What Mac Users Need to Know About the Java Security Update


The recent Java security update has some minor implications for the average Mac user. Here's what you need to know in terms of making sure your Mac is secure, how to verify that your update worked, and how to make sure native Java apps developed for Java 6 will still work.

_________________

Very briefly, what you need to know is that, historically, Apple had always integrated Java into its Macs for developers and users. In 2012, Oracle agreed to assume responsibility for Java, starting with Java 7. So the last version of Java that Apple has integrated into OS X is Java 6.

Previously, the question was whether Java was even installed. If you type this terminal command:

java -version

... you will see the version of Java that's installed for local Java applications (like CrashPlan) to use. This, however, doesn't necessarily tell you what version of the Java Runtime Environment (JRE) is installed, and that's what's of interest when discussing this latest exploit.

By the way, the Java numbering scheme is somewhat odd. Historically, Java "N" is numbered as 1.N, so if you see "1.6" in the version number, that's Java 6.
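As an added example (not from the article), the small POSIX shell script below parses the first line that "java -version" prints, applies the 1.N naming rule just described, and reports whether that runtime is at or above the 1.7.0_11 build the article says Oracle's update delivers; the function names are my own, and the sample version lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the article. Parse `java -version` output, map Java's
# 1.N numbering to "Java N", and check for at least build 1.7.0_11.
# Function names (jv_*) are hypothetical; sample lines are constructed.

# Pull the quoted version string (e.g. 1.6.0_37) out of a `java -version` line.
jv_string() {
    printf '%s\n' "$1" | sed -n 's/.*"\([0-9][0-9._]*\)".*/\1/p'
}

# Map 1.N to N (so "1.6.0_37" -> 6); later Java releases drop the leading "1.".
jv_major() {
    jv_string "$1" | awk -F. '{ m = ($1 == 1) ? $2 : $1; print m }'
}

# Return 0 (true) when the version is 1.7.0_11 or newer, 1 otherwise.
jv_is_patched() {
    v=$(jv_string "$1")
    [ -n "$v" ] || return 1                       # no parseable version line
    set -- $(printf '%s\n' "$v" | tr '._' '  ')   # "1.7.0_11" -> 1 7 0 11
    maj=${1:-0}; min=${2:-0}; upd=${4:-0}
    [ "$maj" -gt 1 ] && return 0                  # e.g. "9.0.1": newer than any 1.x
    [ "$min" -gt 7 ] && return 0                  # 1.8 and later
    [ "$min" -lt 7 ] && return 1                  # Java 6 or older
    [ "$upd" -ge 11 ]                             # Java 7: need update 11 or later
}

# Check the runtime on the PATH when there is one. `java -version` writes to
# stderr, hence the redirect. (On Mountain Lion without Java this command
# triggers Apple's install prompt, as the article describes.)
if command -v java >/dev/null 2>&1; then
    line=$(java -version 2>&1 | head -n 1)
    echo "Terminal java: Java $(jv_major "$line") ($(jv_string "$line"))"
    if jv_is_patched "$line"; then
        echo "at or above 1.7.0_11"
    else
        echo "below 1.7.0_11 (this is the /usr/bin runtime, not the browser plug-in)"
    fi
fi
```

Note that this checks the runtime "java -version" finds, which on a Mac that only updated the plug-in is still Apple's Java 6; the browser plug-in's own JRE is what the security update replaces.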

How Are Users Affected?

The security vulnerability recently reported was exploited through a Java applet, delivered by a malicious website, that runs in your browser. A Java plug-in is required to run it. As a result, you'd only have to worry if you visited one of the maliciously crafted websites with a previous version of the Java JRE. What's the linkage there? The Java plug-in pointed to Apple's Java 6 JRE. That became a potential problem (though Oracle originally reported that the exploit only affected Java 7, not Java 6).

To prevent that, on January 10, Apple used its XProtect mechanism, updated remotely, to block the Java plug-in from running if an older version of Java was installed.

On the other hand, specialized Java apps written for your Mac, such as Crash Plan would not be affected because they run stand-alone, not via a browser and Java plug-in. Those apps still need to find and use a Java Runtime Environment (JRE), and almost all have been written for Java 6. When you enter "java -version" in the Terminal, you're most likely pointing to the Java 6 previously installed by you (or by a Java product), the same version the developer used on his Mac to build the Java app.

Mountain Lion doesn't come with Java installed, so if you enter that command, you'll get a prompt to install Apple's last integrated version, Java 6. Unless you know you need to run Java for a specific application, you have no need to do that.

Oracle's Update

When you visit a specific Oracle webpage to update to the latest version of Java 7 in response to the security alert, you'll be updating your Java plug-in only. (That plug-in is in /Library/Internet Plug-ins.) It now knows how to run Java applets on its own, because buried inside it is a new JRE (build 1.7.0_11-b21). Here is the page where you can do that. It looks like this.

That page serves as a test page, to verify your Java plug-in version and also download a new version if required.

Essentially, any previous installation of the full Java 6 Runtime Environment (JRE) from Apple is left unaffected. And if it's not there, you probably don't need it unless you're doing development.

Checking Your Version

When you update to Oracle's latest version, using the link above, you'll also see a new Preference Pane in System Preferences. It looks like this:

Partial view of System Preferences

You can navigate to the "Java" tab in the middle and see the version. Right now, that should be 1.7.0_11. That's also a confirmation of the test page above.

The Java Development Kit

Some users who expect to do development using Oracle's Java 7 may instead download the Java Development Kit (JDK). If you do that, it means that you are an expert user who expects to do development in Java 7. The full Java environment is installed, not just a new plug-in. Entering "java -version" after that install will show that you're now using Oracle's Java 7, not Apple's last supported version, Java 6.

More importantly, unless you know what you're doing with Java development, it could break any stand-alone Java apps you may have been using that depend on knowing where to find Java 6. (Most Java apps for the Mac have been written for Java 6.) The bottom line: don't install the JDK unless you're an expert user. Instead, use the link mentioned above simply to update your Java plug-in and install the Preference Pane.

With that, you're on your way. And note that the latest version of Java will require you to explicitly give any applet permission to run. There will be no more "silent" applets.

__________________________

TMO's Dave Hamilton contributed to this article.


7 Comments

jbruni

Also, if you don’t use any web-based Java programs for a period of time, Safari will automatically disable the Java plugin. (IIRC, after 30 days).

You can check the plug-in’s status in Safari in Preferences->Security. The “Enable Java” checkbox will indicate if the plug-in can run.

Frank Lowney

When Apple handed Java over to Oracle, certain Apple-developed libraries became unavailable to Mac users. Consequently, some Java applets have lost functionality on the Mac, whereas they continue to function as advertised under Windows.
I know this because we (Georgia College) developed a server that uses two Java applets: JFileUpload and Vimas Video Applet.  The JFileUpload applet enabled drag & drop upload of files and that function has been lost.  The Vimas Video Applet used connected or built-in cameras to capture video and upload it to the server.  It still does that but gives no visual feedback to the person recording themselves.

Kenoodle

Recent Mac versions of Firefox automatically disable the Java Applet Plug-in with a warning about enabling it.

Infoprov

The article correctly mentions that “specialized Java apps written for your Mac, such as Crash Plan would not be affected because they run, stand-alone, not via a browser and Java plug-in.”

In addition, however, CrashPlan requires Java 6 and will not run with Java 7, so CrashPlan users should not upgrade to it.
<https://crashplan.zendesk.com/entries/22199717-apple-update-java-1-06-0-37-causes-crashplan-to-not-start-for-anyone-running-java-1-6-alongside-1-7>

Hank

What’s a big red “TERMINATED” in fake rubber stamp font mean, alongside a prompt to update Java?  Mountain Lion.  Java’s turned off in the security panel.

James

I ran this update. Everything is working great. However, when I open the Java Pref Pane, it tells me I’m running Java 1.7.0_11; but the Terminal command still shows I’m running 1.6.0_37. What does that mean?

John Martellaro

James: It means that the JRE installed by Apple in /usr/bin, used by a developer, is still the older version. On the other hand, Oracle installs *its own JRE* in a new Java plug-in for use by the browser.

That’s not great, but it seems to be the result of the transition from the days when Apple maintained Java on the Mac.

If you want the full Java 1.7 for development, download the 1.7 JDK, as explained above; then your terminal will show the new version also.
