Oracle and Apple update Java - zapping browser Java would already have blocked 92.5% of the risk

Filed Under: Apple, Featured, Oracle, Vulnerability

As promised by pre-announcement last week, Oracle shipped its latest Critical Patch Update for Java on Tuesday 18 June 2013.

The officially-patched Java versions are 5, 6, and 7, also (if confusingly) known as 1.5, 1.6 and 1.7, which get bumped-up point release numbers as follows:

Vulnerable up to Also known as Fixed by
Java 7 Update 21 1.7.0_21 Update 25
Java 6 Update 45 1.6.0_45 Update 51
Java 5.0 Update 45 1.5.0_45 Update 51

You can find a giant table of what was fixed in exactly which version by visiting Oracle's Critical Patch Update Advisory and scrolling down to the handy, if mildly alarming-looking, Risk Matrix:

Apple, which offers its own builds of Java, updated at the same time.

Users of OS X 10.6.8 (Snow Leopard), Apple's oldest supported version, have a full Java Development Kit included as part of the operating system distribution, and need to grab the download called Java for Mac OS X 10.6 Update 16.

For Lion (OS X 10.7) and Mountain Lion (OS X 10.8), Apple's Java is an optional download that can be installed as well, or instead of, Oracle's version; users should head for the Java for OS X 2013-004 download.

If you're an Apple user who isn't sure whether you have Java installed or not, you can open a Terminal window and run the command java -version.

You will see your current version number displayed if you have a working Java; if not, you will see an OS X dialog offering to fetch it for you.

(If you don't have it, and didn't know, you obviously didn't miss it much. I recommend you leave it uninstalled.)

If you are interested in knowing what sort of vulnerabilities were fixed this time round, you will find a high-level overview on Oracle's Software Security Assurance Blog.

For more detail, head back to the Critical Patch Update Advisory and scroll down to the Notes below the Risk Matrix.

Take special note of the vulnerabilities annotated See Note 1 and See Note 2, which account for 37 of the 40 documented security fixes.

These are vulnerabilities that are exploitable by (indeed, according to Oracle, can only be exploited by) sandboxed Java applets, which run inside your browser.

In other words, with Java off in your browser, you'd proactively be shielded against the vast majority of the risk to which the now-patched versions of Java expose you.

Still not convinced that it's a good idea to get rid of browser-based Java?

, , , , , , , ,

You might like

15 Responses to Oracle and Apple update Java - zapping browser Java would already have blocked 92.5% of the risk

  1. S. Guidry · 407 days ago

    I'm totally unknowledgeable in this subject but I thought computers had to have java??? I play games, watch videos, etc. don't I HAVE to have java to do this?

    • Paul Ducklin · 407 days ago

      Very few games these days need Java. Videos don't generally rely on Java. (YouTube doesn't, and never has, for example.)

      You may be confusing Java with JavaScript. The latter isn't a variant of Java - it's just that when JavaScript it was invented, Java was the bees' knees, so it ended up with the characters "Java" in its name. Similar, I suppose, to the way that many Coca-Cola competitors end up called Something Cola.

      See:
      http://nakedsecurity.sophos.com/2013/01/16/java-i...

      • Jeremy · 407 days ago

        I have seen the odd game on pogo games using java and videos too. I should use a separate browser but instead I play it a little more risky and turn the security level up and make java only work when I approve java for the page. + Always update it when a patch comes out.

    • Akboss · 407 days ago

      Nope.
      I removed Java from all but 1 of my computers. That one runs several applications that are Java based.

      If something needs Java I use Chrome as it has it built into the browser.

      • Mark · 405 days ago

        The Java applications you use are not likely to need to use the browser plugin to which this issue refers (unless you mean "applets" - applications that run in the browser).

        You can have the Java Runtime on your desktop for running Java applications without having the Java plugin used for running applets in the browser. This security issues only relate to the plugin running in the browser.

        Also, Chrome does not have Java built into the browser as you say. It can't. (Don't confuse Java with JavaScript - they are totally different things). The Java technology and the Chrome browser technology are owned by two different companies who supply their software separately. Chrome can only utilise Java via a plugin. That is not to say both companies don't work together to make it easier for users to use both technologies together.

  2. I play Pogo games and it always tells me to update my Java......is this the same?

    • Paul Ducklin · 407 days ago

      I just tried Pogo games (mentioned above by @Jeremy)...I clicked through to one of the puzzle games and after bombarding me with "work from home" ads for 15 seconds or so during an animated countdown, the website decided I needed Flash to continue.

      So I'll assume that the site needs a mixture of Flash *and* Java...

      If you want to use the Pogo site, it seems you will have to enable both Flash and Java in your browser, depending on which games you want to play. Is if worth the security risk?

      I can't answer that. For me, it's not. I like puzzles, and there are plenty of puzzle sites than need neither Java nor Flash. (Naked Security crosswords, for example, are done using JavaScript only.)

    • Best bet for playing Pogo is to uninstall Java from your computer. Then install the latest Java version. Then when you go to Pogo to play a game that uses Java, it will probably prompt you to update plug-in or ActiveX (click ok). I believe the risk on Pogo is far less than other sites. I haven't played on Pogo in quite some time, but I keep other family computers up to date, so they can play.

  3. Whatever.Fischer · 407 days ago

    Yeah I removed Java ages ago.

  4. Veemp · 407 days ago

    Some of us can't remove Java. I use a configuration management application whose update installers require Java. But now that it's off by default in OS X, it's not a big deal to launch the Java Preferences utility, enable Java, run the installer, and then disable Java. And I've disabled the browser plug-in, so there's really no problem. I just install the updates when they come around, and enable Java only when I need it. No biggie.

  5. Paula Howard · 407 days ago

    I currently have Java deactivated on my Dell Netbook. I honestly only use my netbook for facebook, searching for books on BN, looking for reading levels for school library books on the Renaissance Learning site and checking e-mail. Is it safe for me to simply delete it from my netbook?

    • Paul Ducklin · 406 days ago

      Uninstall Java and see what happens. If nothing happens, you just saved yourself from needless security exposure. If it turns out you do need Java, then you can always reinstall it. (That way, you'll also get a clean install of the latest download.)

  6. Keith · 406 days ago

    Paul, you indicate Java 6 fixed by update 51 but looking at Java's site they indicate no further public updates after u45...

    'Java SE 6 End of Public Updates
    Oracle no longer posts updates of Java SE 6 to its public download sites. All Java 6 releases up to and including 6u45 have been moved to the Java Archive on the Oracle Technology Network, where they will remain available but not receive further updates. Oracle recommends that users migrate to Java 7 in order to continue receiving public updates and security enhancements.'

  7. MikeP · 406 days ago

    I tried uninstalling Java but so many web-based applications didn't work! Even some updating services rely on Java, and I mean real Java and not Javascript!
    So I found Java is essential though I have tried to set the FF browser security settings as moderately high as I can commensurate with what I need to do.
    I don't like Chrome so won't use it and there are still stories of information being collected 'on the quiet', though I don't know how valid they are. Just another worry we can do without.
    I don't use IE at all because of security risks but you can't uninstall it from a Windows system so we're stuck with it being present. And you have to have it available to run MS Updates! That won't run in FF at all unless you use something like IE Tab which uses the engine in IE. Or you stay 'at risk' by not updating Windows!

  8. Rich · 406 days ago

    Looking at my Safari Preferences, after Web content, I only have "Enable JavaScript" and "Block pop-up windows." I am wondering about for Internet plug-ins? I have "Allow Java" and "Allow all other plug-ins" checked. Do I need to uncheck the "Allow Java plug-ins"?

    TIA

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog