Oracle ships out-of-band Java fix, Apple follows suit

Filed Under: Featured, Oracle, Vulnerability

Want a big surprise?

Oracle recently published an emergency update for Java, and Apple quickly followed suit for the version of Java it still officially supports.

Want another surprise?

The fix was brought forward from Oracle's regular scheduled patch (the next one is on 16 April 2013) because of its critical importance.

Just like last time, when Oracle pre-empted its official 19 February 2013 update with an emergency fix at the start of the month.

In fact, the vulnerabilities here were ones that Oracle knew about at the start of February but weren't able to patch in time either for the start-of-February emergency update or for the official mid-month release:

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE.

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert

Oracle certainly seems to be learning the hard way that its old-school patch regimen for Java, just once every four months, doesn't cut the mustard any more.

As you see above, even the April release wasn't originally planned, but was squeezed in between the February and June releases, presumably because June suddenly seemed so far away when February's in-the-wild exploits struck.

Microsoft, as we all know, has a monthly-based scheduled updating process, the well-known Patch Tuesday; Adobe goes quarterly; and so, for that matter, does Oracle for every product other than Java.

So, if you're a wagering type, you might want to bet that Oracle adopts an every-two-months patch cycle for Java on a permanent basis.

Alternatively, bet that Oracle turns its official four-monthly patch cycle into a vehicle for delivering new features and otherwise routine stuff only, and takes to a rolling release system for critical security updates.

In this case, once Oracle had moved to publish its out-of-band patch, Apple was quick to follow.

Apple no longer installs Java by default in OS X. Instead, you get a set of executable stubs so that if you try to run something that needs Java, you are presented with a popup asking you if you want to install it.

One thing to bear in mind if you do have Apple's Java installed is that it's still Java version 6.

And Oracle rather bluntly announced, in this latest security update:

This release is the last of publicly available JDK 6 Updates. Oracle recommends that users migrate to JDK 7 in order to continue receiving public updates and security enhancements.

Sadly, I can't tell you how to remove Apple's flavour of Java after you've installed it.

(I got rid of it as a handy side-effect of reinstalling OS X 10.8, though that might be further than you're willing to go to achieve that result.)

→ An official Java uninstaller sanctioned by Apple for those who want to remove it cleanly, or to switch unequivocally to Oracle's Java 7 build, would be a jolly good idea.

As I'm sure all regular Naked Security readers know, our advice has long been to get rid of Java from your browser if you don't need it.

We still think that's a good idea.

Corporate users don't always agree, especially if they have legacy web applications that rely on Java applets served up from outside their network.

But instead of kicking back at Naked Security for suggesting an end to Java in the browser, why not take the fight to the software vendors who won't give you an alternative?

How about suggesting to software vendors who are still stuck back in the Java-is-for-active-content era that they fast-forward to the brave new world of JavaScript and HTML5?

The HTML5 world, in which web coders can do pretty much everything in your browser that they ever dreamed of doing in Java and more besides, hasn't been anywhere near as plagued by exploits.

Worth thinking about!

NB. This patch bumps the current Java version numbers to Java 7 update 17, and to Java 6 update 43.

, , , , , ,

You might like

16 Responses to Oracle ships out-of-band Java fix, Apple follows suit

  1. And while they're at it, perhaps they could consider putting an end to the opt-out browser toolbar they try to sneak past users who are not expecting Java to come bundled with junk like that...

  2. Nigel · 574 days ago

    "I got rid of it (Java) as a handy side-effect of reinstalling OS X 10.8, though that might be further than you're willing to go to achieve that result."

    Paul: What does reinstalling OS X 10.8 remove from your Mac---Java itself, the Java applet plugin, or both?

    I currently don't have any apps that require Java, so I wouldn’t miss it. However, there are still some websites I (rarely) visit that require the plugin. I can either enable it selectively for those sites, or use a dedicated browser that has the Java plugin enabled, which browser I use only for those sites.

    It’s true enough that reinstalling OS X 10.8 (or, in my case, even installing it in the first place) is an unattractive way to manage Java’s potential for mischief. I use certain specialized technical apps and plugins (some of which are designed for the most recent versions of Apple’s own software applications) that are broken in OS X 10.8, and in some cases even in OS X 10.7, but work just fine in OS X 10.6.8.

    So, there are plenty of compelling reasons NOT to "upgrade" OS X from an older one that works to a newer one that breaks many things (...well, other than the gradual erosion of support for the older system). Disabling the plugin is vastly more attractive than removing Java altogether via a system “upgrade”.

    • Paul Ducklin · 573 days ago

      When you install OS X 10.8, the "Java" you end up with is just the set of stubs I mentioned above. The main command names exist, such as "java", but they merely pop up a dialog to say that Java insn't installed yet, would you like to do so now?

      If you need Java, you can go with Apple's prompted install of Java 6 (the one I don't know how to remove :-), or grab Oracle's Java 7, which doesn't come with an uninstaller but does come with relatively simple instructions for manual removal.

  3. Re: "But instead of kicking back at Naked Security for suggesting an end to Java in the browser, why not take the fight to the software vendors who won't give you an alternative?"

