Apple gets aggressive – latest OS X Java security update rips out browser support

Keeping track of which Java version you have, and whether it’s the latest and most secure, can be a bit tricky, especially for Apple users.

Oracle, the custodian of Java, patches its products on Tuesdays, like Microsoft and Adobe. But it uses a different Tuesday, and a different set of months for different products. (Most Oracle products are patched quarterly; for Java, it’s three times a year.)

For Your Diary: Oracle Critical Patch Updates

Critical Patch Updates (CPUs) are collections of security fixes, released on the Tuesday closest to the 17th day of the month. For most products, the patches come four times a year:

15 Jan 2013 - 16 Apr 2013 - 16 Jul 2013 - 15 Oct 2013

For Oracle Java SE, the patches come three times a year:

19 Feb 2013 - 18 Jun 2013 - 15 Oct 2013

Fixes deemed too critical to wait for the next CPU are issued ad hoc as Security Alerts.

Once Oracle has patched Java, Apple then sucks the changes into its Java code tree and issues its own updates, but you can never be quite sure how long that’s going to take.

Apple infamously took until April 2012 to push out a patch that had been available to everyone else since February, thus leaving a lengthy window of opportunity for malware authors. The crooks used this window (no pun intended) to build a giant-sized botnet of Macs infected with a Trojan known as OSX/Flshplyr-B.

This month, things have been calmer and more predictable. Oracle updated Java on Tuesday 16 October 2012, as expected; Apple followed suit a day later.

The latest versions are:

Vendor Release Current version
Oracle (all OSes) Java SE 7 1.7.0_09-b05
Apple (OS X only) Java SE 6 1.6.0_37-b06

For some time, Naked Security’s advice has been to get rid of Java altogether if you don’t need it, or to ban it from your browser if you use Java only for running pre-installed applications.

Keeping Java out of your browser removes the risk of hostile applets – special stripped-down Java programs embedded into web pages.

It seems as though Apple has been listening.

First, it stopped shipping OS X with Java pre-installed when OS X Lion (10.7) came out. Lion and Mountain Lion (10.8) include a program stub (/usr/bin/java) that offers to fetch and install Java if ever you try to use it, but it’s not installed by default.

Then, Apple issued an update that would tell your browser to turn off Java if you hadn’t used it for a while, thus reducing your needless exposure to hostile Java code on the web.

And in its latest security update, Apple has been even more aggressive.

Cupertino’s coders not only bumped up their Java version to Oracle’s latest release of Java SE 6 (1.6.0_37), but also ripped out the browser plugin component entirely.

So, after you apply the latest OS X Java update – which you only need if you have already chosen to install Java – you will no longer be able to run applets in your browser

That may sound like a bug, but for most users, it’s a feature. You’ll soon find out if you really need Java in your browser, because Apple adds a placeholder plugin that fills any applet window with a “Missing Plug-in” warning and a download button.

You can then choose whether to install the missing plugin or to learn to live without it.

The only downside is that to acquire the needed applet plugin, you have to install Oracle’s Java runtime in parallel with Apple’s Java.

This leaves you with twice as much Java on your Mac: Apple’s latest version of Java SE 6, and Oracle’s latest version of Java SE 7. (You can’t get an Oracle Java runtime to match the Apple one – Oracle doesn’t build a 1.6.0-flavoured Java for OS X because that’s seen as Apple’s job.)

The question you’ll want answered now is, “Should I get the updates right away, or wait?” (Don’t forget that if you’re an OS X user, you may need to update from both Apple and Oracle.)

I suggest that you shouldn’t wait.

These latest Java updates fix 30 security holes in total; all the holes but one potentially allow remote code execution; and 23 of them are categorised as having what Oracle calls an access complexity of “low”. The lower the access complexity, the more likely it is that a working exploit can be found and used.

Oracle has published a detailed Risk Matrix, if you aren’t convinced to update already.

For further information, here are some useful links, both general and specific:

• Apple security notification: General landing page (HT1222)

• Apple security notification: Java fixes for October 2012 (HT5549)

• Oracle CPUs and security alerts: General landing page

• Oracle Java SE release notes: General landing page

• Oracle Java SE release notes: 1.6.0_37-b06 (Apple’s Oct 2012 version)

• Oracle Java SE release notes: 1.7.0_09-b05 (Oracle’s Oct 2012 version)

• Oracle Java SE risk matrix: October 2012 Critical Patch Update

Hope this helps.