Apple updates Java for older Mac OS X - kills browser plugin
Following Oracle's Critical Patch Update (CPU) day, in which a large number of Java vulnerabilities were fixed, Apple has released an update for Java 6 on Mac OS X 10.6.8, 10.7 and 10.8. The timely update brings Apple's Java 6 in line with Oracle's Java 6 Update 37 but also removes the Apple-provided Java applet plugin from all web browsers. Apple had previously modified its plugin to reduce unnecessary exposure to Java-based malware by disabling the plugin if it had been unused for a period of time.
This policy has apparently not been sufficient and now the update completely removes the plugin; browsers will display a "missing plugin" message, which, if clicked, will take the user to Oracle's site where they can download the latest Java applet plugin from Oracle.
Apple no longer ships Java with Mac OS X 10.7 and 10.8, having replaced the Java binary with a program that offers to download a suitable Java Runtime Environment (JRE) for Java 6. This means that only users who have installed the Java 6 runtime will be prompted to install an update. Oracle has already taken over responsibility for Java 7 on Mac OS X and the Oracle applet plugin comes complete with Java 7. The steps taken seem designed to ensure that any user who does need Java on Mac OS X in the browser will run not only Oracle's applet plugin but also its latest Java 7 runtime.
Older versions of both Apple's and Oracle's Java runtimes contained 30 vulnerabilities, 29 of which are listed as remotely exploitable without authentication. Details of Oracle's Java CPU updates are available in the October 2012 Security Advisory, and the attached risk matrix gives further details of the flaws, which versions of Java they affect and where each flaw was found.
- About the security content of Java for OS X 2012-006 and Java for Mac OS X 10.6 Update 11, security advisory from Apple.