Oracle updates Java, supports OS X, claims full and timely updates for Apple users

Apple and Java have had an on-again, off-again relationship for a while now.

Back in the mists of time – actually, just under three years ago, when OS X 10.6 appeared – Macs came with Java as part of the OS X distribution.

And not just the JRE – the Runtime Environment you need to run other people’s Java programs on your computer – but the three-times-the-size, all-singing, all-dancing JDK. That’s the Development Kit – the JRE plus the stuff you need to build your own Java software.

Whenever Sun (now Oracle) announced an update to Java – whether for features, security patches or both – most users could head over to the download motherlode on the Sun-now-Oracle site and grab the latest and greatest JRE or JDK.

But not Mac users.

Java updates for OS X were effectively contracted out to Apple, and delivered only via Apple’s own Software Update service.

And Apple’s updates generally came out later than Oracle’s – famously, in April 2012, too late to save Mac users from a drive-by assault by the Flashplayer malware.

More than 600,000 Macs were reportedly infected, thanks to a Java security hole, before Apple cranked out a patch that had been available since February to everyone else.

By OS X 10.7, better known as Lion, Apple had kicked Java out of the default operating system distribution, but that was cold comfort to Java-using Lion users confronted with OSX/FlshPlyr-B.

They’d installed Java as an official add-on from Apple, so they’d understandably assumed that Apple would offer timely patches, given the known risks of unpatched Java installs.

In fact, if you ever try to run Java on Lion, OS X cheerfully reminds you that you don’t have it, and helpfully offers to grab it for you automatically.

Today, at least as far as Java installs go, it seems we’ve come full circle.

Java for OS X is now being published directly by Oracle, and patches are promised for OS X at the same time that they come out on Windows.

[Update: In its own words, Oracle’s OS X installer, named Java 7 Update 06.pkg, “is supported only on OS X Lion (10.7.3)”.]

Confused? Don’t be. (If you are, that’s my fault, and I apologise. This was, however, a voyage I felt deserved recounting in some detail.)

Here’s what I suggest for OS X users:

1. Work out if you really need Java at all. If you don't, consider removing or at least disabling it. (You can find some suggestions - admittedly untested - in the comments on how to do this.) In this case, your journey ends here.

2. If you aren't sure, remove or disable Java and see how you go for a week or so. If your browsing experience is undiminished, and all the applications you use still work fine, your journey ends here.

3. If you are a Lion user, and have Apple's Java installed, consider replacing it with the new Oracle version. Don't forget that this means you won't get Java updates via your Mac's Software Update. Use Oracle's updates instead. (They can be set to automatic.)

4. After three or four weeks, GOTO 1.

For the record, the latest Java version from Oracle is 7u6, also known as 1.7.0_6. If you don’t intend to develop Java programs yourself, stick to the JRE. It’s much smaller than the JDK, which reduces what’s known in trendy-speak as your attack surface area. That’s always a good thing.

This new Java version includes a longish list of bugfixes. These include: a few ominous-sounding ones with more than a whiff of vulnerability about them, such as 7166498 – JVM crash in ClassVerifier; the risky-sounding 7155051 – DNS provider may return incorrect results; and the intriguingly sticky-sounding 7178177 – Debug spewage when applets start up.

With that in mind, I suggest you update as soon as practicable.
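To see where a given Mac stands against the 7u6 baseline mentioned above, here is an added example that is not part of the original article: it parses the banner printed by `java -version`, treats 1.7.0_06 and 1.7.0_6 as the same release, and reports whether the install is at or above 7u6. The function names and the sample banners are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): classify a `java -version` banner
# against the article's baseline, 7u6 (1.7.0_6). Sample banners are constructed.
BASELINE_FAMILY=7
BASELINE_UPDATE=6

# Pull the quoted version string (e.g. 1.7.0_06) out of the banner text.
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Convert 1.<family>.<x>_<update> to "<family> <update>"; return 1 if unparseable.
java_family_update() {
    ver=${1%%-*}                          # drop build suffixes such as "-ea"
    case $ver in
        *_*) base=${ver%%_*}; upd=${ver#*_} ;;
        *)   base=$ver; upd=0 ;;          # no "_NN" means update 0
    esac
    rest=${base#1.}
    [ "$rest" != "$base" ] || return 1    # expect the 1.x.y scheme
    family=${rest%%.*}
    # 1.7.0_06 and 1.7.0_6 are the same release: strip leading zeros so the
    # result prints as 7u6 and is never mistaken for octal in shell arithmetic.
    upd=$(printf '%s\n' "$upd" | sed 's/^0*//'); upd=${upd:-0}
    case $family in ''|*[!0-9]*) return 1 ;; esac
    case $upd in *[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$family" "$upd"
}

# Print "current (NuM)", "outdated (NuM)" or "unknown"; status 0 only if current.
java_patch_status() {
    fu=$(java_family_update "$(java_version_from_banner "$1")") || { echo unknown; return 2; }
    set -- $fu
    if [ "$1" -gt "$BASELINE_FAMILY" ] ||
       { [ "$1" -eq "$BASELINE_FAMILY" ] && [ "$2" -ge "$BASELINE_UPDATE" ]; }; then
        echo "current (${1}u${2})"; return 0
    fi
    echo "outdated (${1}u${2})"; return 1
}

# Constructed banners; on a real Mac use: java_patch_status "$(java -version 2>&1)"
for banner in 'java version "1.6.0_33"' 'java version "1.7.0_04"' \
              'java version "1.7.0_06"' 'sh: java: command not found'; do
    printf '%-32s -> %s\n' "$banner" "$(java_patch_status "$banner")"
done
```

`java -version` writes its banner to standard error, hence the `2>&1` in the usage comment.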