What Mac Users Need to Know About the Java Security Update

The recent Java security update has some minor implications for the average Mac user. Here's what you need to know in terms of making sure your Mac is secure, how to verify that your update worked, and how to make sure native Java apps developed for Java 6 will still work.


Very briefly, what you need to know is that, historically, Apple had always integrated Java into its Macs for developers and users. In 2012, Oracle agreed to assume responsibility for Java, starting with Java 7. So the last version of Java that Apple has integrated into OS X is Java 6.

Previously, the question was whether Java was even installed. If you type this terminal command:

java -version

... you will see the version of Java that's installed for local Java applications (like CrashPlan) to use. This, however, doesn't necessarily tell you what version of the Java Runtime Environment (JRE) is installed, and that's what's of interest when discussing this latest exploit.

By the way, the Java numbering scheme is somewhat odd. Historically, Java "N" is numbered as 1.N, so if you see "1.6" in the version number, that's Java 6.

How Are Users Affected?

The security vulnerability recently reported was exploited by the use of a Java applet, delivered by a malicious website, that runs in your browser. A Java plug-in is required to run it. As a result, you'd only have to worry if you visited one of the maliciously crafted websites with a previous version of the Java JRE. What's the linkage there? The Java plug-in pointed to Apple's Java 6 JRE. That became a potential problem (though Oracle originally reported that the exploit only affected Java 7, not Java 6).

In order to prevent that, on January 10, Apple used its XProtect mechanism, updated remotely, to prevent the Java plug-in from working if an older version of Java were installed.

On the other hand, specialized Java apps written for your Mac, such as CrashPlan, would not be affected because they run stand-alone, not via a browser and Java plug-in. Also, those apps need to find and use the Java Runtime Environment (JRE), and almost all have been written for Java 6. When you enter "java -version" at the Terminal command line, you're likely to be pointing to the Java 6 previously installed by you (or by a Java product) and also used by the developer on his Mac to build the Java app.

Mountain Lion doesn't come installed with Java, so if you enter that command, you'll get an invite to install Apple's last integrated version, Java 6. Unless you know you need to run Java for a specific application, you have no need to do that.

Oracle's Update

When you visit a specific Oracle webpage to update to the latest version of Java 7, in response to the security alert, you'll be updating your Java plug-in only. (That plug-in is in /Library/Internet Plug-ins.) It knows how to run Java applets on its own now because buried inside it is a new JRE (build 1.7.0_11-b21). Here is the page where you can do that. It looks like this.

That page serves as a test page, to verify your Java plug-in version and also download a new version if required.

Essentially, any previous installation of the full Java 6 Runtime Environment (JRE) from Apple is unaffected. And if it's not there, you probably don't need it unless you're doing development.

Checking Your Version

When you update to Oracle's latest version, using the link above, you'll also see a new Preference Pane in System Preferences. It looks like this:

Partial view of System Preferences

You can navigate to the "Java" tab in the middle and see the version. Right now, that should be 1.7.0_11. That's also a confirmation of the test page above.
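As an added illustration (not from the article), the shell functions below parse "java -version" output, apply the 1.N = Java N numbering described earlier, and compare the result against the 1.7.0_11 build named above. The sample outputs are constructed, and the plug-in path in the closing comment is an assumption about where Oracle's installer places its embedded JRE.

```shell
#!/bin/sh
# Added example (not from the article): parse "java -version" output, map the
# 1.N numbering to "Java N", and check it against the 1.7.0_11 plug-in build.
# Runs on constructed sample output so it works on any system; on a Mac,
# feed it the real output of: java -version 2>&1

# Pull the quoted version string out of java -version output, e.g.
#   java version "1.6.0_37"   ->  1.6.0_37   (empty if no such line)
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/.*java version "\([^"]*\)".*/\1/p' | head -n 1
}

# 1.N.0_UU -> N, the marketing name "Java N" (1.6 -> 6, 1.7 -> 7).
java_major() {
    printf '%s\n' "$1" | awk -F. '{ print $2 }'
}

# Returns 0 if $1 >= $2, comparing major.minor.patch_update numerically;
# a plain string compare would wrongly rank 1.7.0_9 above 1.7.0_11.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "[._]"); split(b, y, "[._]")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 1
            if (x[i] + 0 > y[i] + 0) exit 0
        }
        exit 0
    }'
}

# Classify one java -version output against the fixed build:
#   none        - no Java runtime answered
#   java6       - Apple's last integrated runtime (used by stand-alone apps)
#   java7-old   - Oracle Java 7 below 1.7.0_11; update via Oracle's page
#   java7-fixed - 1.7.0_11 or later
classify_java() {
    v=$(parse_java_version "$1")
    [ -z "$v" ] && { echo none; return; }
    case "$(java_major "$v")" in
        6) echo java6 ;;
        7) version_at_least "$v" 1.7.0_11 && echo java7-fixed || echo java7-old ;;
        *) echo "java$(java_major "$v")" ;;
    esac
}

# Constructed sample outputs (not captured from a real Mac).
SAMPLE_APPLE_6='java version "1.6.0_37"
Java(TM) SE Runtime Environment (build 1.6.0_37-b06)'
SAMPLE_ORACLE_7_OLD='java version "1.7.0_10"'
SAMPLE_ORACLE_7_FIXED='java version "1.7.0_11"'

classify_java "$SAMPLE_APPLE_6"        # java6
classify_java "$SAMPLE_ORACLE_7_OLD"   # java7-old
classify_java "$SAMPLE_ORACLE_7_FIXED" # java7-fixed
# On a Mac, check the JRE buried inside the plug-in too (path is an assumption):
# "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -version
```

Because "java -version" reports whichever runtime the command-line java points to, the last comment matters: the plug-in's own embedded JRE is the one the browser uses.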

The Java Development Kit

Some users who expect to do development using Oracle's Java 7 may instead download the Java Development Kit (JDK). If you do that, it means that you are an expert user who expects to do development in Java 7. The full Java environment is installed, not just a new plug-in. Entering "java -version" after that install will show that you're now using Oracle's Java 7, not Apple's last supported version, Java 6.

More importantly, unless you know what you're doing with Java development, it could break any stand-alone Java apps you may have been using that depend on knowing where to find Java 6. (Most Java apps for the Mac have been written in Java 6.) The bottom line: don't install the JDK unless you're an expert user. Instead, use the link mentioned above simply to update your Java plug-in and install the Preference Pane.

With that, you're on your way. And note that the latest version of Java will require you to explicitly give any applet permission to run. There will be no more "silent" applets.


TMO's Dave Hamilton contributed to this article.