Apple keeps patching Java on OS X Snow Leopard after proposed drop-dead date

Adds site-by-site Java management tool to Safari for all users

Apple on Tuesday patched Java for the aging OS X Snow Leopard and tweaked Safari to give users more control over which websites they let run the vulnerability-plagued Oracle software.

Oracle on Tuesday shipped an update for Java 6 and Java 7 to patch up to 42 bugs -- the number depends on the version and platform -- for Windows and OS X. Because Apple maintains Java 6 for OS X -- unlike Java 7, which Oracle handles -- it followed with its own update.

The Apple update was important beyond the fact that it fixed 21 Java flaws.

Not all Mac users can upgrade to the newest version, Java 7, which requires OS X Lion, or its successor, Mountain Lion. OS X Snow Leopard users are stuck on Java 6, and must rely on Apple to provide patches for that version.
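An added example, not part of the Computerworld article: a POSIX shell script that parses the output of `java -version`, tells you whether a machine is still on Java 6 (as every Snow Leopard Mac is) and, if so, whether that Java 6 is at or past a minimum update level you specify. The minimum in `MIN_JAVA6` is a placeholder assumption, not a release number taken from the article; the sample outputs are constructed for the example and the classifier runs on them so the script works offline.

```shell
#!/bin/sh
# Added example (not from the article): classify a Mac's installed Java by
# parsing `java -version` output and comparing the update level against a
# minimum. MIN_JAVA6 is a placeholder assumption; set it to the build that
# Apple's latest Java 6 update actually installs on Snow Leopard.
MIN_JAVA6="${MIN_JAVA6:-1.6.0_45}"

# Pull the bare version string (e.g. 1.6.0_37) out of `java -version` text
# read from stdin. The first line looks like: java version "1.6.0_37"
java_version_from_output() {
    sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# version_ge A B: exit 0 if A >= B, comparing field by field after turning
# "1.6.0_37" into 1 6 0 37 (major minor micro update). Missing fields are 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/_/, ".", a); gsub(/_/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# classify_java OUTPUT MINIMUM: prints one of
#   none            - no "java version" line (Java absent or not runnable)
#   java7           - Oracle's Java 7 (Lion / Mountain Lion only)
#   java6-current   - Apple's Java 6 at or above MINIMUM
#   java6-outdated  - Apple's Java 6 below MINIMUM, i.e. missing the patch
#   other           - anything else (e.g. Java 5 on Leopard)
classify_java() {
    ver=$(printf '%s\n' "$1" | java_version_from_output)
    case "$ver" in
        "")    echo "none" ;;
        1.7.*) echo "java7" ;;
        1.6.*)
            if version_ge "$ver" "$2"; then
                echo "java6-current"
            else
                echo "java6-outdated"
            fi ;;
        *)     echo "other" ;;
    esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_OUTDATED='java version "1.6.0_37"
Java(TM) SE Runtime Environment (build 1.6.0_37-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01, mixed mode)'

SAMPLE_JAVA7='java version "1.7.0_17"
Java(TM) SE Runtime Environment (build 1.7.0_17-b02)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)'

SAMPLE_MISSING='sh: java: command not found'

# Run the classifier on the constructed samples so the script is useful offline.
echo "sample outdated : $(classify_java "$SAMPLE_OUTDATED" "$MIN_JAVA6")"
echo "sample java7    : $(classify_java "$SAMPLE_JAVA7" "$MIN_JAVA6")"
echo "sample missing  : $(classify_java "$SAMPLE_MISSING" "$MIN_JAVA6")"

# On a real Mac, check the live installation. `java -version` writes to
# stderr, hence the redirect; the guard avoids a hard failure where java
# is absent.
if command -v java >/dev/null 2>&1; then
    echo "this machine    : $(classify_java "$(java -version 2>&1)" "$MIN_JAVA6")"
fi
```

To audit a fleet, run the script over each Mac's captured `java -version 2>&1` text and flag every `java6-outdated` result; a `java7` result means the Mac is on Lion or Mountain Lion and gets its fixes from Oracle, not Apple.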

Fortunately, Oracle has reversed an earlier commitment to halt security updates for Java 6 and continues to support the 2006 release. Public updates for Java 6 were originally slated to end in February; Oracle pushed that to early March when it shipped "out-of-band," or emergency, patches, and has since kept the updates coming.

That meant Apple had access to the Java 6 patches and could, as Computerworld speculated last month, keep serving fixes to Snow Leopard.

The Oracle/Apple move was smart: According to Web metrics firm Net Applications, Snow Leopard accounted for 27% of all copies of OS X used to access the Internet in March. The 2009 operating system has resisted retirement, and in fact powered more Macs last month than OS X Lion, its 2011 successor.

If Oracle and Apple had not continued to support Snow Leopard with Java patches, the percentage of unprotected Mac users would have jumped from the current 9% to a whopping 36%, or more than a third of the installed base.

Oracle did not say how long it will continue to provide patches for Java 6 to Windows users, and thus how long Apple will be able to issue security updates to its customers still running Snow Leopard.

But Apple could do so for months to come. Even after Oracle halts support for Java 6, it will still distribute patches to enterprises that have negotiated contract support plans. Apple will probably have access to those only-for-corporate-customers patches and will use them to draft updates for its own users.

The last public patches for Java 5, for example, shipped in November 2009, but Apple continued to issue Java 5 updates for OS X Leopard until June 2011, or 20 months later.

Tuesday's update to Java included fixes for the four vulnerabilities exploited by researchers at last month's Pwn2Own hacking contest. Each researcher (or in one instance, a team of researchers) was awarded $20,000 by HP TippingPoint, which co-sponsored the challenge.

With Oracle's patches for Pwn2Own's Java vulnerabilities, only Microsoft has yet to close a hole uncovered at the challenge. French bug broker Vupen exploited Internet Explorer 10 (IE10) on Windows 8 at Pwn2Own. Some experts anticipated IE10 fixes for the Pwn2Own flaws last week on April's Patch Tuesday, but Microsoft disappointed.

Also Tuesday, Apple refreshed Safari 6 for OS X Lion and Mountain Lion, and Safari 5 for Snow Leopard to add a new security tool. The browser now lets users closely manage Java permissions by selecting which sites can execute the software. Users comfortable with changing security settings can now allow Java to run on trusted websites -- an online banking site, for example -- while blocking it from executing on other domains.

Apple has published a support document outlining how the new site-by-site Java permission manager operates.

The new Safari tool may come in handy: Hackers have turned up the heat on Oracle in the past year, exploiting a succession of Java vulnerabilities, including several so-called "zero-day" bugs, or unpatched -- and in some cases even unknown -- flaws.

A year ago, for instance, cybercriminals infected more than 600,000 Macs in the widespread "Flashback" malware campaign by exploiting a Java vulnerability that Oracle had fixed, but Apple had not. It was easily the biggest-ever security event on OS X, and a major embarrassment for Apple, which, in response, changed its Java patch cadence to match Oracle's.

OS X Lion and Mountain Lion users running Java 7 will also see new messages that appear in their browser of choice when attempting to launch a Java applet. Those messages, which were called confusing by U.K.-based security vendor Sophos, display small icons or badges that represent various risks.

The next scheduled Java security update is set for release by Oracle on June 18. Unless Apple changes its mind on Snow Leopard, it will also issue patches the same day for that version of OS X as well as for Lion and Mountain Lion.

Safari now lets users define the websites allowed to run Oracle's bug-plagued Java software in the browser's Preferences console. (Image: Apple.)

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
