June 13, 2012

There must have been some rare planetary alignment yesterday, because the oddest thing happened: Apple and Oracle both shipped software updates for the same Java security flaws on the very same day.

I’ve taken Apple to task several times for its unacceptable delays in patching Java vulnerabilities. Oracle is the official producer of Java, but Apple maintains its own version, and it has consistently lagged months behind Oracle in fixing security bugs. This failure on Apple’s part finally caught up with Mac OS X users earlier this year and turned into a major embarrassment for Apple, when the Flashback malware infected more than 650,000 Mac systems using a vulnerability that Oracle (but not Apple) had patched roughly two months earlier.

Well, it seems that Apple learned a thing or two from that incident. The update Oracle released yesterday, Java 6 Update 33 and Java 7 Update 5, fixes at least 14 security flaws in the oft-attacked software that is installed on more than three billion devices worldwide. Apple’s Java update brings Java on the Mac to 1.6.0_33, and patches 11 of the 14 security vulnerabilities that Oracle fixed in Tuesday’s release. It’s unclear whether those other three flaws simply don’t exist in the Mac version of Java, but we’ll take progress where we can get it.

Regardless of which operating system you use, if you have Java installed, I would advise you to update it, neuter it or remove it as soon as possible. The reason I say this is that Java requires constant patching, and it appears to be the favorite target of attackers these days.

Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java?” link. Mac users can use the Software Update feature to check for any available Java updates.
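For anyone checking more than one machine, the version test above can be scripted. The following is an added example (not code from the original post, and not Oracle's or Apple's tooling): it parses the `java -version` output format, compares the result against the patched builds named in the post (1.6.0_33 for the Java 6 line and 1.7.0_05 for Java 7), and reports whether a host is still on an older build. The sample outputs are constructed, and the baseline tuples are an assumption derived from the version numbers in the post.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum patched builds named in the post: Java 6 Update 33 and Java 7 Update 5
# (Apple's Mac build reports itself as 1.6.0_33). Assumed baselines for this example.
PATCHED_BASELINES = {
    6: (1, 6, 0, 33),
    7: (1, 7, 0, 5),
}

# Classic format: java version "1.6.0_33" (a vendor suffix such as -b05 may follow).
VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"')


def parse_java_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, micro, update) from `java -version` output.

    Returns None when no quoted version string is present (e.g. Java is not installed).
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(version: Tuple[int, int, int, int]) -> Optional[bool]:
    """True if the build is at or above the June 2012 baseline for its family.

    Returns None for a family the post does not cover (e.g. Java 5).
    """
    family = version[1]  # the "6" in 1.6.0_33
    baseline = PATCHED_BASELINES.get(family)
    if baseline is None:
        return None
    return version >= baseline  # tuple comparison is lexicographic


def check_text(text: str) -> dict:
    """Classify one host's `java -version` output."""
    version = parse_java_version(text)
    if version is None:
        return {"installed": False, "version": None, "patched": None}
    return {"installed": True, "version": version, "patched": is_patched(version)}


def check_local_java() -> dict:
    """Run `java -version` on this host; Java prints its banner on stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=15)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return {"installed": False, "version": None, "patched": None}
    return check_text(proc.stderr + proc.stdout)


# Constructed sample outputs (not captured from real hosts) so the script runs offline.
SAMPLES = {
    "old-6": 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment (build 1.6.0_31-b04)\n',
    "new-6": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)\n',
    "new-7": 'java version "1.7.0_05"\nJava(TM) SE Runtime Environment (build 1.7.0_05-b06)\n',
    "none": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, check_text(out))
    print("this host:", check_local_java())
```

The `java` on a host's PATH is not necessarily the one a browser plugin uses, so treat a "patched" result as one input to an inventory rather than proof that the browser is safe; the plugin check in the next paragraph still applies.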

If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox (from the Add-ons menu, click Plugins and then disable anything Java related, and restart the browser), and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the sites that require it.

Apple stopped bundling Java by default in OS X 10.7 (Lion); instead, it offers instructions for downloading and installing the software framework when users access webpages that use it. The latest iteration of Java for OS X configures the Java browser plugin and Java Web Start to be deactivated if they remain unused for 35 days.


29 thoughts on “Apple, Oracle Ship Java Security Updates”

  1. Wladimir Palant

    Brian, I read somewhere that Apple gave up on producing Java updates and simply gave Oracle their Mac-specific code so that they can do it themselves. So this Java update comes from Oracle even though it’s being distributed through Apple’s channels. A step that was long overdue IMHO.

  2. infodox

    I still recall, around the time Darkmrkt (or however it is spelled) by Misha Glenny was released, he gave a talk on a national radio station here, and first encouraged people to use OSX as no one was hacking it, then explained that soon people would be hacking it.

    Short while later, FLASHBACK.

    However, it is about time they started patching things on time. Really, apple should leave writing Java patches to oracle, but give them access to the auto update mechanisms so the patches do arrive on time. If the rumor that this is true, is in fact true, it is about damn time!

  3. Debbie Kearns

    Again, thanks for the heads-up! 🙂

  4. Debbie Kearns

    I hate to double-post, but again, as in the previous Java 7 updates, you failed to mention that Java 7 Update 5 would come with JavaFX 2.1.1 and its previous updates! They’re wasting all my computer’s free space! 🙁

    1. BrianKrebs Post author

      Ah you are right, Debbie. Although, to be fair, I don’t think I’ve been ambiguous about urging people to get rid of this program altogether.

      1. D-Train

        Brian,

        Is an interpreter like Python just as much of a security risk as Java? I’ve seen a few applications developed on Python for the desktop and was curious if they are a better option than Java-based apps.

        Thanks

  5. Jay Wocky

    Not my day, I guess. I opened my Java control panel (on XP/SP3), and checked for updates. When one showed available, I started the process. Got past the download and, I thought, through the uninstallation of the current version. The process then appeared to be over (turned out it wasn’t).

    During the lull, I opened the Java control panel again. Big mistake. A prompt appeared then telling me to close the panel so that the installation process could complete. Shortly thereafter, a window told me the installation could not complete because it was interrupted.

    I went to Java Help (as the window suggested). From there, I went to my add/remove programs to manually uninstall, except the old program no longer showed up there. Nor did the Java Control Panel icon on my control panel. The old program appeared to be gone gone gone.

    I downloaded the “offline” installer for the new program, as instructed. Started it. In no time at all, I had the same failure prompt as before.

    The only reason I have this program at all is to occasionally run a Secunia online scan. At all other times, I disable Java.

    I assume there is still some deep-hidden residue of the old program that is gumming things up. Wouldn’t know where to find it. Any suggestions on how I can get the new version installed?

    1. Jay Wocky

      Never mind. Just successfully installed Java 7 after first rebooting my computer.

      When in doubt, and when all else fails…

      1. JCitizen

        No problem Jay; we all have our days. With my brain damage, I definitely have many more of those days! 😛

  6. David Carroll

    Also note that if you previously disabled the Java plug-in in Firefox and Seamonkey, the new version will be installed enabled by default, and so require re-disabling.

  7. CJ Flynn

    The Java site still refers Mac users to use the Mac Software Update to obtain, and to check that you have, the most recent version of Java. This is true at both the “Do I have Java?” linked page and at the “All Java Downloads” page, which has a link for several Windows and Linux versions, but nothing for Mac except the instructions to use the Update feature.

  8. Paolo Milani

    Indeed the Apple delays on this have been embarrassing. Some time ago in a Java security lecture I explained and demoed CVE-2008-5353. To demo it I used a VM with an old Ubuntu image as a victim, but Mac OS was still unpatched at the time, 6 months after the vulnerability was made public, with proof-of-concept code available.

    1. Rabid Howler Monkey

      Paolo Milani wrote:
      “in a Java security lecture I explained and demoed CVE-2008-5353. To demo it I used a VM with an old ubuntu image as a victim”

      This should be posted on a large, flashing neon sign. Many desktop Linux enthusiasts would flatly not believe this.

      Of interest with regard to desktop Linux and Java is that Oracle, awhile ago, stopped allowing distros to manage their proprietary Java (JRE and JDK) software in the distros’ repositories. Some distros, Ubuntu as an example, automatically removed Oracle’s proprietary Java from their users’ systems during an update and provided users the option to install OpenJDK, which is managed in the repository.

      There may be more than a few desktop Linux users unwittingly using an outdated version of Oracle’s proprietary Java on their systems.

      Fact is that Oracle’s proprietary Java must now be manually downloaded and installed on desktop Linux, just like on Windows. The OpenJDK JRE is a safer option, providing that one’s Java applications and applets are fully compatible with it.

  9. gtodon

    Unfortunately, I need Java for certain websites I use. But do I also need JavaFX?

  10. Alphonses

    Hi there,
    Was using jre6-u32. Got on to updating to jre6-u33.
    Was offered jre7-u5 instead. It appears this version
    (jre7-u5) is not compatible with Win XP pro sp3.
    Some unidentifiable error is shown. Removed jre7,
    replaced with jre6-u33. Looks okay now.
    Regards all.

    1. Doug

      Alphonses, vers 7.05 seems to be running without errors on my machines – but maybe the errors are yet to appear.
      My question is: what determines what java version a user is offered when updating?
      Background/my experience so far with six WinXP Pro machines: After patch Tuesday I check various programs for updates including java & flash. Install the updates & make an image, done for a month. On my personal machine I turn off the automatic updating for java & delete the run key entry for jusched.exe. On some other machines I set java to check for updates daily. Almost always Brian notifies us of an update before java does. 🙂 And, as per Brian’s longtime advice, I disable java in my main browser but leave it enabled in IE for the odd time I want to use a java required site (e.g. http://netalyzr.icsi.berkeley.edu) This month, I caught the update in my usual check (using java control panel>check for updates). On my first four machines I was updated to java 7.05 including the JavaFX 2.1.1 install. I assumed that java was abandoning the 6.x line and now moving to 7.x. But on machine number five I was offered vers 6.33!! I believe this update might have been offered by the java update service (tray icon) but unfortunately I’m not positive about this. I’m wondering what will happen on machine six.
      So, does anyone have an answer?

      1. Alphonses

        Doug, I forgot to mention am running IE8 under xp_pro
        sp3 and just patched @ MS update for June 2012. Had a deeper look at the error- seems that the Java plugin for ver
        7.05 isn’t being loaded at IE-tools-add-ons.
        Yep, understand Oracle are phasing out ver6 and diverting
        users to ver7 which is essentially for developers.

  11. sh

    JavaFX is included when updating on java.com? 🙁

    1. gtodon

      Yes. I should have made that clear in my post: I updated Java via its website and also got JavaFX. My question, again, is this:

      Unfortunately, I need Java for certain websites I use. But do I also need JavaFX?

  12. Charlie

    For Mac users who are still running older system software (Leopard 10.5 or earlier): In mid May, Apple issued a “Flashback Removal Security Update”. This reportedly removes the Flashback malware if it’s been installed on your system, and it disables Java in the Safari preference panel. I’m not sure if it actually patches Java to prevent future infection or not. If you need to use Java for a specific website, you can always turn it back on in the Safari preferences, and it’s not necessary to reboot after turning it back on — just reload the web page that needs Java. And don’t forget to turn Java off again after you’re done using that site.

  13. Jay Pfoutz

    I thought for sure that Java Updates came automatically. I guess I have more reason to urge the use of Secunia PSI, just for backup!

  14. Anonymous

    With the amount of exploits which continue to plague Java (and Microsoft Windows), Java, Windows, and Microsoft software should be blacklisted as malware.

    1. JCitizen

      All platforms but the most high assurance software, are known victims now. Your post is obsolete.

  15. Joseph Laws

    Speaking of plaintext, I continue to receive monthly notices via text from T-Mobile of invoice generation to my mobile phone. They kindly include my web account password in plain text as if I’m incapable of A. remembering it B. using a forgot-my-password feature.

    Great security guys…
