Oracle on Tuesday shipped an update for Java 6 and Java 7 to patch up to 42 bugs – the number depends on the version and platform – for Windows and OS X. Because Apple maintains Java 6 for OS X – unlike Java 7, which Oracle handles – it followed with its own update.
The Apple update was important beyond the fact that it fixed 21 Java flaws.
Not all Mac users can upgrade to the newest version, Java 7, which requires OS X Lion, or its successor, Mountain Lion. OS X Snow Leopard users are stuck on Java 6, and must rely on Apple to provide patches for that version.
Fortunately, Oracle has reversed an earlier commitment to halt security updates for Java 6 – the end for Java 6 was originally slated for February, but Oracle extended it to early March when it shipped ‘out-of-band’, or emergency, patches – and continues to support 2006’s Java 6.
That meant Apple had access to the Java 6 patches and could, as Computerworld speculated last month, keep serving fixes to Snow Leopard.
The Oracle/Apple move was smart: According to web metrics firm Net Applications, Snow Leopard accounted for 27 percent of all copies of OS X used to access the internet in March. The 2009 operating system has resisted retirement and, in fact, powered more Macs last month than OS X Lion, its 2011 successor.
If Oracle and Apple had not continued to support Snow Leopard with Java patches, the percentage of unprotected Mac users would have jumped from the current nine percent to a whopping 36 percent, or more than a third of the installed base.
End date not certain
Oracle did not say how long it will continue to provide patches for Java 6 to Windows users, and thus how long Apple will be able to issue security updates to its customers still running Snow Leopard.
But Apple could do so for months to come. Even after Oracle halts support for Java 6, it will still distribute patches to enterprises that have negotiated contract support plans. Apple will probably have access to those only-for-corporate-customers patches and will use them to draft updates for its own users.
The last public patches for Java 5, for example, shipped in November 2009, but Apple continued to issue Java 5 updates for OS X Leopard until June 2011, or 20 months later.
Tuesday’s update to Java included fixes for the four vulnerabilities exploited by researchers at last month’s Pwn2Own hacking contest. Each researcher (or, in one instance, team of researchers) was awarded US$20,000 by HP TippingPoint, which co-sponsored the challenge.
With Oracle’s patches for Pwn2Own’s Java vulnerabilities, only Microsoft has yet to close a hole uncovered at the challenge. French bug broker Vupen exploited Internet Explorer 10 (IE10) on Windows 8 at Pwn2Own. Some experts anticipated IE10 fixes for the Pwn2Own flaws last week on April’s Patch Tuesday, but Microsoft disappointed.
Also on Tuesday, Apple refreshed Safari 6 for OS X Lion and Mountain Lion, and Safari 5 for Snow Leopard to add a new security tool. The browser now lets users closely manage Java permissions by selecting which sites can execute the software. Users comfortable with changing security settings can now allow Java to run on trusted websites – an online banking site, for example – while blocking it from executing on other domains.
Apple has published a support document outlining how the new site-by-site Java permission manager operates.
The new Safari tool may come in handy: hackers have turned up the heat on Oracle in the past year, exploiting a succession of Java vulnerabilities, including several so-called ‘zero-day’ bugs, or unpatched – and, in some cases, even unknown – flaws.
A year ago, for instance, cybercriminals infected more than 600,000 Macs in the widespread ‘Flashback’ malware campaign by exploiting a Java vulnerability that Oracle had fixed, but Apple had not. It was easily the biggest-ever security event on OS X, and a major embarrassment for Apple, which, in response, changed its Java patch cadence to match Oracle’s.
OS X Lion and Mountain Lion users running Java 7 will also see new messages that appear in their browser of choice when attempting to launch a Java applet. Those messages, which were called confusing by UK-based security vendor Sophos, display small icons or badges that represent various risks.
The next scheduled Java security update is set for release by Oracle on 18 June.
Unless Apple changes its mind on Snow Leopard, it will also issue patches the same day for that version of OS X as well as for Lion and Mountain Lion.
by Gregg Keizer, Computerworld