dangerous for Chrome users with the latest version of Java JRE installed?

Short answer: Zero Day Exploits.

Another source for vulnerabilities is the fact that Java hasn’t released an automatic updater that doesn’t require user intervention and administrative rights. For example, Google Chrome and Flash Player have. This feature allows users to get automatic updates without being prompted to take action, making updates easier.

For lack of an automatic updates system, many users ignore Java updates and even fear installing them, because of malware that used Java updates as an infection vector in the past or similar experiences.

Just know that all these vulnerabilities are what cyber criminals thrive on.

...

Data extracted from our own database confirms that Java is the second biggest security vulnerability that requires constant patching, after Adobe’s Flash plugin.

In 2015 alone, we’ve already deployed 105925 patches for Java Runtime Environment for our clients.


Read the rest of the article for a detailed explanation and commentary.

Source Why are Java’s Vulnerabilities One of the Biggest Security Holes on Your Computer?


The Final Countdown for NPAPI

Last September we announced our plan to remove NPAPI support from Chrome, a change that will improve Chrome’s security, speed, and stability as well as reduce complexity in the code base.

Source The Final Countdown for NPAPI


Saying Goodbye to Our Old Friend NPAPI

NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year. We feel the web is ready for this transition. NPAPI isn’t supported on mobile devices, and Mozilla plans to make all plug-ins except the current version of Flash click-to-play by default.

Source Saying Goodbye to Our Old Friend NPAPI
