Oracle and Apple ship critical Java updates - get yours today!


Both Oracle and Apple published critical updates for Java on Tuesday, 16 April 2013.

The security-beleaguered Java ecosystem usually gets updates just once every four months, in February, June and October.

But this year, Oracle has adapted that schedule a number of times to deal with the exigencies of modern cybercriminality.

• February's planned update was brought forward about two weeks, due to in-the-wild exploits against Java's browser plugin.

• An interim update, curiously and somewhat inaccurately known as out-of-band in patching jargon, appeared in March 2013.

• The latest update, which appeared as announced on 16 April 2013, was slotted into the official cycle in addition to the usual once-every-four-month updates.

You need to update if you are using any of the following now-superseded versions:

The new version numbers you need to look out for are as follows:

As shown above, Oracle's patch advisory points out that the current update fixes holes in Java 5.0 Update 41, but the official download page offers you only Java 7 or Java 6.

If you are still using Java 5, it's time to move on.

Apple has copied Oracle, pushing out its updates for those who are still using the Cupertino-issued flavour of Java 6.

A word of warning if you have Apple's Java installed, and you decide to head over to Apple's Downloads page instead of updating via the App Store: when I wrote this (2013-04-17T07:00Z), the Java-related download links were somewhat confusing.

Apple's Top Ten downloads page offered me:

But when I clicked through to the individual download pages (DL1572 and DL1573), I was offered the older 2013-002 and 10.6 Update 14 versions, which would have left me back on Java 6 1.6.0_43.

Be careful: you need 2013-003 or Update 15 to take you to Java 6 1.6.0_45.

What's fixed?

This update is strongly recommended by Oracle, and by Naked Security, because it patches 42 different vulnerabilities.

All but three of these 42 security holes are categorised by Oracle as "network vector remote exploit without authentication."

Each of those holes could, in theory at least, be used for a drive-by install, where malware is delivered straight into your browser and starts running on your computer without warning, or even any visible sign.

What's new?

Oracle has tried to improve the way that the Java 7 browser plugin warns you about potentially risky applets (Java programs that run inside your browser), since malicious applets are the main Java-related threat.

Java applets are sucked directly into your browser from external websites as you surf, and criminally-minded applets were behind recent network compromises at Facebook, Apple and others.

So, Oracle's new applet warning system uses icons and colour-coding, shown above, to advise you about the risk.

There are numerous combinations, and although Oracle has provided a careful explanation of what to look out for, the security ball remains very much in your court.

The Java logo means an applet is signed by a certificate that was itself signed by a trusted certifier, with a blue shield to confirm that the certificate is valid:

Or the applet might have an expired security certificate:

Or not be signed at all:

Or be signed with a certificate that is self-signed, meaning that the signature is vouched for only by the same person who signed the applet itself:

Logo and shield. Triangle and shield. Shield alone. Triangle alone. Confused yet?

You're forgiven if you are, because these dialogs end up asking the very questions that you might reasonably expect Java to answer.

Many users will therefore understandably be tempted to rely on the "Do not show this again" option to deal with these alerts.

A better solution, unless you need Java in your browser, and know you need it, is simply to turn it off.


12 Responses to Oracle and Apple ship critical Java updates - get yours today!

  1. Nigel · 906 days ago

    As long as the various icons are defined and accompanied by the appropriate textual descriptions, I don't find them particularly confusing, although additional differentiation by colour (e.g., yellow on black, white on red) and symbolic content (say, "!", "!!", "!!!", or "1", "2", "3") would help.

    Nevertheless, the statement, "... the security ball remains very much in your court" is the appropriate take. It has long been true that responsible use of a computer tied to the Internet requires enough security awareness to recognize that running Java where it's not needed is just asking for trouble.

    But I guess that's the problem, isn't it? "Responsible use" is hardly a given among our fellow humanoids, which is why I'm grateful that NakedSecurity is fighting the good fight, and getting the message out.

    • Paul Ducklin · 904 days ago

      Lots of people still confuse Java, which they probably don't need, with JavaScript, which they probably do.

      So they are reluctant to turn Java off because they think it might turn off JavaScript as well.

      Our explanation of how and why they are different is here, in case you need to convince anyone:

  2. Flame · 906 days ago

    Under what circumstances might I need Java? I think I turned it off long ago rather than update. Ought I to update and then turn it off? I've forgotten where to go to turn it off. I'm using Snow Leopard.

    • Jeremy · 905 days ago

      If you don't use it there is no point in updating it providing it is fully disabled/uninstalled.

      • Flame · 905 days ago

        How can I determine if Java is fully disabled or uninstalled (that's different from disabled, yes?) on Snow Leopard?

        • Paul Ducklin · 904 days ago

          I am not sure it's terribly easy to uninstall it. (Can other readers advise? My tired old Snow Leopard Mac Mini turned into a Linux serverette a few months ago...)

          IIRC, Java (the development kit, not just the runtime environment) was part of Snow Leopard and so turns up as part of the OS install.

          But you can nobble the plugins that make it work in the browser, which is what you probably want...see the "turn it off" link above to get started.

        • Nigel · 904 days ago

          The only reason you need Java is to run applications that require it. If you had any, you probably would know it. I've had only one, and that was 10 years ago---a project management software application...and it was a dog. I dumped it and ran Microsoft Project in a virtual machine.

          What's more likely is that you might use websites that need the Java plugin to run various applications. For me, there's only one of those sites (a banking site). Usually, a site that needs the Java plugin will display the coffee cup icon or some other message if the plugin is missing or disabled.

          As far as I know, there's no easy way to remove Java from a Snow Leopard system. The good news is that it won't hurt anything to leave it there, or to keep it updated. It's only there so you can run Java apps, and if you never run any, you have nothing to worry about.

          The Java plugin is a different animal. That's something you can disable in your browser preferences. The method for disabling it varies with each browser. (Google it.) In Safari's Preferences for Snow Leopard, the Security tab should already show that Java is disabled (the box is unchecked) if your software is up to date. If not, go ahead and uncheck the box, and that's all there is to it. (Do NOT uncheck the box for JavaScript. You need to leave that enabled for many websites to work properly.)

  3. Beatlefan · 905 days ago

    I went a step further and not only shut Java off 2 months ago, I deleted it from my machine and have not missed it at all!

    • Jeremy · 905 days ago

      I wish; so many websites I use need Java to work properly.

  4. Chad · 905 days ago

    I updated Oracle Java via its System Prefs control panel - but Apple's "Software Update" still asks me to download a Java update. Should I install it too? Does this mean I have two Javas and need to hunt down and get rid of one of them? Thanks!

    • Paul Ducklin · 904 days ago

      Apple's Java is tricky to remove. (I recently reinstalled OS X, for reasons I now forget, and used it as an opportunity to live life without Apple's Java, which isn't installed by default any more.)

      Oracle's can be removed, and there are instructions on Oracle's site on how to do it:

      If you don't have Java 7 (try a command prompt and say 'java -version' to find out) then you might have to dig a little further.
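As an added check, not taken from the article or its comments: a small POSIX shell helper that parses the first line of `java -version` (which goes to stderr, not stdout) and reports whether an installed Java 6 is at or above the 1.6.0_45 level the article names. The function names are my own, and the sample output lines are constructed for offline testing.

```shell
# Constructed samples of the first line printed by `java -version`.
SAMPLE_OLD='java version "1.6.0_43"'   # superseded build named in the article
SAMPLE_NEW='java version "1.6.0_45"'   # patched Java 6 build named in the article

# Pull the quoted version string (e.g. 1.6.0_43) out of a `java -version` first line.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Turn major.minor.micro_update into one sortable integer, e.g. 1.6.0_45 -> 1006000045.
# Assumption: each field fits in three digits (true of the 1.x numbering scheme).
java_version_key() {
    printf '%s\n' "$1" | awk -F'[._]' '{ printf "%d%03d%03d%03d\n", $1, $2, $3, ($4 == "" ? 0 : $4) }'
}

# Compare an installed version line against a minimum for its release family.
# Prints: not-found (no version in the line), other-family (e.g. Java 7 checked
# against a Java 6 minimum, so a different minimum applies), update, or ok.
java_update_status() {
    inst=$(java_version_string "$1")
    min="$2"
    [ -z "$inst" ] && { echo not-found; return 0; }
    inst_fam=$(printf '%s\n' "$inst" | cut -d. -f1,2)
    min_fam=$(printf '%s\n' "$min" | cut -d. -f1,2)
    if [ "$inst_fam" != "$min_fam" ]; then
        echo other-family
    elif [ "$(java_version_key "$inst")" -ge "$(java_version_key "$min")" ]; then
        echo ok
    else
        echo update
    fi
}

# Check the JVM actually on this host; `2>&1` is needed because the banner is on stderr.
check_installed_java() {
    first_line=$(java -version 2>&1 | head -n 1)
    java_update_status "$first_line" "$1"
}
```

Running `check_installed_java 1.6.0_45` on a Mac still on Apple's Java 6 prints `update` until the 2013-003 / Update 15 build is installed.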

  5. Seth · 879 days ago

    It's good to know that Oracle has come up with critical fixes for Java. I still believe it would be better to disable Java on your browser unless it is absolutely necessary.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog