Oracle pulls Java 6 plug, but Apple likely to keep patching OS X Snow Leopard

If past practice is a clue, Apple will support Java 6 on Snow Leopard until second half of 2014

Apple on Monday patched Java 6 for OS X, following Oracle's lead and quashing a browser plug-in vulnerability that hackers have been exploiting.

Oracle issued the "out-of-band," or emergency, update for Java 6 and Java 7 to patch two critical vulnerabilities. One of those bugs -- designated CVE-2013-1493 -- has been exploited in the wild since at least Feb. 28, according to security firm FireEye, which discovered the attacks.

Because Apple maintains Java 6 for OS X -- unlike Java 7, which Oracle handles -- it followed with its own update, as usual.

But Oracle also said that Monday's update would be the final one for the aging software. "This release is the last of publicly available JDK 6 Updates," Oracle said in its release notes. "Oracle recommends that users migrate to JDK 7 in order to continue receiving public updates and security enhancements."

That advice works for Windows users: Java 7 runs on all Microsoft-supported versions of its operating system, including Windows XP.

However, not all Mac users can upgrade to Java 7, which requires OS X Lion, or its successor, Mountain Lion. According to Web metrics company Net Applications, 37% of all Macs last month ran a version of OS X older than Lion. The majority of those users relied on OS X Snow Leopard, the 2009 operating system that is stubbornly resisting retirement.

But that doesn't necessarily mean that Snow Leopard users will be out in the cold, Java-wise.

Contrary to what Computerworld reported in December, when it said Snow Leopard users would be without Java 6 security updates as soon as Oracle pulled the plug, further investigation has provided more than a glimmer of hope.

Apple relies on Oracle to craft Java 6 patches, and so without Oracle creating patches, Apple would seemingly have nothing to distribute. Not quite.

Oracle will continue to come up with security patches for Java 6, but those will only be distributed to enterprises that have negotiated contract support plans with Oracle. And if the past is any indicator, Apple will have access to those only-for-corporate-customers patches and will use them to draft updates for its own users.

The future is murky, as it always is with Apple support -- unlike Microsoft, the company does not spell out its support policies in black and white -- but there is precedent.

For OS X 10.5, known as Leopard, Apple provided Java 5 updates well after Sun Microsystems, the creator and former owner of Java, stopped serving public patches.

Sun stopped Java 5 support with Java 5 Update 22 (Java 5u22), which it released Nov. 4, 2009. But Apple continued to issue Java 5 updates for Leopard until June 2011, when it released patches that it said pushed the software up to Java 5u30.

Those patches were for flaws that Oracle -- by then it had acquired Sun and taken control of Java -- identified as fixes for its business customers.

If Apple follows that same timeline, it will support Java 6 for approximately a year and a half, or deep into 2014.

There's no guarantee. The closest Apple has come to that was when it deprecated Java, telling developers that it would no longer ship Java with OS X. "The Java runtime shipping in OS X v10.6 Snow Leopard, and OS X v10.5 Leopard, will continue to be supported and maintained through the standard support cycles of those products," Apple said at the time.

Leopard's support cycle has long ended -- the last Java update for OS X 10.5 was issued in mid-2011, and its last security update was released in May 2012 -- but Snow Leopard's has not come to an end. (Apple shipped a security update for OS X 10.6 in September, for example, alongside the most recent fixes for Lion and Mountain Lion.)

Apple might want to play it safe and continue to patch Java for Snow Leopard, both because of the recent rash of Java "zero-days," or vulnerabilities exploited before they have been patched, and because Apple was embarrassed last year when a then-unpatched Java bug gave hackers a way to infect hundreds of thousands of Macs in the widespread "Flashback" malware campaign.

The massive numbers of customers who remain on Snow Leopard -- as of last month, OS X 10.6 powered 27.5% of all Macs -- might also weigh in Apple's decision.

Ironically, Monday's update was a bonus for both Windows and Mac users. Previously, Oracle had said it would end public support for Java 6 with its Feb. 19 update. Oracle had also extended Java 6's EOL, or "end-of-life," twice last year, first from July to November 2012, then again from November 2012 to February 2013.

OS X Lion and Mountain Lion users who require Java should upgrade as soon as possible to Java 7, which Oracle plans to maintain at least until July 2014, and Apple may support even longer.

The next scheduled Java 7 update is set for April 16. If Apple continues support for Java 6 on Snow Leopard, it will issue that update the same day.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed.