Both Oracle and Apple published critical updates for Java on Tuesday, 16 April 2013.
The security-beleaguered Java ecosystem usually gets updates just once every four months, in February, June and October.
But this year, Oracle has adapted that schedule a number of times to deal with the exigencies of modern cybercriminality.
• February’s planned update was brought forward about two weeks, due to in-the-wild exploits against Java’s browser plugin.
• An interim update, curiously and somewhat inaccurately known as out-of-band in patching jargon, appeared in March 2013.
• The latest update, which appeared as announced on 16 April 2013, was slotted into the official cycle in addition to the usual once-every-four-month updates.
You need to update if you are using any of the following now-superseded versions:
The new version numbers you need to look out for are as follows:
As shown above, Oracle’s patch advisory points out that the current update fixes holes in Java 5.0 Update 41, but the official download page offers you only Java 7 or Java 6.
If you are still using Java 5, it’s time to move on.
Apple has copied Oracle, pushing out its updates for those who are still using the Cupertino-issued flavour of Java 6.
A word of warning if you have Apple’s Java installed, and you decide to head over to Apple’s Downloads page instead of updating via the App Store: when I wrote this (2013-04-17T07:00Z), the Java-related download links were somewhat confusing.
Apple’s Top Ten downloads page offered me:
- Java for OS X 2013-003 for Lion and Mountain Lion (OS X 10.7 and 10.8) in the file JavaForOSX2013-003.dmg
- Java for Mac OS X 10.6 Update 15 for the older Snow Leopard release (OS X 10.6) in JavaForMacOSX10.6.Update15.dmg
But when I clicked through to the individual download pages (DL1572 and DL1573), I was offered the older 2013-002 and 10.6 Update 14 versions, which would have left me back on Java 6 1.6.0_43.
Be careful: you need 2013-003 or Update 15 to take you to Java 6 1.6.0_45.
What’s fixed?
This update is strongly recommended by Oracle, and by Naked Security, because it patched 42 different vulnerabilities.
All but three of these 42 security holes are categorised by Oracle as “network vector remote exploit without authentication.”
Each of these means, in theory at least, a drive-by install, where malware is delivered straight into your browser, and starts running on your computer without warning, or even any visible sign.
What’s new?
Oracle has tried to improve the way that the Java 7 browser plugin warns you about potentially risky applets (Java programs that run inside your browser), since malicious applets are the main Java-related threat.
Java applets are sucked directly into your browser from external websites as you surf, and criminally-minded applets were behind recent network compromises at Facebook, Apple and others.
So, Oracle’s new applet warning system uses icons and colour-coding, shown above, to advise you about the risk.
There are numerous combinations, and although Oracle has provided a careful explanation of what to look out for, the security ball remains very much in your court.
The Java logo means an applet is signed by a certificate that was itself signed by a trusted certifier, with a blue shield to confirm that the certificate is valid:
Or the applet might have an expired security certificate:
Or not be signed at all:
Or be signed with a certificate that is self-signed, meaning that the signature is vouched for only by the same person who signed the applet itself:
Logo and shield. Triangle and shield. Shield alone. Triangle alone. Confused yet?
You’re forgiven if you are, because these dialogs end up asking the very questions that you might reasonably expect Java to answer.
Many users will therefore understandably be tempted to rely on the “Do not show this again” option to deal with these alerts.
A better solution, unless you need Java in your browser, and know you need it, is simply to turn it off.
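The four signature states described above (signed by a trusted certifier and valid, expired, unsigned, self-signed) are all properties of the applet's signing certificate. The script below is an added illustration, not Oracle's or Apple's code and not part of the original article: it builds a throwaway demo PKI with the openssl command-line tool (assumed to be installed) and classifies a certificate the same way the dialog does. All names and files are constructed locally; the optional epoch timestamp lets you evaluate validity at a chosen date so the expired case can be shown without waiting.

```shell
#!/bin/sh
# Added illustration (not Oracle's or Apple's code): the certificate states
# behind the Java 7 applet dialogs, reproduced with a throwaway PKI built by
# openssl. Everything under the given directory is constructed locally.

# Build a demo trust anchor, a publisher certificate issued by it, and a
# self-signed publisher certificate, all under directory $1.
make_demo_pki() {
    dir="$1"
    # Trust anchor (the "trusted certifier" in the article's wording).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Demo Trusted Certifier" >/dev/null 2>&1
    # Publisher key and request, then a 30-day certificate issued by the anchor.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=Demo Applet Publisher" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" >/dev/null 2>&1
    # A publisher vouching only for itself: subject and issuer are the same name.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/self.key" -out "$dir/self.pem" \
        -subj "/CN=Demo Self-Signed Publisher" >/dev/null 2>&1
}

# Print the distinguished name after the "subject=" / "issuer=" label.
cert_field() {
    openssl x509 -noout -"$2" -in "$1" | sed 's/^[a-z]*= *//'
}

# Classify an applet's signing certificate into one of:
#   unsigned | self-signed | trusted | expired | untrusted
# $1 = certificate file (may be missing), $2 = trust anchor,
# $3 = optional epoch time at which validity is evaluated.
classify_applet_cert() {
    cert="$1"; anchor="$2"; attime="$3"
    [ -f "$cert" ] || { echo "unsigned"; return 0; }
    if [ "$(cert_field "$cert" subject)" = "$(cert_field "$cert" issuer)" ]; then
        echo "self-signed"; return 0
    fi
    if [ -n "$attime" ]; then
        result=$(openssl verify -attime "$attime" -CAfile "$anchor" "$cert" 2>&1) || true
    else
        result=$(openssl verify -CAfile "$anchor" "$cert" 2>&1) || true
    fi
    case "$result" in
        *expired*) echo "expired" ;;
        *": OK")   echo "trusted" ;;
        *)         echo "untrusted" ;;
    esac
}

# Stand-alone demonstration over the constructed PKI.
WORK=$(mktemp -d)
make_demo_pki "$WORK"
for c in leaf.pem self.pem missing.pem; do
    printf '%-12s %s\n' "$c" "$(classify_applet_cert "$WORK/$c" "$WORK/ca.pem")"
done
# Same publisher certificate, evaluated on 2100-01-01 (epoch 4102444800).
printf '%-12s %s (evaluated in 2100)\n' leaf.pem \
    "$(classify_applet_cert "$WORK/leaf.pem" "$WORK/ca.pem" 4102444800)"
rm -rf "$WORK"
```

The decision order matters: a self-signed certificate is reported as such before any chain check, because "valid chain" is meaningless when the signer vouches only for itself, which is exactly why the dialog flags it separately from a certifier-signed applet. Java's own verification additionally checks the JAR's signature block and revocation status; this script only reproduces the certificate-state classification.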
As long as the various icons are defined and accompanied by the appropriate textual descriptions, I don't find them particularly confusing, although additional differentiation by colour (e.g., yellow on black, white on red) and symbolic content (say, "!", "!!", "!!!", or "1", "2", "3") would help.
Nevertheless, the statement, "… the security ball remains very much in your court" is the appropriate take. It has long been true that responsible use of a computer tied to the Internet requires enough security awareness to recognize that running Java where it's not needed is just asking for trouble.
But I guess that's the problem, isn't it? "Responsible use" is hardly a given among our fellow humanoids, which is why I'm grateful that NakedSecurity is fighting the good fight, and getting the message out.
Lots of people still confuse Java, which they probably don't need, with JavaScript, which they probably do.
So they are reluctant to turn Java off because they think it might turn off JavaScript as well.
Our explanation of how and why they are different is here, in case you need to convince anyone:
http://nakedsecurity.sophos.com/java-is-not-javas…
Under what circumstances might I need Java? I think I turned it off long ago rather than update. Ought I to update and then turn it off? I've forgotten where to go to turn it off. I'm using Snow Leopard.
If you don't use it there is no point in updating it providing it is fully disabled/uninstalled.
How can I determine if Java is fully disabled or uninstalled (that's different from disabled, yes?) on Snow Leopard?
I am not sure it's terribly easy to uninstall it. (Can other readers advise? My tired old Snow Leopard Mac Mini turned into a Linux serverette a few months ago…)
IIRC, Java (the development kit, not just the runtime environment) was part of Snow Leopard and so turns up as part of the OS install.
But you can nobble the plugins that make it work in the browser, which is what you probably want…see the "turn it off" link above to get started.
The only reason you need Java is to run applications that require it. If you had any, you probably would know it. I've had only one, and that was 10 years ago—a project management software application…and it was a dog. I dumped it and ran Microsoft Project in a virtual machine.
What's more likely is that you might use websites that need the Java plugin to run various applications. For me, there's only one of those sites (a banking site). Usually, a site that needs the Java plugin will display the coffee cup icon or some other message if the plugin is missing or disabled.
As far as I know, there's no easy way to remove Java from a Snow Leopard system. The good news is that it won't hurt anything to leave it there, or to keep it updated. It's only there so you can run Java apps, and if you never run any, you have nothing to worry about.
The Java plugin is a different animal. That's something you can disable in your browser preferences. The method for disabling it varies with each browser. (Google it.) In Safari's Preferences for Snow Leopard, the Security tab should already show that Java is disabled (the box is unchecked) if your software is up to date. If not, go ahead and uncheck the box, and that's all there is to it. (Do NOT uncheck the box for JavaScript. You need to leave that enabled for many websites to work properly.)
I went a step further and not only shut java off 2 months ago, I deleted it from my machine and have not missed it at all!
I wish, so many websites I use need java to work properly.
I updated Oracle Java via its System Prefs control panel – but Apple's "Software Update" still asks me to download a Java update. Should I install it too? Does this mean I have two Javas and need to hunt down and get rid of one of them? Thanks!
Apple's Java is tricky to remove. (I recently reinstalled OS X, for reasons I now forget, and used it as an opportunity to live life without Apple's Java, which isn't installed by default any more.)
Oracle's can be removed, and there are instructions on Oracle's site on how to do it:
http://www.java.com/en/download/help/mac_uninstal…
If you don't have Java 7 (try a command prompt and say 'java -version' to find out) then you might have to dig a little further.
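The `java -version` check suggested above, and the article's warning that only 1.6.0_45 (Apple's 2013-003 / Update 15) counts as patched on the Java 6 line, can be combined into a small script. This is an added example, not the article author's or Oracle's code: it parses the version string from a `java -version` transcript and compares it with the required build. The transcripts embedded below are constructed samples with placeholder build strings; the required build for other release lines (such as Java 7) is not listed on this page, so the script reports those separately instead of guessing.

```shell
#!/bin/sh
# Added illustration (not Oracle's, Apple's or the article author's code):
# parse 'java -version' output and compare it with the patched Java 6 build
# named in the article (1.6.0_45). Transcripts below are constructed samples.

MIN_JAVA6="1.6.0_45"

# Pull the quoted version out of a 'java -version' transcript, e.g.
#   java version "1.6.0_43"   ->   1.6.0_43
extract_java_version() {
    printf '%s\n' "$1" | sed -n 's/.*java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Release line (first two components): 1.6.0_45 -> 1.6
release_line() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# Zero-pad the four numeric parts so plain string comparison orders correctly:
#   1.6.0_45 -> 001.006.000.00045
version_key() {
    printf '%s\n' "$1" | tr '_' '.' | awk -F. '{ printf "%03d.%03d.%03d.%05d\n", $1, $2, $3, $4 }'
}

# Exit 0 if $1 is the same build as $2 or newer, 1 if it is older.
version_at_least() {
    have=$(version_key "$1"); need=$(version_key "$2")
    [ "$have" = "$need" ] && return 0
    [ "$(printf '%s\n%s\n' "$have" "$need" | LC_ALL=C sort | head -n 1)" = "$need" ]
}

# Check a transcript against the required build for its release line.
# Exit status: 0 patched, 1 superseded (update needed), 2 no parseable version,
# 3 different release line (it needs its own minimum, which this page does not list).
check_java_output() {
    ver=$(extract_java_version "$1")
    [ -n "$ver" ] || return 2
    [ "$(release_line "$ver")" = "$(release_line "$2")" ] || return 3
    version_at_least "$ver" "$2"
}

# Constructed sample transcripts (build strings are placeholders, not real ones).
OLD_OUTPUT='java version "1.6.0_43"
Java(TM) SE Runtime Environment (build placeholder)
Java HotSpot(TM) 64-Bit Server VM (build placeholder, mixed mode)'
NEW_OUTPUT='java version "1.6.0_45"
Java(TM) SE Runtime Environment (build placeholder)'
NO_JAVA_OUTPUT='No Java runtime present, requesting install.'

# Human-readable verdict for one transcript.
report() {
    rc=0
    check_java_output "$1" "$MIN_JAVA6" || rc=$?
    case "$rc" in
        0) echo "patched ($(extract_java_version "$1"))" ;;
        1) echo "SUPERSEDED: $(extract_java_version "$1") is older than $MIN_JAVA6" ;;
        2) echo "no Java version found in output" ;;
        3) echo "different release line ($(extract_java_version "$1")); check its own minimum" ;;
    esac
}

report "$OLD_OUTPUT"
report "$NEW_OUTPUT"
report "$NO_JAVA_OUTPUT"

# Live check of whatever 'java' is on the PATH (it prints its version on stderr).
if command -v java >/dev/null 2>&1; then
    report "$(java -version 2>&1)"
fi
```

Note that `java -version` writes to standard error, hence the `2>&1`; and that a version string comparison done with plain `sort` would misorder `1.6.0_9` against `1.6.0_45`, which is why the parts are zero-padded first.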
It's good to know that Oracle has come up with critical fixes for Java. I still believe it would be better to disable Java in your browser unless it is absolutely necessary.