I made a similar, recent post on finding a workaround to avoid the actual Java program in terms of adding things to the vanilla of Minecraft. Unfortunately, it seems rather impossible. So, I thought I'd start another thread to get some more knowledge on the subject and discuss the security concerns that Java raises in hopes some people with more knowledge and experience on the matter could shed some light if they can.
I remember Java being a much bigger threat back in 2015-ish, and that there were holes in its security that left it extremely vulnerable. Is that still the case now, as of 2018? Is this worth the concern in terms of just wanting to add some shaders and whatnot to my Minecraft game? Should people be using Java at all?
What are your thoughts? Have you gotten any sort of malware from Java? What do you do to protect yourself as a user with Java?
The security concerns regarding Java are with regards to Java Applets that run inside of Web browsers. With a Java plugin available in the browser, your browser loads in the Java plugin which will then load and execute the Java bytecode.
When running Applets, the Java plugin is running in what is known as a "Java sandbox". Certain "normal" Java operations are not available. For example, an Applet cannot use JNI (Java Native Interface) to interface with system DLL files, nor can it access local system files.
Java "exploits" are when you can run specially crafted bytecode or otherwise fiddle with that Java plugin component running your applet in order to "trick" it into letting you perform those privileged operations.
The issues with the Java plugin are because you are running untrusted code by default. You are visiting a website, you don't know anything about the software it has, or what it does, so it runs in a restricted environment.
With Client applications, there is nothing to "exploit" in the Java runtime. Client Applications written in Java have the same privileges as any other client application written in any other language, and can access all the capabilities that are locked off by design from Java Applets, because by virtue of installing it you have declared your trust for the application.
Applets are a rather outdated technology that has been largely superseded by various other developments that have arisen, making it not particularly useful to have installed.