    Really? You think this is going to work ... in the real world?

    Here's an example, if you care to hear it (I doubt you will, but here goes). One of our clients is a shop that manufactures parts for a major aerospace company. The aerospace company provides its contractors with files needed to do their work via a Java-powered Web site. Do you seriously propose that my client "take the fight" to said major aerospace company and order them to use something other than Java? On what basis do you think my client can force the major aerospace firm to change how it works? What makes you think a multi-billion dollar global corporation would even listen to such a demand? Would you rather my client refuse to do business with them at all if Java is required to work for them? How reasonable a business decision do you think that would be?

    If you think my client has anywhere near the power to make the aerospace firm work any differently, you're sadly mistaken. Telling them to "fight" a mega-corporation is not useful or realistic advice. It sounds all nice and defiant, but it just ain't gonna work.

    • Paul Ducklin · 573 days ago

      I *do* want to hear stories like this and I feel your client's pain.

      I asked, semi-rhetorically, "why not take the fight to those who force you to use Java when you don't want to," but it was only semi-rhetorical. In this case, you've given the answer: "The reason why not is that the fight is one-sided."

      But there is a proverb about "the journey of 1000 miles starts with a single step."

      Could yout client at least *ask* the megacorp why they force Java into the browser to retrieve files?

      If enough people ask, it might at least create *some* publicity or awareness.

      If no-one does anything, the result we can be sure of is nothing.

      • Re: "Could yout client at least *ask* the megacorp why they force Java into the browser to retrieve files?"

        Whom, exactly, would you like them to "ask"? A support tech manning the aerospace firm's corporate help desk? What kind of answer would they give? What kind of pull do you think that person has within the mega-corporation? What makes you think the mega-corporation's CTO (or equivalent) is available to speak with my client? What do you suggest my client say or do to penetrate the corporate bureaucracy to reach him or her? And what then would you suggest they say or do to convince him or her to get rid of Java? How far would you like them to push the issue?

        Honestly, my client has better things to do with their time than engage in a pushback campaign, on your orders, with a mega-corporation they do business with and need to satisfy.

        Someday, security honchos will come up with a better solution to Java's troubles than just demand that no one use it. One of them would be to convince Oracle to do a better job of keeping Java secure. If you find that doesn't work ... because Oracle's a big, powerful company that can do what it wants and can safely ignore you ... then perhaps you now finally understand the position my client, and a lot of other users and businesses, find themselves in.

        • Paul Ducklin · 573 days ago

          "Whom, exactly, would you like them to ask?"

          Brian Krebs might be a start :-)

          I'm not "ordering your client to engage in a pushback campaign", as you seem to think.

          Just a suggestion.

          Some people need Java in the browser, and some of them probably want it there. Sobeit.

      • Larry M · 573 days ago

        Paul,

        The in-house app developers and support staff are about the lowest level of programmers that exist. Java is probably the only language they know,

  4. guess · 573 days ago

    "An official Java uninstaller sanctioned by Apple for those who want to remove it cleanly, or to switch unequivocally to Oracle's Java 7 build, would be a jolly good idea."

    How to remove Java cleanly?

    May I knwo what is that official Java uninstaller?

    • Paul Ducklin · 573 days ago

      That's the whole thing - I don't think there is a clean way to go back after installing Apple's build of Java.

      As I said, I reinstalled OS X 10.8 for other reasons, but was conscious that by doing so I would also be able to go back on my earlier decision to say "Yes" when OS X asked me if I wanted to install it.

      If any reader knows of a reliable (and preferably supported) way to do it...please let @guess and me know!

  5. Phil · 573 days ago

    "Why not take the fight to the software vendors who won't give you an alternative?"

    'Cos they don't listen.

    My users have to deal with a certain bank; and the only way they can do that is through a site which requires java in the browser. The bank's IT service team tell me that sure, there are problems with java, but any software can have bugs.

    Mind you, this is the same bank that provides two-token authentication in the form of a credit-card sized, err, card with a number matrix printed on it. Seems they haven't come across photocopiers before...

  6. Larry M · 573 days ago

    Paul wrote: "This release is the last of publicly available JDK 6 Updates. Oracle recommends that users migrate to JDK 7 in order to continue receiving public updates and security enhancements."

    Ummm, Paul, that's the JDK, not the JRE. Only developers are affected by that announcement, not end users.

  7. Stuart · 573 days ago

    The comment about exploits for HTML 5 might be a little premature in the same way that people used to say "Mac's DONT get viruses!" when infact they do, there just wernt enough of them in the business world to warrent a virus programmer to bother with programming the platform. Im not saying HTML5 isnt going to be more secure, just a note to as the popularity increasess so will the exploits. I'm a big fan of removing Java, Also check out the NoScript add-on for FireFox

  8. Mark · 573 days ago

    I am not so sure about JDK/JRE, of course Java doesn't use that terminology, but their regular end-user download site says "After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites." so it appears the public runtimes are going 7-only.

  9. redwolfe_98 · 572 days ago

    another vulnerability in java has been found.. java doesn't check certificates to make sure that they are valid.. consequently, cyber-criminals can use fraudulent certificates to bypass java's security features..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog