You can understand this, because for years these plugins have been responsible for vulnerability on top of vulnerability. Their combination of web-facing access and native code execution means that you have maximum exposure and maximum risk concentrated in one place on the machine.
Browser manufacturers have recognised this risk in their own code, and have made great strides in improving security. Plus, you can always switch browsers if you feel one is more secure than another.
An attacker can pretty much assume that their target is running Flash from Adobe, and Java from Oracle. [Microsoft used to have a competing Java implementation, but Oracle sued it out of existence.]
Bugs in those implementations are widely published, and not widely patched, whether or not patches are available.
Users don't upgrade applications (plugins included) as often or as willingly as they update their operating system. So, while your browser may be updated with the operating system, or automatically self-update, it's likely most users are running a version of Java and/or Flash that's several versions behind.
As you can imagine, the declaration by Oracle that Java plugin support will be removed is a step forward in recognising the changing landscape of browser security, but it's not an indication that this is an area in which security professionals can relax.
Just the opposite.
With the deprecation of plugin support comes the following:
It's not like Oracle are going to reach into every machine and uninstall / turn off plugin support. Even if they had the technical means to do so, such an act would be completely inappropriate.
So, what we're left with, whenever a company deprecates a product, application or framework, is a group of machines (zombies, if you will) that are operated by people who do not heed the call to cull, and which are going to remain active and vulnerable until such time as someone renders those walking-dead components finally lifeless.
If you're managing an enterprise from a security perspective, you should follow up every deprecation announcement with a project to decide the impact and schedule the actual death and dismemberment of the component being killed off.
Assuming, of course, that you followed through successfully on your plan.
Until then, watch out for the zombies.
The Browsing Dead.