
In the wild exploit or Apple forces Oracle’s hand to release Java 7u13 early

2013-02-03 by Jason

I am going to need to start drinking coffee in order to deal with the issues Java is throwing. Of course, Java has been in the news recently since a vulnerability disclosed last August gained the attention of the media and was finally (partially) patched with Java 7u11. Following that, there are two separate issues: one on the Mac OS X side and one on the Windows side. The Mac issue came on Thursday and Friday last week, when the Mac OS X anti-malware service blacklisted all existing versions of Java. That lasted until Java 7u13 was released Friday afternoon. The Windows issue comes with the new version release: Java 6 is no longer supported, and an update trigger will uninstall Java 6 and install Java 7.

For many people, Java is not even necessary on their computer and not worth the security vulnerabilities of browsing with the plugin enabled. However, a number of web applications, from enterprises to universities, rely on Java, and unfortunately many of those actually require Java 6 or have some issues with Java 7.

Mac OS X

On Thursday, when a client called in to say that they were no longer able to access an enterprise application and instead only received an ‘Invalid plugin’ message, I found out from an Apple support thread that an update to the Mac OS X anti-malware service, XProtect or File Quarantine, blocked all then-current versions of Java. Specifically, it blocked all versions older than 7u12 and 6u38. A temporary workaround provided in the thread involved deleting /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, which would allow the current version of Java to work again until the next restart.

Fortunately, Oracle released a new version of Java on Friday afternoon so the temporary workaround was not needed for long. While Oracle had the next Java update scheduled for February 19th, the company decided to accelerate the release of the update due to exploits “in the wild” (and Apple’s blocking the plugin probably added weight to the speedy response). Java 7u13 is only compatible with Mac OS X 10.7 and 10.8.

This still left Mac OS X 10.6 users in the dark. Yesterday, Apple released an update for Java on Mac OS X 10.6 which updates the Apple-provided Java SE 6 to version 1.6.0_39.

On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets. You may re-enable Java applets by clicking the region labeled “Inactive plug-in” on a webpage. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.

Java

The Oracle Java SE Critical Patch for February 2013 contained 50 new security fixes.

In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities.  44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers).  In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets.  In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops).

Windows

Java on Windows is throwing a completely different set of problems. It comes down to the fact that Java 6 is no longer supported after February 2013. Back to our original story, Java 6 may still be needed by various applications, so some clients cannot uninstall version 6 and solely run Java 7. The just-released Java 6u39 is available for download along with Java 7u13.

Oracle has discussed taking a rather heavy-handed approach to upgrading computers and may trigger Java 6 to uninstall itself and install the latest in the Java 7 line after February 2013, according to the Java 6 Auto-Update to Java 7 FAQ.

In December 2012 Oracle will start to auto-update a sample of users from JRE 6 to JRE 7 to evaluate the auto-update mechanism, user experience and seamless migration. Oracle will then start auto-updating all Windows 32-bit users from JRE 6 to JRE 7 with the update release of Java, Java SE 7 Update 11 (Java SE 7u11), due in February 2013.

To be fair to Oracle, the company announced in February 2011 that Java 6 would no longer receive public updates after July 2012. Oracle provided two separate four-month extensions, which brings us to February 2013. The FAQ provides a lot of clarity on concerns surrounding the auto-update, but it still causes uneasiness for any IT shops whose clients require Java 6. The auto-update is not silent and will require an administrative user to trigger the update. A PC can be reverted back to Java 6 by uninstalling Java 7 and installing the latest Java 6, which will only be available for download until April 2013 unless you have a support contract with Oracle.

When will the auto-update from JRE 6 to JRE 7 happen?
We will do a first test by auto-updating a small percentage of users, randomly chosen, from JRE 6 to 7 in December 2012. The full auto-update from JRE 6 to 7 for all users is planned to be turned on in February 2013.

If your organization needs Java 6, make your plans sooner rather than later to manage Java and prevent the Java 7 auto-update. One approach might be to use Group Policy Preferences to push out a registry key to disable Java auto-updates. Under HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy and (for 64-bit Windows) HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy:

"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000
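
One way to set these two values on a single machine and read them back to confirm they took effect, as an added example that is not from the original article. The -AuditOnly switch and the report layout are assumptions made here; the key paths and value names are the ones given above.

```powershell
# Added example: enforce or audit the Java auto-update policy values named above.
# Run from an elevated 64-bit PowerShell prompt; writing to HKLM needs admin rights.
param([switch]$AuditOnly)   # hypothetical switch: report only, change nothing

$policyKeys = @('HKLM:\SOFTWARE\JavaSoft\Java Update\Policy')
# Wow6432Node exists only on 64-bit Windows, where it holds settings for 32-bit Java.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $policyKeys += 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy'
}
$valueNames = 'EnableJavaUpdate', 'EnableAutoUpdateCheck'

$report = foreach ($key in $policyKeys) {
    if (-not $AuditOnly) {
        # Create the Policy key if Java has not created it yet, then force both DWORDs to 0.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $valueNames) {
            New-ItemProperty -Path $key -Name $name -Value 0 `
                -PropertyType DWord -Force | Out-Null
        }
    }
    foreach ($name in $valueNames) {
        # Read back what is actually stored; a missing key or value is non-compliant.
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $name `
                -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Value     = $current
            Compliant = ($null -ne $current -and $current -eq 0)
        }
    }
}

$report | Format-Table -AutoSize
# Non-zero exit code lets a deployment or monitoring tool flag machines that drifted.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Running it with -AuditOnly after a Java install or upgrade shows whether the installer left the policy values in place.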

You will want to ensure that your users still receive Java 6u39 though since there are substantial security fixes in the latest release. Do you have a plan for managing Java updates or will your organization be scrambling to downgrade after the auto-update?
