Oracle updates Java, supports OS X, claims full and timely updates for Apple users

Filed Under: Apple, Java, Malware, Oracle, Vulnerability

Apple and Java have had an on-again, off-again relationship for a while now.

Back in the mists of time - actually, just under three years ago, when OS X 10.6 appeared - Macs came with Java as part of the OS X distribution.

And not just the JRE - the Runtime Environment you need to run other people's Java programs on your computer - but the three-times-the-size, all-singing, all-dancing JDK. That's the Development Kit - the JRE plus the stuff you need to build your own Java software.

Whenever Sun (now Oracle) announced an update to Java - whether for features, security patches or both - most users could head over to the download motherlode on the Sun-now-Oracle site and grab the latest and greatest JRE or JDK.

But not Mac users.

Java updates for OS X were effectively contracted out to Apple, and delivered only via Apple's own Software Update service.

And Apple's updates generally came out later than Oracle's - famously, in April 2012, too late to save Mac users from a drive-by assault by the Flashback malware, which Sophos detects as OSX/FlshPlyr-B.

More than 600,000 Macs were reportedly infected, thanks to a Java security hole (CVE-2012-0507), before Apple cranked out a patch for a bug that everyone else had been able to fix since February.

By OS X 10.7, better known as Lion, Apple had kicked Java out of the default operating system distribution, but that was cold comfort to Java-using Lion users confronted with OSX/FlshPlyr-B.

They'd installed Java as an official add-on from Apple, so they'd understandably assumed that Apple would offer timely patches, given the known risks of unpatched Java installs.

In fact, if ever you try to run Java on Lion, OS X cheerfully reminds you that you don't have it, and helpfully offers to grab it for you automatically.

Today, at least as far as Java installs go, it seems we've come full circle.

Java for OS X is now being published directly by Oracle, and patches are promised for OS X at the same time that they come out on Windows.

[Update: In its own words, Oracle's OS X installer, named Java 7 Update 06.pkg, "is supported only on OS X Lion (10.7.3)".]

Confused? Don't be. (If you are, that's my fault, and I apologise. This was, however, a voyage I felt deserved recounting in some detail.)

Here's what I suggest for OS X users:

1. Work out if you really need Java at all. If you don't, consider removing or at least disabling it. (You can find some suggestions on how to do this - admittedly untested - in the comments.) In this case, your journey ends here.

2. If you aren't sure, remove or disable Java and see how you go for a week or so. If your browsing experience is undiminished, and all the applications you use still work fine, your journey ends here.

3. If you are a Lion user, and have Apple's Java installed, consider replacing it with the new Oracle version. Don't forget that this means you won't get Java updates via your Mac's Software Update any more. Use Oracle's own updater instead. (It can be set to run automatically.)

4. After three or four weeks, GOTO 1.

For the record, the latest Java version from Oracle is 7u6, which reports itself as 1.7.0_06 (note the leading zero) if you run java -version. If you don't intend to develop Java programs yourself, stick to the JRE. It's much smaller than the JDK, which reduces what's known in trendy-speak as your attack surface. That's always a good thing.
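If you follow the steps above, the two things worth checking on a Mac are which Java build you actually have and who is responsible for patching it. The script below is an added example, not code from the article, Apple or Oracle: it parses the first line of java -version (which is where the 1.7.0_06 string appears, leading zero and all), compares it numerically against the 7u6 baseline, and guesses the vendor from the install path. The install paths (Apple under /System/Library/Java, Oracle's JRE plug-in under /Library/Internet Plug-Ins, Oracle's JDKs under /Library/Java) are this example's assumptions about where the two vendors' packages put their files, not something the article states.

```shell
#!/bin/sh
# Added example (not from the article): audit a Mac's Java install against the
# 7u6 baseline and work out whether Apple or Oracle is the one who will patch it.
# The vendor paths below are assumptions about the two vendors' package layouts.

# Pull "<major> <update>" out of the first line of `java -version`, which looks like
#   java version "1.7.0_06"      (Oracle 7u6 - note the leading zero)
#   java version "1.6.0_33"      (Apple's Java 6)
# Prints e.g. "7 6" or "6 33". Returns 1 for anything it cannot parse, so a
# caller never mistakes an unrecognised build for a patched one.
parse_java_version() {
    fields=$(printf '%s\n' "$1" \
        | sed -n 's/^[a-z]* version "1\.\([0-9][0-9]*\)\.[0-9][0-9]*_\([0-9][0-9]*\)".*$/\1 \2/p')
    [ -n "$fields" ] || return 1
    major=${fields%% *}
    update=${fields##* }
    # Strip the leading zero so that "06" compares as the number 6.
    update=$(printf '%s' "$update" | sed 's/^0*\([0-9]\)/\1/')
    printf '%s %s\n' "$major" "$update"
}

# java_version_at_least "<java -version line>" <major> <update>
# Returns 0 when the installed build is at or beyond the baseline, 1 when it is
# older or unparsable. The comparison is numeric: 1.7.0_10 is newer than 1.7.0_6,
# which a plain string comparison would get wrong.
java_version_at_least() {
    have=$(parse_java_version "$1") || return 1
    have_major=${have%% *}
    have_update=${have##* }
    [ "$have_major" -gt "$2" ] && return 0
    [ "$have_major" -eq "$2" ] && [ "$have_update" -ge "$3" ] && return 0
    return 1
}

# Who patches this Java? (Paths are the example's assumptions.)
# Apple's builds live under /System/Library/Java and arrive via Software Update;
# Oracle's JRE is a browser plug-in bundle under /Library/Internet Plug-Ins and
# its JDKs sit under /Library/Java, both serviced by Oracle's own updater.
java_vendor_for_path() {
    case "$1" in
        /System/Library/Java/*)                                 echo apple ;;
        "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/"*) echo oracle ;;
        /Library/Java/JavaVirtualMachines/*)                    echo oracle ;;
        *)                                                      echo unknown ;;
    esac
}

# Run the audit on this machine. Only meaningful on OS X with Java installed;
# java -version writes to stderr, hence the 2>&1.
audit_java() {
    command -v java >/dev/null 2>&1 || { echo "no java on PATH: nothing to patch"; return 0; }
    line=$(java -version 2>&1 | head -n 1)
    home=$(/usr/libexec/java_home 2>/dev/null || echo unknown)
    echo "java:   $line"
    echo "home:   $home (patched by: $(java_vendor_for_path "$home"))"
    if java_version_at_least "$line" 7 6; then
        echo "status: at or beyond 7u6"
    else
        echo "status: older than 7u6 (or unrecognised) - update it, or remove it"
    fi
}

# Uncomment to run the audit when the script is executed directly:
# audit_java
```

Treating an unparsable version string as "not patched" is deliberate: if the check cannot tell what it is looking at, the safe answer is to make you look yourself rather than to report a clean bill of health.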

This new Java version includes a longish list of bugfixes. These include: a few ominous-sounding ones with more than a whiff of vulnerability about them, such as 7166498 - JVM crash in ClassVerifier; the risky-sounding 7155051 - DNS provider may return incorrect results; and the intriguingly sticky-sounding 7178177 - Debug spewage when applets start up.

With that in mind, I suggest you update as soon as practicable.



8 Responses to Oracle updates Java, supports OS X, claims full and timely updates for Apple users

  1. @Aeyoun · 797 days ago

    Any news on whether this will include a new Java plug-in for OS X?

  2. Anonymous Coward · 797 days ago

    "If you don't, simply remove it."

    Care to explain how to simply accomplish this? I think you're misleading people by suggesting that this is easy.

    • Paul Ducklin · 797 days ago

      Hmmm. Turns out you have asked an awkward but important question :-)

      My assumption was - sorry - just to remove /System/Library/Java and its subdirectory tree (or at least to move it somewhere out of harm's way and see what the side-effects were). But don't do that on my say-so. It might end in tears.

      I'll remove the word "simply", and mention (without formally recommending it, or even knowing quite how reliable the advice is) this article, which looks like a good - but not, indeed, simple! - place to start:
      http://apple.stackexchange.com/questions/24131/un...

      If you're reluctant to delete anything, here's something else on disabling Java. Once again, your kilometrage may vary:
      http://osxdaily.com/2012/04/07/tips-secure-mac-fr...

      Hope that's enough to be going on with.

  3. @DaanVrolek · 797 days ago

    I find it very interesting that, although Oracle has now released their own OS X version, they are not marketing it on Java.com yet: http://java.com/en/download/apple_manual.jsp?locale=us

    • Paul Ducklin · 797 days ago

      Java.com not only omits mention of the just-announced OS X support, it also omits mention of the 7u6 update altogether. It still tells you: "Recommended Version 7 Update 5." (That was the case at 2012-08-15T23:45+10, anyway.)

      I suspect that the reason probably isn't as interesting as you think - what's the bet that the marketing department simply hasn't got round to updating the Java.com site yet :-)

      • Paul Ducklin · 797 days ago

        Answering myself :-) Oracle's press release about this stuff (linked to in the article) says: "Consumers will soon be able to download the JRE for Mac OS X from Java.com, just as they do for all other operating systems."

        So...they just haven't got a Round Tuit yet.

        Also - and I have updated the article to make this clear - the OS X installer (I have only tried the JRE) published by Oracle _only supports OS X 10.7.3_. Tough luck to Snow Leopard or Mountain Lion users, at least so far...

  4. Dale · 797 days ago

    I updated to the latest version for Windows but I'd like to ask a question.

    In the option tabs, there are a lot of options to choose from & I'll bet I'm not the only person who wouldn't have a clue which options are best for security. I only install Java & Flash because so many sites use it, not because I want it on my system.

    In the options tabs, are they already set up at the safest level, or should they be changed?

  5. Ken Martin · 796 days ago

    Yep! I'd really like to know when the Java version for Snow Leopard 10.6.8 will be updated. Version 9 appears to be current.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog