Wednesday, February 20, 2013

Java Updates!
- From Apple: JRE v6u41 for OS X 10.6.8 - 10.8,
with a Java malware removal tool!
- From Apple: Java Plug-in v6u41 for OS X 10.6 (only).
- From Oracle: Java v7u15

--
Before I begin, let me clear up a major cause of confusion. This will help us understand exactly what's going on with these three different updates, two from Apple and one from Oracle:

Java 101, Short Bus Version:


There are two aspects of Java in OS X:


1) The JRE, Java Runtime Engine. Apple provides this in all versions of OS X and will continue to do so as long as Java survives as a viable programming language. The JRE is used primarily for Java applications. It is NOT the same thing as:


2) The Java web browser plug-in. The plug-in uses its own Java engine, not necessarily any of the JRE Apple provides. There are exceptions and you can ignore them for the sake of simplicity.


~~~


There are two concurrent versions of Java under development:


1) Java 6. The actual version number is Java 1.6. Every time it is updated it is given a 'u' or 'update' number. Today's update is Java 1.6 update 41, aka Java 6u41. Yes, this numbering system is stupid. Blame the now defunct Sun Microsystems. Oracle merely kept their convention.


2) Java 7. This is a progressed version of Java with added capabilities beyond version 6. Some consider it a 'beta' branch of Java. That is baloney. It is a full fledged version of Java. But most definitely this branch of Java is experimental. That's different from 'beta'. Yes, that's confusing. And yes, Java 7 really means Java 1.7. It has 'u' or 'update' numbers too, and yes, this numbering system is stupid: blame Sun Microsystems, not Oracle.
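As an added example (not from the original post, and not Apple's or Oracle's code), here is a small POSIX shell script that turns the `1.6.0_41` style string that `java -version` prints into the `6u41` form used above, and checks whether an installed JRE is at or above the patched levels this post covers (6u41 for Java 6, 7u15 for Java 7). The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): convert the "1.6.0_41" style
# version string that `java -version` prints into the "6u41" form, and check
# it against the patched update levels named in the post (6u41, 7u15).

# Convert "1.6.0_41" -> "6u41"; prints nothing and fails on unexpected input.
java_short_version() {
    case "$1" in
        1.[0-9]*.[0-9]*_[0-9]*)
            major=${1#1.}          # "6.0_41"
            major=${major%%.*}     # "6"
            update=${1##*_}        # "41"
            printf '%su%s\n' "$major" "$update"
            ;;
        *) return 1 ;;
    esac
}

# Return 0 when the given version is at or above the patched update level
# for its branch (Java 6 -> u41, Java 7 -> u15), 1 when it is behind,
# 2 when the branch is unknown or the string does not parse.
java_is_current() {
    short=$(java_short_version "$1") || return 2
    major=${short%%u*}
    update=${short#*u}
    case "$major" in
        6) minimum=41 ;;
        7) minimum=15 ;;
        *) return 2 ;;
    esac
    [ "$update" -ge "$minimum" ]
}

# Pull the quoted version out of the first line `java -version` prints.
# That output goes to stderr, hence the 2>&1 in the usage below.
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Usage on a real machine (Apple's and Oracle's java both print this form):
#   java_is_current "$(java_version_from_output "$(java -version 2>&1)")" \
#       && echo "JRE is at the patched level" || echo "JRE is behind"
```

The branch check matters because a Java 6 install reporting `1.6.0_41` is current while a Java 7 install reporting `1.7.0_13` is behind, even though 13 is a smaller number; comparing the update number alone across branches tells you nothing.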


~~~~~~~~~~~~~~~~~~


The Three Java Updates:


I) Java for Mac OS X 10.6 Update 13

Apple has released a Java update specifically for OS X 10.6.8. It is available via Software Update. You can read about it and download it here:

http://support.apple.com/kb/DL1573


Its security details are available here:


http://support.apple.com/kb/HT5647


What is provided:


A) Java JRE 6u41, along with updated other files that are part of Apple's system level JRE for OS X.


B) Java Plug-in 6u41. It is OFF by default in all web browsers that access it. These days, as far as I am aware, no web browsers provide their own version of the Java plug-in. All of them use the version of the plug-in installed into OS X.


C) Apple's Java malware removal tool. This tool is run during the installation process. It provides NO FEEDBACK to the user if it finds and removes any Java malware. Yes, this is stupid. Blame Apple. But at least the removal tool is there, and apparently it works just fine.


What you need to know after the installation:


Quoting from Apple's documentation:

On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.

IOW: The Java plug-in is OFF by default. It turns itself OFF again automatically after some unspecified period of time. If you want to use it on a web page, look for the 'Inactive plug-in' notice and click it to reactivate the plug-in for that unspecified period of time.

My added advice: It's a great idea to turn the Java plug-in OFF again before leaving every web page due to possible drive-by Java infections from malicious web pages. Leave it OFF until you visit another page where you require it.


~~~


II) Java for OS X 2013-001

Apple has released a Java update specifically for OS X 10.7 and 10.8. It is available via Software Update. You can read about it and download it here:

http://support.apple.com/kb/DL1572



Its security details are available here, maybe:

http://support.apple.com/kb/HT5666


Why 'maybe'? Apple has yanked the security page link off their 'Apple Security Updates' page, which is:


rant
I have no idea why this security page link was yanked by Apple. I am so UNimpressed with Apple's documentation team that I suspect someone accidentally sat on their keyboard, accidentally deleted it and no one noticed. *snark* In any case, the security page is still at Apple's website! I thankfully just happen to have the link, despite Apple's goofiness, and there you go. You're welcome.

If Apple's documentation team has a coherent editor at the helm, I haven't noticed. Yes, I've ranted at Apple about their lousy documentation team extensively. Apple don't reply. Apple apparently don't care. It's been this way for over a year. I could easily do a better job and I have meagre skills at editing. IASSOTS, etc.
/rant

What is provided:

A) Java JRE 6u41, along with updated other files that are part of Apple's system level JRE for OS X.

B) REMOVAL of any Java plug-in you have installed. You are left with NONE. You will see an alias in your /Library/Internet Plug-ins/ folder titled "JavaAppletPlugin.plugin" that leads into Apple's JRE installed into OS X. But it is NOT a plug-in. It merely triggers the "Missing plug-in" dialog discussed below. Again: No plug-in. It's gone, gone, gone.

C) Apple's Java malware removal tool. This tool is run during the installation process. It provides NO FEEDBACK to the user if it finds and removes any Java malware. Yes, this is stupid. Blame Apple. But at least the removal tool is there, and apparently it works just fine.

What you need to know after the installation:

Quoting from Apple's documentation:

This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a webpage, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle.

The plug-in you would be installing would be Oracle's most recent version of the Java 7 plug-in. Not Java 6! Java 7.

But if you want to install the current version of Oracle's Java plug-in, please read on...


~~~


III) Oracle's Java Plug-In 7u15

Oracle has provided their latest security patched version of the Java plug-in. It should ONLY be installed into OS X 10.7 and 10.8, NOT OS X 10.6. Again: NOT 10.6. OK?

It's the usual cruddy Oracle plug-in and Java System Preferences pane. I'm not going to review the thing here today. Maybe next week.

Remember to jam the security level to VERY HIGH. Then disable it anyway by moving it from your /Library/Internet Plug-ins folder to some other safe place, such as a folder named 'Internet Plug-ins (disabled)'. Do NOT trust the security settings. They were proven to be total garbage last month and probably still are. Do NOT attempt to turn off the plug-in within its preference pane. You're wasting your time. Just remove the thing. THEN restart your web browser.

ALSO, just to be extra careful, turn Java OFF in ALL your various web browsers.

AND, if you have to use Java on a specific website, remember to turn it OFF again BEFORE you leave that website. This is critical and can save your butt. Java is that dangerous.
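The plug-in removal and restore steps above, as an added shell example that is not part of the original post and is not Apple's or Oracle's code. It moves `JavaAppletPlugin.plugin` (the file name from section II) between `/Library/Internet Plug-ins/` and an `Internet Plug-ins (disabled)` folder, and it first tells apart the three states you can find: nothing installed, the Apple alias that only triggers "Missing plug-in", and a real plug-in bundle. The ROOT argument and the function names are my own; on a live Mac the functions run as root against `/`.

```shell
#!/bin/sh
# Added example (not from the original post, not Apple's or Oracle's code):
# inspect and disable the Java browser plug-in by moving it out of
# /Library/Internet Plug-ins/ into an "Internet Plug-ins (disabled)" folder.
# ROOT (default "/") is my own parameter so the functions can be exercised
# against a scratch copy of the directory layout before touching a real system.

PLUGIN_NAME="JavaAppletPlugin.plugin"

# Print one of: none | alias | bundle
#   none   - nothing at that path
#   alias  - a symlink into Apple's JRE (the leftover from Java for OS X
#            2013-001; it is not a plug-in, it only triggers "Missing plug-in")
#   bundle - a real plug-in directory (Oracle's plug-in, or Apple's on 10.6)
java_plugin_status() {
    root=${1:-/}
    path="$root/Library/Internet Plug-ins/$PLUGIN_NAME"
    if [ -L "$path" ]; then
        echo alias
    elif [ -d "$path" ]; then
        echo bundle
    else
        echo none
    fi
}

# Move a real plug-in bundle into the disabled folder. An alias or an absent
# plug-in is left untouched. Returns 0 when a bundle was moved, 1 otherwise.
# The browser still has the old copy loaded until it is restarted.
java_plugin_disable() {
    root=${1:-/}
    src="$root/Library/Internet Plug-ins/$PLUGIN_NAME"
    dest_dir="$root/Library/Internet Plug-ins (disabled)"
    [ "$(java_plugin_status "$root")" = bundle ] || return 1
    mkdir -p "$dest_dir"
    mv "$src" "$dest_dir/"
}

# Move the bundle back for the one site that genuinely needs Java.
# Returns 0 when restored, 1 when there is nothing in the disabled folder.
java_plugin_enable() {
    root=${1:-/}
    src="$root/Library/Internet Plug-ins (disabled)/$PLUGIN_NAME"
    [ -d "$src" ] || return 1
    mv "$src" "$root/Library/Internet Plug-ins/"
}

# Real use, as root, against "/":
#   java_plugin_status            # expect "bundle" after installing Oracle's 7u15
#   java_plugin_disable && echo "plug-in moved; now restart the browser"
```

Checking for the alias first is what keeps this honest on a 10.7 or 10.8 machine after the 2013-001 update: the status there is `alias`, which means there is no plug-in to disable, and moving the alias would gain nothing.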

~~~

And yes, Apple had some computers at their offices get infected with the recent Java drive-by infection malware. So did some computers at Facebook and Twitter. So did probably LOTS of computers! That's why Apple is providing the Java malware removal tool in their Java installers.

And no, neither Apple, nor Facebook, nor Twitter got 'hacked' or had any data stolen. The infections were limited to just the specific computers that hit the drive-by infections via the web. That is all. No horror story here.

~~~

Recommendation! Watch this week's 'Security Now!' podcast. It has a GREAT interview with one of my security heroes, Brian Krebs. You can find the video and audio versions of the podcast at TWiT.tv or iTunes. The small bandwidth audio and transcript versions of the podcast are at GRC.com. I was listening live today over at TWiT.tv and was extremely impressed. Brian talks at great length about his adventures in the 'underweb' as he calls it, hobnobbing with the malware rats and script kiddies. Lots of scary fun.

~~~

Sorry about no fun graphics today. I'm taking the rest of the week off, no matter what security FAIL hits town. Have fun. Be safe. Grow and become better. Enjoy.

:-Derek
--
