Java on XP? Is it still supported, and what should you do about it?

Graham Cluley

Well done to Oracle, which has successfully managed to confuse everyone about what the situation is regarding whether Java (a development platform with a long history of security holes) will continue to be properly supported on Windows XP (an operating system with a long history of security holes, that Microsoft has recently killed off after many years of trying).

As Lumension described last week, Oracle had announced with the demise of Windows XP that support for Java on XP had reached the end of the road:

“Users may still continue to use Java 7 updates on Windows XP at their own risk, but support will only be provided against Microsoft Windows releases Windows Vista or later… Windows XP users will be unable to install Java 8 on their systems. Windows users must upgrade to Windows Vista or later to install Java 8.”

It didn’t take long for the media to report on the story, with headlines like “Java support over for Windows XP”, “Windows XP: Java is Dead to Me” and “Big Java security fixes on the way – but not so fast, Windows XP users”.

After that, it would be pretty reasonable to assume that Oracle had just given you another reason to switch your computers from Windows XP, right?

And that would be a good thing, as Windows XP is no longer supported by Microsoft, is no longer receiving security patches from the security team at Redmond, and cannot be considered a safe place to be.

Well, hold your horses.

Because Oracle has issued a statement entitled “The future of Java on Windows XP”, attempting to clarify its position.

In a nutshell, here are the facts as I understand them:

  • Oracle expects “all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the foreseeable future. In particular, we expect that JDK 7 will continue to work on Windows XP.”
  • JDK 8 won’t currently install on Windows XP, and may never install properly on Windows XP. But that’s okay, because – according to Oracle – you can “unpack it manually and it will likely run fine”.
  • If you carry on using Windows XP (despite all the warnings from security vendors), then you will continue to receive updates for JDK 7 until at least April 2015 – the currently scheduled end of the roadmap for public updates to JDK 7. So, yes, you will get the JDK 7 security updates scheduled for release this week.
  • Oracle might, in the future, try to make it easier to install JDK 8 on Windows XP. But it’s making no promises. In their own words – “if you are on Windows XP it’s not clear that it’s worth updating to Java 8 without also updating the OS.”

In short, Oracle says, “don’t believe everything you read on the internet.”

Here’s my own, personal guide for those still wondering what they should do about Windows XP and Java:

1. As soon as possible, switch away from Windows XP. It’s no longer secure and you are putting your data and company at risk by using it. It’s not as though the issue hasn’t been publicised. If switching to a more modern version of Windows is too expensive or requires a pricey hardware upgrade, consider an alternative operating system.

2. If at all possible, stop using Java. At the very least, consider whether you really need Java enabled in your users’ web browsers, or limit its usage to specific sites to lower the attack surface.

3. If you’re still running Windows XP and Java – good luck with that. Oracle is clearly not putting resources into testing Java on the XP platform, and XP must be considered an insecure operating system. It may be painful shifting, but doing so sooner rather than later is probably a sensible idea.

4. Whatever you decide to do, continue to keep your anti-virus software up-to-date, and minimise the potential for attackers to exploit vulnerabilities in your systems by keeping on top of security patches.

And finally, next time you chat with someone at Oracle ask them this: Isn’t it time Oracle gave us monthly security updates for Java?

This article originally appeared on the Lumension blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.