Both Oracle and Apple published critical updates for Java on Tuesday, 16 April 2013.
The security-beleaguered Java ecosystem usually gets updates just once every four months, in February, June and October.
But this year, Oracle has adapted that schedule a number of times to deal with the exigencies of modern cybercriminality.
• February’s planned update was brought forward about two weeks, due to in-the-wild exploits against Java’s browser plugin.
• An interim update, curiously and somewhat inaccurately known as out-of-band in patching jargon, appeared in March 2013.
• The latest update, which appeared as announced on 16 April 2013, was slotted into the official cycle in addition to the usual once-every-four-month updates.
You need to update if you are using any of the following now-superseded versions:
The new version numbers you need to look out for are as follows:
If you are still using Java 5, it’s time to move on.
Apple has copied Oracle, pushing out its updates for those who are still using the Cupertino-issued flavour of Java 6.
A word of warning if you have Apple’s Java installed, and you decide to head over to Apple’s Downloads page instead of updating via the App Store: when I wrote this (2013-04-17T07:00Z), the Java-related download links were somewhat confusing.
Apple’s Top Ten downloads page offered me:
- Java for OS X 2013-003 for Lion and Mountain Lion (OS X 10.7 and 10.8) in the file JavaForOSX2013-003.dmg
- Java for Mac OS X 10.6 Update 15 for the older Snow Leopard release (OS X 10.6) in JavaForMacOSX10.6.Update15.dmg
But when I clicked through to the individual download pages (DL1572 and DL1573), I was offered the older 2013-002 and 10.6 Update 14 versions, which would have left me back on Java 6 1.6.0_43.
Be careful: you need 2013-003 or Update 15 to take you to Java 6 1.6.0_45.
This update is strongly recommended by Oracle, and by Naked Security, because it patched 42 different vulnerabilities.
All but three of these 42 security holes are categorised by Oracle as “network vector remote exploit without authentication.”
Each of these means, in theory at least, a drive-by install, where malware is delivered straight into your browser, and starts running on your computer without warning, or even any visible sign.
Oracle has tried to improve the way that the Java 7 browser plugin warns you about potentially risky applets (Java programs than run inside your browser), since malicious applets are the main Java-related threat.
So, Oracle’s new applet warning system uses icons and colour-coding, shown above, to advise you about the risk.
There are numerous combinations, and although Oracle has provided a careful explanation of what to look out for, the security ball remains very much in your court.
The Java logo means an applet is signed by a certificate that was itself signed by a trusted certifier, with a blue shield to confirm that the certificate is valid:
Or the applet might have an expired security certificate:
Or not be signed at all:
Or be signed with a certificate that is self-signed, meaning that the signature is vouched for only by the same person who signed the applet itself:
Logo and shield. Triangle and shield. Shield alone. Triangle alone. Confused yet?
You’re forgiven if you are, because these dialogs end up asking the very questions that you might reasonably expect Java to answer.
Many users will therefore understandably be tempted to rely on the “Do not show this again” option to deal with these alerts.
A better solution, unless you need Java in your browser, and know you need it, is simply to turn it off.