Apple gets aggressive - latest OS X Java security update rips out browser support


Keeping track of which Java version you have, and whether it's the latest and most secure, can be a bit tricky, especially for Apple users.

Oracle, the custodian of Java, patches its products on Tuesdays, like Microsoft and Adobe. But it uses a different Tuesday, and a different set of months for different products. (Most Oracle products are patched quarterly; for Java, it's three times a year.)

For Your Diary: Oracle Critical Patch Updates

Critical Patch Updates (CPUs) are collections of security fixes, released on the Tuesday closest to the 17th day of the month. For most products, the patches come four times a year:

15 Jan 2013 - 16 Apr 2013 - 16 Jul 2013 - 15 Oct 2013

For Oracle Java SE, the patches come three times a year:

19 Feb 2013 - 18 Jun 2013 - 15 Oct 2013

Fixes deemed too critical to wait for the next CPU are issued ad hoc as Security Alerts.

Once Oracle has patched Java, Apple then sucks the changes into its Java code tree and issues its own updates, but you can never be quite sure how long that's going to take.

Apple infamously took until April 2012 to push out a patch that had been available to everyone else since February, thus leaving a lengthy window of opportunity for malware authors. The crooks used this window (no pun intended) to build a giant-sized botnet of Macs infected with a Trojan known as OSX/Flshplyr-B.

This month, things have been calmer and more predictable. Oracle updated Java on Tuesday 16 October 2012, as expected; Apple followed suit a day later.

The latest versions are:

Vendor              Release      Current version
Oracle (all OSes)   Java SE 7    1.7.0_09-b05
Apple (OS X only)   Java SE 6    1.6.0_37-b06

For some time, Naked Security's advice has been to get rid of Java altogether if you don't need it, or to ban it from your browser if you use Java only for running pre-installed applications.

Keeping Java out of your browser removes the risk of hostile applets - special stripped-down Java programs embedded into web pages.

It seems as though Apple has been listening.

First, it stopped shipping OS X with Java pre-installed when OS X Lion (10.7) came out. Lion and Mountain Lion (10.8) include a program stub (/usr/bin/java) that offers to fetch and install Java if ever you try to use it, but it's not installed by default.

Then, Apple issued an update that would tell your browser to turn off Java if you hadn't used it for a while, thus reducing your needless exposure to hostile Java code on the web.

And in its latest security update, Apple has been even more aggressive.

Cupertino's coders not only bumped up their Java version to Oracle's latest release of Java SE 6 (1.6.0_37), but also ripped out the browser plugin component entirely.

So, after you apply the latest OS X Java update - which you only need if you have already chosen to install Java - you will no longer be able to run applets in your browser.

That may sound like a bug, but for most users, it's a feature. You'll soon find out if you really need Java in your browser, because Apple adds a placeholder plugin that fills any applet window with a "Missing Plug-in" warning and a download button.

You can then choose whether to install the missing plugin or to learn to live without it.


The only downside is that to acquire the needed applet plugin, you have to install Oracle's Java runtime in parallel with Apple's Java.

This leaves you with twice as much Java on your Mac: Apple's latest version of Java SE 6, and Oracle's latest version of Java SE 7. (You can't get an Oracle Java runtime to match the Apple one - Oracle doesn't build a 1.6.0-flavoured Java for OS X because that's seen as Apple's job.)


The question you'll want answered now is, "Should I get the updates right away, or wait?" (Don't forget that if you're an OS X user, you may need to update from both Apple and Oracle.)

I suggest that you shouldn't wait.

These latest Java updates fix 30 security holes in total; all the holes but one potentially allow remote code execution; and 23 of them are categorised as having what Oracle calls an access complexity of "low". The lower the access complexity, the more likely it is that a working exploit can be found and used.

Oracle has published a detailed Risk Matrix, if you aren't convinced to update already.

For further information, here are some useful links, both general and specific:

• Apple security notification: General landing page (HT1222)

• Apple security notification: Java fixes for October 2012 (HT5549)

• Oracle CPUs and security alerts: General landing page

• Oracle Java SE release notes: General landing page

• Oracle Java SE release notes: 1.6.0_37-b06 (Apple's Oct 2012 version)

• Oracle Java SE release notes: 1.7.0_09-b05 (Oracle's Oct 2012 version)

• Oracle Java SE risk matrix: October 2012 Critical Patch Update

Hope this helps.


14 Responses to Apple gets aggressive - latest OS X Java security update rips out browser support

  1. steve · 713 days ago

    So in light of this discovery, get a browser with a selection of security add-ins that allows you complete control of all non-html code, stopping everything in its tracks until you make your own whitelist. Make similar tools available for mobile browsers as well.

    • Paul Ducklin · 713 days ago

      Lynx not good enough for you, eh :-) Who needs non-HTML code?

      • Jason · 713 days ago

        How'd you post your comment over Lynx? ;-)

        • Paul Ducklin · 712 days ago

          Darn! Busted!

          I cheated. I used an AWK script and cURL.

          Actually, I used Firefox. Bit of a cop-out. All I can say in my own defence is that I at least have lynx installed:

          duck@ret:~$ lynx --version
          Lynx Version 2.8.7rel.1 (05 Jul 2009)
          . . . .

          (I find the "-dump -width=x" feature very handy. Great for quickly converting online documentation into fixed-width text I know will be perfectly legible on my phone for easy one-handed perusal on the bus.)

  2. Chas Large · 713 days ago

    I agree and use Firefox with NoScript to block unwanted scripts.

    What pees me off about the Java Updates is having to OPT-OUT of the install "Ask Toolbar". Other users in the office ignore this then complain their browser has been modified and home page changed by someone else and I have to go round explaining and uninstalling that toolbar.

    Lots of bits of software do similar things now too and I think they should all be OPT-IN, not OPT-OUT.

    As for Apple? what's that then apart from a bit of fruit? ;-D

    • Nigel · 713 days ago

      ...er, this article is about Java. NoScript affects JavaScript, which is something completely different.

      • Paul Ducklin · 713 days ago

        NoScript, despite its name, gives you control over more than just JavaScript.

        From NoScript's own website (noscript.net): "The NoScript Firefox extension...allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank)."

  3. Larry Seltzer · 713 days ago

    I've applied the latest update:

    java -version
    java version "1.6.0_37"
    Java(TM) SE Runtime Environment (build 1.6.0_37-b06-434-11M3909)
    Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01-434, mixed mode)

    And Java applets still run in my OS X Firefox (current version 16.0.1).

    Did I misunderstand the posting?

    • Paul Ducklin · 713 days ago

      No...Apple's claim is clear, that the update "uninstalls the Apple-provided Java applet plug-in from all web browsers."

      When I applied the update, both Firefox and Safari stopped handling applets. (Hmmm. Now I'm doubting myself. Let me say, "I'm 92.8% sure I tried both FF and Safari immediately after the update and neither would run applets, though both had done so before.")

      Did you already have Oracle Java installed as well? And are you on Lion or Mountain Lion, or on Snow Leopard, which got the security fix via a different update package?

      Have a look at this directory:

      /Library/Internet Plug-Ins/JavaAppletPlugin.plugin

      (How I despise spaces in filenames! But I digress...)

      Is it a directory of its own, including its own plugin code? Or is it a symlink to:

      /System/Library/Java/Support/CoreDeploy.bundle/Contents/JavaAppletPlugin.plugin

      The latter directory now seems to include - at least on my post-update 10.8 system - what I describe in the article as the "placeholder plugin that fills any applet window with a 'Missing Plug-in' warning and a download button."

      If I delete my Oracle-installed JavaAppletPlugin.plugin bundle, then my browsers stop running applets. Using javatester.org (as in the article) produces "Missing Plug-in" where the applet should be. If I then create a JavaAppletPlugin.plugin symlink, as above, I get "Missing Plug-in [Downloadicon]".
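The version table in the article and the plugin-path check Paul describes in this comment are both things a Mac admin ends up doing by hand after the 2012-006 update. The script below is an added example (not code from the article, from Apple or from Oracle): it parses `java -version` output into an update level, compares it with the October 2012 levels the article lists (1.6.0_37 for Apple's Java SE 6, 1.7.0_09 for Oracle's Java SE 7), and classifies each of the two JavaAppletPlugin.plugin paths as a real directory, a symlink, or missing. The two plugin paths and the version numbers come from the page; the function names are this example's own, and the version strings in the comments are constructed from Larry's output.

```shell
#!/bin/sh
# Added example, not part of the original post. POSIX sh inventory check for
# an OS X machine after "Java for OS X 2012-006". Function names are this
# example's own; paths and version numbers are the ones named in the article.

# Print the update number of a "1.<major>.0_<update>" Java version found in
# `java -version` text, e.g. 'java version "1.6.0_37"' with major 6 -> 37.
# Prints nothing and returns 1 if the text is not that major release.
java_update_level() {
    _ver="$1"; _major="$2"
    # Pull the quoted version token out of the first matching line.
    _tok=$(printf '%s\n' "$_ver" |
           sed -n 's/.*version "\([0-9._]*\)".*/\1/p' | head -n 1)
    case "$_tok" in
        1."$_major".0_*)
            # Strip the leading zero Oracle uses in e.g. 1.7.0_09.
            printf '%s\n' "${_tok##*_}" | sed 's/^0*//; s/^$/0/' ;;
        *) return 1 ;;
    esac
}

# Return 0 if the version text is major <major> at update >= <min_update>.
java_is_patched() {
    _lvl=$(java_update_level "$1" "$2") || return 1
    [ "$_lvl" -ge "$3" ]
}

# Classify a plugin path: "symlink <target>", "directory", "file" or "missing".
# A symlink into CoreDeploy.bundle is Apple's placeholder; a real directory
# under /Library/Internet Plug-Ins is an Oracle-installed plugin.
classify_plugin() {
    if [ -L "$1" ]; then
        printf 'symlink %s\n' "$(readlink "$1")"
    elif [ -d "$1" ]; then
        printf 'directory\n'
    elif [ -e "$1" ]; then
        printf 'file\n'
    else
        printf 'missing\n'
    fi
}

# Report on the running system. Safe on a non-Mac (paths report "missing").
# Caveat from the article: on Lion/Mountain Lion without Java, /usr/bin/java
# is a stub that offers to install Java, so check the plugin paths first if
# you do not want that prompt.
report() {
    if command -v java >/dev/null 2>&1; then
        _out=$(java -version 2>&1)
        if java_is_patched "$_out" 6 37; then
            echo "Apple Java SE 6: at or above 1.6.0_37 (October 2012 level)"
        elif java_is_patched "$_out" 7 9; then
            echo "Oracle Java SE 7: at or above 1.7.0_09 (October 2012 level)"
        else
            echo "Java present but not recognised as the October 2012 level:"
            printf '%s\n' "$_out" | head -n 1
        fi
    else
        echo "java: not on PATH"
    fi
    for _p in "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin" \
              "/System/Library/Java/Support/CoreDeploy.bundle/Contents/JavaAppletPlugin.plugin"; do
        printf '%s: %s\n' "$_p" "$(classify_plugin "$_p")"
    done
}

report
```

Run it as `sh javacheck.sh` (any file name). A system that shows "directory" for the /Library path has Oracle's plugin installed in parallel with Apple's Java, which is the "twice as much Java" situation the article describes; "symlink" pointing into CoreDeploy.bundle is the post-update placeholder.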

      • Larry Seltzer · 712 days ago

        Both of those JavaAppletPlugin.plugin directories have only a subdirectory named Contents. Both of those have only these in them:

        Info.plist
        MacOS
        Resources
        version.plist

        Actually, the /System... one also has _CodeSignature in it.

        I'm on Lion.

      • Larry Seltzer · 712 days ago

        Is there an Apple Software Update log somewhere? I could go back and check what the update was that I applied.

        • Larry Seltzer · 712 days ago

          According to Software Update, I installed "Java for OS X 2012-006" version 1.0. That's the one that removes what you're talking about.

          Not sure how to tell if I have the Oracle Java installed, but Firefox says I have the "Java Plug-in 2 for NPAPI browsers 14.4.0" (last updated December 18, 2011).

  4. Michael Horowitz · 713 days ago

    This article applies only to Lion and Mountain Lion. Users of OS 10.6 Snow Leopard have a simpler life, their only option is Java 6 from Apple.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog