Oracle to stop patching Java 6 in February 2013

Presents problems for Mac owners running Snow Leopard and earlier versions of OS X

Java 6 will be retired from security support in less than two months, and users and businesses should prepare now for its demise, experts said today.

Oracle will publicly patch Java 6 for the last time on Feb. 19, 2013. After that date, only enterprises with contract support plans will receive security updates, according to the Java support roadmap.

That means consumers and most businesses should upgrade to Java 7 as soon as possible, said security professionals Wednesday.

"If you're not able to upgrade [to Java 7], you'd better have some pretty deep in-depth defenses in place," warned Jason Miller, manager of research and development at VMware.

Miller has a point: In 2012, Java vulnerabilities were widely targeted by exploit writers and hackers. Last March, for example, approximately 2% of all Macs were infected with Flashback, malware that exploited a Java bug that Apple was sluggish in patching, even though Oracle had issued fixes for other platforms.

Apple continues to maintain Java 6 for OS X users but ceded responsibility for Java 7 to Oracle in 2010.

Miller thought there was more to Oracle's decision to push aside the 2006 software than Java 6's longer-than-usual life. "Java 6 was Sun's Java," Miller noted. "Java 7 is Oracle's first. It's Oracle's product now."

Oracle acquired Sun Microsystems in late 2010 after it offered $7.4 billion for Java's creator the year before. Oracle released Java 7 in July 2011.

Although Oracle extended Java 6's EOL, for "end-of-life," twice this year -- first from July to November 2012, then again from November 2012 to February 2013 -- Miller was certain that this time the date would stick.

"At some point, they just have to say it's retired," said Miller, comparing Oracle's situation to that of Microsoft, which has delayed Windows XP's retirement, but now seems ready to stand by an April 2014 expiration date.

While individuals may have little trouble upgrading to Java 7, enterprises face a bumpier road.

IT administrators and Java developers are the most at risk of not making the deadline, said Miller. "They really need to test their [Java] apps," said Miller, and if necessary, rebuild or modify their in-house and public apps.

The bright spot is that users and enterprises have six months to dump Java 6 before they'll miss a bug fix. After the Feb. 19 update, the next Java patches will be released June 18, 2013. "Between now and June, enterprises should be testing [Java 7] and deploying it," Miller recommended.

Java 6's support death presents special problems for Mac users. While Java 7 runs on all current editions of Windows, including the 11-year-old Windows XP, it requires OS X 10.7, aka Lion, or its successor, Mountain Lion, on Macs.

That will leave a significant portion of Mac users without the means to run an up-to-date Java next year. According to Web metrics company Net Applications, approximately 41% of all Macs still run versions of OS X older than Lion.

Apple will presumably issue the final OS X patches for Java 6 in February alongside Oracle's update.

But some security researchers are unconvinced that upgrading to Java 7 is a good idea.

On Tuesday, Polish researcher Adam Gowdiak, who reported scores of Java vulnerabilities to Oracle this year, told the IDG News Service, "Our research proved that Java 7 was far more insecure than its predecessor version. We are not surprised that corporations are resistant when it comes to the upgrade to Java 7."

Thomas Kristensen, chief security officer at Danish vulnerability management firm Secunia, was more optimistic about Java 7's security prowess, saying in an interview with Computerworld yesterday that it was "pretty much equal to Java 6 out of the box."

But Kristensen did criticize Java 7.

The Java 7 Update 10 released last week included several new security options that let users disable Java in all browsers, or set privileges for signed and unsigned Java apps.

Kristensen called the changes "a step in the right direction" for the attack-plagued Java, but argued that Oracle should have turned on the new features by default rather than leave them in users' hands.

"They're difficult to understand, they're more complicated than similar features in other products. You have to know how Java works, the nature of Java, you have to understand signed and unsigned [apps] and the source of those apps," Kristensen said. "A more restrictive [environment] should have been applied by default rather than depend on users actively choosing them."

Lucian Constantin of the IDG News Service contributed to this report.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about application security in Computerworld's Application Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Applesecurityapplication securityAccess control and authenticationMac OS XOracleVMware

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place