Oracle ships out-of-band Java fix, Apple follows suit

Want a big surprise?

Oracle recently published an emergency update for Java, and Apple quickly followed suit for the version of Java it still officially supports.

Want another surprise?

The fix was brought forward from Oracle’s regularly scheduled patch release (the next one is on 16 April 2013) because of its critical importance.

Just like last time, when Oracle pre-empted its official 19 February 2013 update with an emergency fix at the start of the month.

In fact, the vulnerabilities here were ones that Oracle knew about at the start of February but wasn’t able to patch in time for either the start-of-February emergency update or the official mid-month release:

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE.

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

Oracle certainly seems to be learning the hard way that its old-school patch regimen for Java, just once every four months, doesn’t cut the mustard any more.

As you see above, even the April release wasn’t originally planned, but was squeezed in between the February and June releases, presumably because June suddenly seemed so far away when February’s in-the-wild exploits struck.

Microsoft, as we all know, has a monthly scheduled updating process, the well-known Patch Tuesday; Adobe goes quarterly; and so, for that matter, does Oracle for every product other than Java.

So, if you’re a wagering type, you might want to bet that Oracle adopts an every-two-months patch cycle for Java on a permanent basis.

Alternatively, bet that Oracle turns its official four-monthly patch cycle into a vehicle for delivering new features and otherwise routine stuff only, and takes to a rolling release system for critical security updates.

In this case, once Oracle had moved to publish its out-of-band patch, Apple was quick to follow.

Apple no longer installs Java by default in OS X. Instead, you get a set of executable stubs so that if you try to run something that needs Java, you are presented with a popup asking you if you want to install it.

One thing to bear in mind if you do have Apple’s Java installed is that it’s still Java version 6.

And Oracle rather bluntly announced, in this latest security update:

This release is the last of publicly available JDK 6 Updates. Oracle recommends that users migrate to JDK 7 in order to continue receiving public updates and security enhancements.

Sadly, I can’t tell you how to remove Apple’s flavour of Java after you’ve installed it.

(I got rid of it as a handy side-effect of reinstalling OS X 10.8, though that might be further than you’re willing to go to achieve that result.)

An official Java uninstaller sanctioned by Apple for those who want to remove it cleanly, or to switch unequivocally to Oracle’s Java 7 build, would be a jolly good idea.

As I’m sure all regular Naked Security readers know, our advice has long been to get rid of Java from your browser if you don’t need it.

We still think that’s a good idea.

Corporate users don’t always agree, especially if they have legacy web applications that rely on Java applets served up from outside their network.

But instead of kicking back at Naked Security for suggesting an end to Java in the browser, why not take the fight to the software vendors who won’t give you an alternative?

How about suggesting to software vendors who are still stuck back in the Java-is-for-active-content era that they fast-forward to the brave new world of JavaScript and HTML5?

The HTML5 world, in which web coders can do pretty much everything in your browser that they ever dreamed of doing in Java and more besides, hasn’t been anywhere near as plagued by exploits.

Worth thinking about!

NB. This patch bumps the current Java version numbers to Java 7 Update 17 and Java 6 Update 43.
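If you want to check whether the Java on a machine is at or beyond the fixed levels mentioned above (Java 7 Update 17 or Java 6 Update 43), the version string is enough to tell you. The script below is an added example written for this page, not code from Oracle, Apple or Naked Security. It assumes the version string has the usual `1.<family>.0_<update>` shape printed by `java -version`, and the banner lines it checks are constructed samples, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether a Java runtime
# is at or above the release that fixed CVE-2013-1493, i.e.
#   Java 7 Update 17  (version string 1.7.0_17)
#   Java 6 Update 43  (version string 1.6.0_43)
# Only the Java 6 and Java 7 families discussed in the article are evaluated;
# anything else is reported as "not known to be patched" (return 1).

# Usage: java_patched_for_cve_2013_1493 "1.7.0_17"   -> exit status 0 (patched)
#        java_patched_for_cve_2013_1493 "1.7.0_15"   -> exit status 1 (unpatched)
java_patched_for_cve_2013_1493() {
    ver="$1"
    # Second dotted component is the family: 1.6.x -> 6, 1.7.x -> 7
    family=$(printf '%s' "$ver" | cut -d. -f2)
    # Update number follows the underscore; missing underscore means update 0
    update=$(printf '%s' "$ver" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*_\([0-9]*\).*/\1/p')
    [ -z "$update" ] && update=0
    case "$family" in
        7) [ "$update" -ge 17 ] ;;
        6) [ "$update" -ge 43 ] ;;
        *) return 1 ;;
    esac
}

# Extract the quoted version from the first line of a `java -version` banner,
# e.g.  java version "1.6.0_43"  ->  1.6.0_43
# Note that `java -version` writes to stderr, so on a real machine you would
# feed it:  version_from_banner "$(java -version 2>&1 | head -n 1)"
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Print a verdict for one banner line; returns the patch status as exit code.
report() {
    v=$(version_from_banner "$1")
    if java_patched_for_cve_2013_1493 "$v"; then
        echo "$v: patched"
    else
        echo "$v: NOT patched (or not a Java 6/7 build)"
        return 1
    fi
}

# Constructed sample banner lines (not captured from a real system):
report 'java version "1.7.0_17"'   || true   # Oracle Java 7, fixed level
report 'java version "1.7.0_15"'   || true   # Oracle Java 7, one update short
report 'java version "1.6.0_43"'   || true   # Apple's Java 6, fixed level
report 'java version "1.6.0_41"'   || true   # Apple's Java 6, unpatched
```

On a Mac with Apple's Java 6 still installed, `/usr/bin/java -version` is what the stub launcher runs, so the banner it prints is the one to feed into `version_from_banner`.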