The officially patched Java versions are 5, 6 and 7, also (confusingly) known as 1.5, 1.6 and 1.7. The fixed builds carry bumped-up update numbers, as follows:

| Vulnerable up to   | Also known as | Fixed by                        |
|--------------------|---------------|---------------------------------|
| Java 7 Update 21   | 1.7.0_21      | Java 7 Update 25 (1.7.0_25)     |
| Java 6 Update 45   | 1.6.0_45      | Java 6 Update 51 (1.6.0_51)     |
| Java 5.0 Update 45 | 1.5.0_45      | Java 5.0 Update 51 (1.5.0_51)   |
Apple, which ships its own builds of Java 6, updated at the same time.
Users of OS X 10.6.8 (Snow Leopard), Apple's oldest supported version, have a full Java Development Kit bundled with the operating system, and need to grab the download called Java for Mac OS X 10.6 Update 16.
For Lion (OS X 10.7) and Mountain Lion (OS X 10.8), Apple's Java is an optional download that can be installed as well as, or instead of, Oracle's version; users should head for the Java for OS X 2013-004 download.
If you're an Apple user who isn't sure whether you have Java installed, open a Terminal window and run the command java -version.
You will see your current version number if you have a working Java; if not, you will see an OS X dialog offering to fetch it for you.
(If you don't have it, and didn't know, you obviously haven't missed it much. I recommend leaving it uninstalled.)
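The version check above is easy to do by eye, but if you are auditing more than one machine it helps to script it. The following is an added example, not code from the original post: it parses the first line that java -version prints (which, note, goes to stderr, not stdout) and classifies the update level against the fixed builds in the table above. It assumes the conventional output format, java version "1.x.0_NN", and the version strings used in the comments are constructed for illustration, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): classify a Java version string
# against the update levels fixed in Oracle's June 2013 Critical Patch Update.

# Minimum patched update number per release family, taken from the table above.
patched_update() {
    case "$1" in
        1.5) echo 51 ;;
        1.6) echo 51 ;;
        1.7) echo 25 ;;
        *)   echo "" ;;   # families the table does not cover
    esac
}

# Pull "1.7.0_21" out of java -version output such as (constructed sample):
#   java version "1.7.0_21"
#   Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print "patched", "vulnerable" or "unknown" for a string like 1.7.0_21.
# A build suffix such as 1.7.0_25-b15 is tolerated: only the digits after
# the underscore are compared.
classify_version() {
    ver="$1"
    family=$(printf '%s' "$ver" | cut -d. -f1,2)                       # e.g. 1.7
    update=$(printf '%s' "$ver" | sed -n 's/.*_\([0-9]*\).*/\1/p')     # e.g. 21
    need=$(patched_update "$family")
    if [ -z "$need" ] || [ -z "$update" ]; then
        echo unknown
    elif [ "$update" -ge "$need" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Run the real check on this machine. java -version writes to stderr, hence 2>&1.
# On a Mac with no Java installed, invoking java is what triggers the
# "install Java?" dialog, so call this only when you intend that.
check_installed_java() {
    out=$(java -version 2>&1)
    ver=$(extract_version "$out")
    if [ -z "$ver" ]; then
        echo "no working java found"
        return 1
    fi
    echo "$ver: $(classify_version "$ver")"
}

# Usage: run this script directly to check the local machine, e.g.
#   sh check_java.sh
# (the function is also callable after sourcing the file into a shell).
case "$0" in
    *check_java.sh) check_installed_java ;;
esac
```

Because the per-family threshold lives in one place, a later Critical Patch Update only requires changing the numbers in patched_update. A family the table does not list (Java 8 was not yet released when this update shipped) reports "unknown" rather than guessing.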
If you are interested in knowing what sort of vulnerabilities were fixed this time round, you will find a high-level overview on Oracle’s Software Security Assurance Blog.
For more detail, head back to the Critical Patch Update Advisory and scroll down to the Notes below the Risk Matrix.
Take special note of the vulnerabilities annotated See Note 1 and See Note 2, which account for 37 of the 40 documented security fixes.
These are vulnerabilities that are exploitable through (indeed, according to Oracle's notes, can only be exploited through) sandboxed Java applets, which run inside your browser.
In other words, with Java turned off in your browser, you would already have been shielded from the vast majority of the risk that the now-patched versions of Java exposed you to, even before this update arrived.
Still not convinced that it’s a good idea to get rid of browser-based Java?