Oracle and Apple update Java – zapping browser Java would already have blocked 92.5% of the risk

As promised by pre-announcement last week, Oracle shipped its latest Critical Patch Update for Java on Tuesday 18 June 2013.

The officially-patched Java versions are 5, 6, and 7, also (if confusingly) known as 1.5, 1.6 and 1.7, which get bumped-up point release numbers as follows:

Vulnerable up to        Also known as   Fixed by
Java 7 Update 21        1.7.0_21        Update 25
Java 6 Update 45        1.6.0_45        Update 51
Java 5.0 Update 45      1.5.0_45        Update 51

You can find a giant table of what was fixed in exactly which version by visiting Oracle’s Critical Patch Update Advisory and scrolling down to the handy, if mildly alarming-looking, Risk Matrix.

Apple, which offers its own builds of Java, updated at the same time.

Users of OS X 10.6.8 (Snow Leopard), Apple’s oldest supported version, have a full Java Development Kit included as part of the operating system distribution, and need to grab the download called Java for Mac OS X 10.6 Update 16.

For Lion (OS X 10.7) and Mountain Lion (OS X 10.8), Apple’s Java is an optional download that can be installed as well as, or instead of, Oracle’s version; users should head for the Java for OS X 2013-004 download.

If you’re an Apple user who isn’t sure whether you have Java installed or not, you can open a Terminal window and run the command java -version.

You will see your current version number displayed if you have a working Java; if not, you will see an OS X dialog offering to fetch it for you.

(If you don’t have it, and didn’t know, you obviously didn’t miss it much. I recommend you leave it uninstalled.)
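As an added example (this is not code from the article or from Oracle or Apple), here is a small POSIX shell script that takes the output of java -version, pulls out the reported release, and compares it against the fixed update levels in the table above (Java 7 Update 25, Java 6 and 5.0 Update 51). It assumes the output begins with a line of the form java version "1.7.0_21", which is what the Oracle and Apple builds print; the transcripts at the bottom are constructed samples, not real captured output. The script deliberately does not run java itself, because on a Mac without Java that would pop up the install dialog described above; the live invocation is shown in a comment.

```shell
#!/bin/sh
# Added example, not code from the original article. Decide whether the
# release reported by `java -version` is at or above the June 2013 fix
# level from the article's table:
#   Java 7 -> Update 25, Java 6 -> Update 51, Java 5.0 -> Update 51.

# Pull the quoted release out of a `java -version` transcript, e.g.
#   java version "1.7.0_21"
# Assumption: Oracle/Apple builds print exactly "java version" on line 1.
# Note that java writes this to stderr, so a live call looks like:
#   java -version 2>&1 | java_version_from_output
java_version_from_output() {
    sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# java_is_patched 1.7.0_21
# Exit status 0 if the release is at or above the fix level,
# 1 if it is still vulnerable, 2 if it is not a Java 5/6/7 string.
java_is_patched() {
    ver="$1"
    # "1.7.0_21" -> family "7", update "21" (missing update means 0)
    family=$(printf '%s\n' "$ver" | cut -d. -f2)
    update=$(printf '%s\n' "$ver" | sed -n 's/.*_\([0-9][0-9]*\).*/\1/p')
    [ -n "$update" ] || update=0
    case "$family" in
        7) fixed=25 ;;
        6) fixed=51 ;;
        5) fixed=51 ;;
        *) return 2 ;;
    esac
    [ "$update" -ge "$fixed" ]
}

# Verdict for a whole transcript: prints patched, vulnerable, unknown
# (a release family the table does not cover) or no-java.
java_verdict() {
    ver=$(printf '%s\n' "$1" | java_version_from_output)
    if [ -z "$ver" ]; then
        echo no-java
        return 0
    fi
    rc=0
    java_is_patched "$ver" || rc=$?
    case "$rc" in
        0) echo patched ;;
        1) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Constructed sample transcripts (not real captured output).
SAMPLE_OLD_JAVA7='java version "1.7.0_21"
Java(TM) SE Runtime Environment (constructed sample build line)'
SAMPLE_NEW_JAVA7='java version "1.7.0_25"
Java(TM) SE Runtime Environment (constructed sample build line)'
SAMPLE_NO_JAVA='No Java runtime present, requesting install.'

echo "Java 7 Update 21 transcript: $(java_verdict "$SAMPLE_OLD_JAVA7")"
echo "Java 7 Update 25 transcript: $(java_verdict "$SAMPLE_NEW_JAVA7")"
echo "No-Java transcript:          $(java_verdict "$SAMPLE_NO_JAVA")"
```

To check a real machine, feed the live output in with java -version 2>&1 | java_version_from_output and pass the result to java_is_patched; anything reported as vulnerable is below the level the table says is fixed.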

If you are interested in knowing what sort of vulnerabilities were fixed this time round, you will find a high-level overview on Oracle’s Software Security Assurance Blog.

For more detail, head back to the Critical Patch Update Advisory and scroll down to the Notes below the Risk Matrix.

Take special note of the vulnerabilities annotated See Note 1 and See Note 2, which account for 37 of the 40 documented security fixes.

These are vulnerabilities that are exploitable by (indeed, according to Oracle, can only be exploited by) sandboxed Java applets, which run inside your browser.

In other words, with Java off in your browser, you’d proactively be shielded against the vast majority of the risk to which the now-patched versions of Java expose you.

Still not convinced that it’s a good idea to get rid of browser-based Java?