[Updated 10:30 pm 2013-04-17 to reflect the correct version of Java provided by Apple, 6u45]
There was a scheduled Java update on Tuesday 2013-04-16. Both Apple and Oracle provided updates. Here is the list:
From Apple
1) Java for Mac OS X 10.6 Update 15
Available via Software Update. This updates Mac OS X 10.6 Snow Leopard users to Java version 6 update 45, aka 6u45.
Apple's security content document:
http://support.apple.com/kb/HT5734
2) Java for OS X 2013-002
Available via Software Update. This updates OS X 10.7 Lion and 10.8 Mountain Lion users to Java version 6 update 45, aka 6u45.
Apple's security content document:
http://support.apple.com/kb/HT5734
From Oracle
Java 7 update 21, aka 7u21
Available directly from Oracle via the link above.
Oracle Java SE Critical Patch Update Advisory - April 2013:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
PROBLEM WITH APPLE'S 2013-002 UPDATE
Apparently, it is NOT up-to-date!
Apple states that it is providing Java 6 update 45. However, their documentation is not listing the patching of all the known CVE security holes Oracle lists for Java 6 update 43 and below. I have documented the difference ahead.
[Note that earlier in the day it was not clear that Apple had updated beyond Java 6 update 43. Now apparently their documentation is making it clear that Java 6 update 45 is indeed what is provided. Apologies if I added to the confusion!]
Therefore, if you have OS X 10.7.3 or higher on you Mac, and you use Java while browsing the Internet, I STRONGLY suggest installing Oracle's Java 7 update 21 (7u21) on top of Apple's update.
Current Java CVE Issues
Oracle's Java 7u21 patches 42 CVE security holes. Apple's Java 6u45 patches 21 CVE security holes.
You can access Oracle's Java SE Risk Matrix here:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html#AppendixJAVA
I'm going to restate Oracle's list of CVEs below in order to point out what has been patched and what remains unpatched in each of the updates from Oracle and Apple. Those that are in bold have been patched by both Oracle's 7u21 update and Apple's 6u42 update. Those in plain text have only been updated in Oracle's 7u21 update. At the end of the list is one CVE in italics that was patched by Apple's 6u42 update but is not listed in Oracle's 7u21 update and remains listed but 'unspecified' in the CVE databases. Those listed in red affect Java 7 only, not Java 6.
CVE-2013-2383
CVE-2013-2384
CVE-2013-1569
CVE-2013-2434
CVE-2013-2432
CVE-2013-2420
CVE-2013-1491
CVE-2013-1558
CVE-2013-2440
CVE-2013-2435
CVE-2013-2431
CVE-2013-2425
CVE-2013-1518
CVE-2013-2414
CVE-2013-2428
CVE-2013-2427
CVE-2013-2422
CVE-2013-1537
CVE-2013-1557
CVE-2013-2421
CVE-2013-0402
CVE-2013-2426
CVE-2013-2436
CVE-2013-1488
CVE-2013-2394
CVE-2013-2430
CVE-2013-2429
CVE-2013-1563
CVE-2013-2439
CVE-2013-0401
CVE-2013-2419
CVE-2013-2424
CVE-2013-1561
CVE-2013-1564
CVE-2013-2438
CVE-2013-2417
CVE-2013-2418
CVE-2013-2416
CVE-2013-2433
CVE-2013-1540
CVE-2013-2423
CVE-2013-2415
CVE-2013-2437
Summary: If I can believe both Apple and Oracle's lists of patched CVEs, this means that the following CVE security holes REMAIN in Apple's Java 6u45 update:
CVE-2013-1518 - Unspecified details.
CVE-2013-2439 - Unspecified details.
CVE-2013-0401
Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013.CVE-2013-2418 - Unspecified details.
Again note: Documentation confusion indicates these four CVEs were not patched by Apple's Java 6u45 update. Ideally, I'd like to verify that this is the fact in the near future. I'm hoping this discrepancy in documentation is straightened out.
CONCLUSION:
If you want to surf the net with Java running, and you're using OS X 10.7.3 or higher, please install Apple's Java 6u45 update FIRST, then install Oracle's Java 7u21 update.
We know full well that there are still unpatched security holes in Java 7u21. Therefore, it is CRITICAL to 'Just Turn Java Off' until you have loaded a trusted web page. Then turn Java ON and reload that page. Before you leave that page, 'Just Turn Java Off' again. I've covered how to turn Java on and off in previous posts.
STUPID NEWS:
Oracle has REMOVED the checkboxes for turning Java On and Off as of Java 7u21. Therefore, I can't rant about their dysfunctionality any longer, Oracle gave up trying to get their checkboxes to work, and apparently Oracle no longer even pretends there is a way to turn Java off inside its own control panel. Stupid deluxe. I have to wonder if Oracle itself understands Java well enough to get dead simple checkboxes to work.
I find this to be incredibly shameful.
Oracle: I HATE YOU.
And Apple: Either your documentation of patched CVEs is incomplete, or Oracle has provided an erroneous list of current CVEs! Either way, I'd feel more secure knowing the four 'unpatched' CVEs I list above actually had been patched by 6u45, or that they were actually inapplicable to 6u45. I'm left confused as to the full state of affairs. No wonder newbies and regular users find these updates confusing.
--
No comments:
Post a Comment