Apple tree tries to kill its ain Java on most Macs

Pushes users to deal with Oracle, which maintains Java vii for Bone X

Senior Reporter, Computerworld |

Apple yesterday started scrubbing most Macs of older Coffee browser plug-ins, a move that will force users to download the software from Oracle. The company likewise patched Java for Os X, the second time Apple tree synchronized its Java security update with Oracle's, releasing its patches for Os X the same 24-hour interval every bit the Coffee software maker.

Along with the Coffee patches, Apple beefed by OS X security by uninstalling old browser plug-ins for the software.

The update aimed at Lion and Mountain Lion --which collectively accounted for 60% of all Macs last month -- zaps plug-ins provided by Apple via Coffee half-dozen and earlier.

"This update uninstalls the Apple tree-provided Java applet plug-in from all Spider web browsers," Apple tree said in a support document.

Apple'due south Java update for Snow Leopard did something dissimilar: "On systems that have non already installed Java for Mac Os Ten 10.half-dozen update 9 or afterwards, this update will configure Web browsers to not automatically run Java applets," Apple stated.

After the Lion and Mount Lion update is applied, users who scan to websites that require Coffee volition see the bulletin "Missing plug-in," and can then keep to the Oracle site to download the newest version of Java seven and its browser plug-in.

Apple tree has been ratcheting up efforts to eliminate some plug-ins, notably Adobe's Flash Player and Oracle'southward Java, later hundreds of thousands of Macs were infected by the Flashback Trojan equus caballus last March and April.

The company reacted with several measures, including blocking older versions of Wink. Earlier, Apple had made similar moves on Coffee, get-go blocking automatic execution of the Oracle plug-in, then following that with a patch that automatically disabled the plug-in if it had non been run in the past 35 days.

Wolfgang Kandek, CTO of Qualys, saw Wednesday'due south plug-in elimination as both a security enhancement and an attempt by Apple tree to push customers towards Oracle every bit the benefactor of Java.

"[This] might be part of the migration to a Coffee completely provided by Oracle," said Kandek via instant message today. "It will [likewise] enhance security, and reduce the number of web-attainable Java installations on Macs."

Apple stopped bundling Java with OS X starting with 2011'due south Panthera leo; this yr's Mount Lion likewise omitted Java. The Cupertino, Calif. company is still responsible for patching Java vi and earlier, but Oracle takes intendance of Os 10 users running Coffee 7.

While Lion and Mountain Lion did not include Java, users may have installed it themselves: When a browser encounters a Java applet, OS X asks for permission to download the Oracle software. People running the older Snow Leopard (2009) and Leopard (2007) have Java installed by default.

Apple tree took other measures to shove Mac owners towards Oracle, including removing Java options from the Preferences window.

Forth with the anti-Java plug-in maneuver, Apple also shipped two Java updates, dubbed Java for Mac OS X ten.six Update 11 and Coffee for Bone 10 2012-006, that patched xx critical vulnerabilities on OS X Snowfall Leopard, and Bone 10 Panthera leo and Mountain Lion, respectively.

Oracle patched the same 20 bugs -- and 10 more than for good measure -- on Wednesday for Windows. The firm updated Coffee 5, 6 and 7 for Windows, and Java 7 for OS X.

Adam Gowdiak, founder and CEO of Smoothen security house Security Explorations, reported most of the bugs that Oracle patched yesterday.

Gowdiak has found other Java vulnerabilities in the past. Earlier this yr he reported more than a dozen. Months later, hackers independently uncovered one of the bugs, then began using information technology in widespread attacks during August.

Simply neither Oracle or Apple addressed the critical null-day vulnerability that Gowdiak submitted to Oracle late last calendar month. The flaw impacted OS X as well as Windows versions of the software.

According to Gowdiak, Oracle told him it had received the problems report every bit information technology was wrapping up testing of the October. xvi update, and was unable to work up a fix in time. "Oracle confirm[ed] that it is on track to deliver fixes for [this bug] in the next Java SE Critical Patch Update which ships in February 2013," Gowdiak wrote on his firm's bug status website.

In the hope that he could prod Oracle to act rapidly concluding month, Gowdiak had gone public -- albeit minus technical details -- rather than privately reporting it to Oracle and waiting for the company to quietly patch Coffee. Only the strategy came up bosom. "[We as well asked] for the reason of sticking to Oracle's semi-quarterly patch release schedule, which means [an] additional four months to expect for a patch for a critical security issue in Java," Gowdiak noted. Oracle patches Java approximately every four months. As Gowdiak alluded, the next regularly-scheduled update is slated to ship Feb. 19, 2013.

The concluding fourth dimension Apple updated Java was in early September, when it stock-still flaws Oracle had addressed weeks earlier with an emergency update that aimed to squash aggressive and widespread attacks exploiting a vulnerability.

Users running Java half dozen and earlier can grab the update for their version of Os Ten past triggering Software Update from the Apple carte. Coffee 7 can exist updated by downloading the new version, Coffee SE Runtime Environment 7u9, from Oracle's website.

Gregg Keizer covers Microsoft, security issues, Apple tree, Spider web browsers and full general engineering science breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg'south RSS feed .

Senior Reporter Gregg Keizer covers Windows, Office, Apple/enterprise, web browsers and spider web apps for Computerworld.

Copyright © 2012 IDG Communications, Inc.