Apple tries to kill its own Java on most Macs

Pushes users to deal with Oracle, which maintains Java 7 for OS X

Apple yesterday started scrubbing most Macs of older Java browser plug-ins, a move that will force users to download the software from Oracle. The company also patched Java for OS X, the second time Apple synchronized its Java security update with Oracle's, releasing its patches for OS X the same day as the Java software maker.

Along with the Java patches, Apple beefed up OS X security by uninstalling old browser plug-ins for the software.

The update aimed at Lion and Mountain Lion -- which collectively accounted for 60% of all Macs last month -- zaps plug-ins provided by Apple via Java 6 and earlier.

"This update uninstalls the Apple-provided Java applet plug-in from all Web browsers," Apple said in a support document.

Apple's Java update for Snow Leopard did something different: "On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure Web browsers to not automatically run Java applets," Apple stated.

After the Lion and Mountain Lion update is applied, users who browse to websites that require Java will see the message "Missing plug-in," and can then proceed to the Oracle site to download the newest version of Java 7 and its browser plug-in.

Apple has been ratcheting up efforts to eliminate some plug-ins, notably Adobe's Flash Player and Oracle's Java, after hundreds of thousands of Macs were infected by the Flashback Trojan horse last March and April.

The company reacted with several measures, including blocking older versions of Flash. Earlier, Apple had made similar moves on Java, first blocking automatic execution of the Oracle plug-in, then following that with a patch that automatically disabled the plug-in if it had not been run in the past 35 days.

Wolfgang Kandek, CTO of Qualys, saw Wednesday's plug-in elimination as both a security enhancement and an attempt by Apple to push customers towards Oracle as the distributor of Java.

"[This] might be part of the migration to a Java completely provided by Oracle," said Kandek via instant message today. "It will [also] enhance security, and reduce the number of web-accessible Java installations on Macs."

Apple stopped bundling Java with OS X starting with 2011's Lion; this year's Mountain Lion also omitted Java. The Cupertino, Calif. company is still responsible for patching Java 6 and earlier, but Oracle takes care of OS X users running Java 7.

While Lion and Mountain Lion did not include Java, users may have installed it themselves: When a browser encounters a Java applet, OS X asks for permission to download the Oracle software. People running the older Snow Leopard (2009) and Leopard (2007) have Java installed by default.

Apple took other measures to shove Mac owners towards Oracle, including removing Java options from the Preferences window.

Along with the anti-Java plug-in maneuver, Apple also shipped two Java updates, dubbed Java for Mac OS X 10.6 Update 11 and Java for OS X 2012-006, that patched 20 critical vulnerabilities on OS X Snow Leopard, and OS X Lion and Mountain Lion, respectively.

Oracle patched the same 20 bugs -- and 10 more for good measure -- on Wednesday for Windows. The firm updated Java 5, 6 and 7 for Windows, and Java 7 for OS X.

Adam Gowdiak, founder and CEO of Polish security firm Security Explorations, reported most of the bugs that Oracle patched yesterday.

Gowdiak has found other Java vulnerabilities in the past. Earlier this year he reported more than a dozen. Months later, hackers independently uncovered one of the bugs, then began using it in widespread attacks during August.

But neither Oracle nor Apple addressed the critical zero-day vulnerability that Gowdiak submitted to Oracle late last month. The flaw affected OS X as well as Windows versions of the software.

According to Gowdiak, Oracle told him it had received the bug report as it was wrapping up testing of the Oct. 16 update, and was unable to work up a fix in time. "Oracle confirm[ed] that it is on track to deliver fixes for [this bug] in the next Java SE Critical Patch Update which ships in February 2013," Gowdiak wrote on his firm's bug status website.

In the hope that he could prod Oracle to act quickly last month, Gowdiak had gone public -- albeit minus technical details -- rather than privately reporting it to Oracle and waiting for the company to quietly patch Java. But the strategy came up bust. "[We also asked] for the reason of sticking to Oracle's semi-quarterly patch release schedule, which means [an] additional four months to wait for a patch for a critical security issue in Java," Gowdiak noted. Oracle patches Java approximately every four months. As Gowdiak alluded, the next regularly-scheduled update is slated to ship Feb. 19, 2013.

The last time Apple updated Java was in early September, when it fixed flaws Oracle had addressed weeks earlier with an emergency update that aimed to squash aggressive and widespread attacks exploiting a vulnerability.

Users running Java 6 and earlier can grab the update for their version of OS X by triggering Software Update from the Apple menu. Java 7 can be updated by downloading the new version, Java SE Runtime Environment 7u9, from Oracle's website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to or subscribe to Gregg's RSS feed.
