Apple tries to kill its own Java on most Macs

Pushes users to deal with Oracle, which maintains Java 7 for OS X

Apple yesterday started scrubbing most Macs of older Java browser plug-ins, a move that will force users to download the software from Oracle. The company also patched Java for OS X, the second time Apple synchronized its Java security update with Oracle's, releasing its patches for OS X the same day as the Java software maker.

Along with the Java patches, Apple beefed up OS X security by uninstalling old browser plug-ins for the software.

The update aimed at Lion and Mountain Lion -- which collectively accounted for 60% of all Macs last month -- zaps plug-ins provided by Apple via Java 6 and earlier.

"This update uninstalls the Apple-provided Java applet plug-in from all Web browsers," Apple said in a support document.

Apple's Java update for Snow Leopard did something different: "On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure Web browsers to not automatically run Java applets," Apple stated.

After the Lion and Mountain Lion update is applied, users who browse to websites that require Java will see the message "Missing plug-in," and can then continue to the Oracle site to download the newest version of Java 7 and its browser plug-in.

Apple has been ratcheting up efforts to eliminate some plug-ins, notably Adobe's Flash Player and Oracle's Java, after hundreds of thousands of Macs were infected by the Flashback Trojan horse last March and April.

The company reacted with several measures, including blocking older versions of Flash. Earlier, Apple had made similar moves on Java, first blocking automatic execution of the Oracle plug-in, then following that with a patch that automatically disabled the plug-in if it had not been run in the past 35 days.

Wolfgang Kandek, CTO of Qualys, saw Wednesday's plug-in elimination as both a security enhancement and an attempt by Apple to push customers towards Oracle as the distributor of Java.

"[This] might be part of the migration to a Java completely provided by Oracle," said Kandek via instant message today. "It will [also] enhance security, and reduce the number of web-accessible Java installations on Macs."

Apple stopped bundling Java with OS X starting with 2011's Lion; this year's Mountain Lion also omitted Java. The Cupertino, Calif. company is still responsible for patching Java 6 and earlier, but Oracle takes care of OS X users running Java 7.

While Lion and Mountain Lion did not include Java, users may have installed it themselves: When a browser encounters a Java applet, OS X asks for permission to download the Oracle software. People running the older Snow Leopard (2009) and Leopard (2007) have Java installed by default.

Apple took other measures to shove Mac owners towards Oracle, including removing Java options from the Preferences window.

Along with the anti-Java plug-in maneuver, Apple also shipped two Java updates, dubbed Java for Mac OS X 10.6 Update 11 and Java for OS X 2012-006, that patched 20 critical vulnerabilities on OS X Snow Leopard, and OS X Lion and Mountain Lion, respectively.

Oracle patched the same 20 bugs -- and 10 more for good measure -- on Wednesday for Windows. The firm updated Java 5, 6 and 7 for Windows, and Java 7 for OS X.

Adam Gowdiak, founder and CEO of Polish security firm Security Explorations, reported most of the bugs that Oracle patched yesterday.

Gowdiak has found other Java vulnerabilities in the past. Earlier this year he reported more than a dozen. Months later, hackers independently uncovered one of the bugs, then began using it in widespread attacks during August.

But neither Oracle nor Apple addressed the critical zero-day vulnerability that Gowdiak submitted to Oracle late last month. The flaw impacted OS X as well as Windows versions of the software.

According to Gowdiak, Oracle told him it had received the bug report as it was wrapping up testing of the Oct. 16 update, and was unable to work up a fix in time. "Oracle confirm[ed] that it is on track to deliver fixes for [this bug] in the next Java SE Critical Patch Update which ships in February 2013," Gowdiak wrote on his firm's bug status website.

In the hope that he could prod Oracle to act quickly last month, Gowdiak had gone public -- albeit minus technical details -- rather than privately reporting it to Oracle and waiting for the company to quietly patch Java. But the strategy came up bust. "[We also asked] for the reason of sticking to Oracle's semi-quarterly patch release schedule, which means [an] additional four months to wait for a patch for a critical security issue in Java," Gowdiak noted. Oracle patches Java approximately every four months. As Gowdiak alluded, the next regularly-scheduled update is slated to ship Feb. 19, 2013.

The last time Apple updated Java was in early September, when it fixed flaws Oracle had addressed weeks earlier with an emergency update that aimed to squash aggressive and widespread attacks exploiting a vulnerability.

Users running Java 6 and earlier can grab the update for their version of OS X by triggering Software Update from the Apple menu. Java 7 can be updated by downloading the new version, Java SE Runtime Environment 7u9, from Oracle's website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send email to gkeizer@9.netcom.com or subscribe to Gregg's RSS feed.

Copyright © 2012 IDG Communications, Inc.