404 Tech Support

In the wild exploit or Apple forces Oracle’s hand to release Java 7u13 early

I am going to need to start drinking coffee in order to deal with the issues Java is throwing. Of course, Java has been in the news recently since a vulnerability disclosed last August gained the attention of the media and was finally (partially) patched with version Java 7u11. Following that, there are two separate issues: one on the Mac OS X side and one on the Windows side. The Mac issue was Thursday and Friday last week, when the Mac OS X anti-malware service blacklisted all existing versions of Java. That is, until Java 7u13 was released Friday afternoon. The Windows issue comes with the new version release, as Java 6 is no longer supported and an update trigger will uninstall Java 6 and install Java 7.

For many people, Java is not even necessary on their computer and not worth the security vulnerabilities of browsing with the plugin enabled. However, there are a number of web applications out there that rely on Java, from enterprises to universities, and unfortunately many of those actually require Java 6 or have some issues with Java 7.

Mac OS X

On Thursday, when a client called in that they were no longer able to access an Enterprise application and instead only received an ‘Invalid plugin’ message, I found an Apple support thread that an update to the Mac OS X anti-malware service, XProtect or File Quarantine, blocked all then-current versions of Java. Specifically, it blocked all versions older than 7u12 and 6u38. A temporary workaround was provided in the thread that involved deleting /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, which would allow the current version of Java to work again until the next restart.

Fortunately, Oracle released a new version of Java on Friday afternoon so the temporary workaround was not needed for long. While Oracle had the next Java update scheduled for February 19th, the company decided to accelerate the release of the update due to exploits “in the wild” (and Apple’s blocking the plugin probably added weight to the speedy response). Java 7u13 is only compatible with Mac OS X 10.7 and 10.8.

This still left Mac OS X 10.6 users in the dark. Yesterday, Apple released an update for Java on Mac OS X 10.6 which updates the Apple-provided Java SE 6 to version 1.6.0_39.

On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets. You may re-enable Java applets by clicking the region labeled “Inactive plug-in” on a webpage. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.

Java

The Oracle Java SE Critical Patch for February 2013 contained 50 new security fixes.

In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities. 44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers). In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets. In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops).

Windows

Java on Windows is throwing a completely different set of problems. It comes down to the fact that Java 6 is no longer supported after February 2013. Back to our original story, Java 6 may still be needed by various applications, so clients cannot uninstall version 6 and solely run Java 7. Java 6u39 has just been released and is available for download along with Java 7u13.

Oracle has discussed taking a rather heavy-handed approach to upgrading computers and may trigger Java 6 to uninstall itself and install the latest in the Java 7 line after February 2013, according to the Java 6 Auto-Update to Java 7 FAQ.

In December 2012 Oracle will start to auto-update a sample of users from JRE 6 to JRE 7 to evaluate the auto-update mechanism, user experience and seamless migration. Oracle will then start auto-updating all Windows 32-bit users from JRE 6 to JRE 7 with the update release of Java, Java SE 7 Update 11 (Java SE 7u11), due in February 2013.

To be fair to Oracle, the company announced in February 2011 that Java 6 would no longer receive public updates after July 2012. Oracle provided two separate four month extensions which brings us to February 2013. The FAQ provides a lot of clarity to concerns surrounding the auto-update but it still causes uneasiness for any IT shops whose clients require Java 6. The auto-update is not silent and will require an administrative user to trigger the update. A PC can be reverted back to Java 6 by uninstalling Java 7 and installing the latest Java 6, which will only be available for download until April 2013 unless you have a support contract with Oracle.

When will the auto-update from JRE 6 to JRE 7 happen?
We will do a first test by auto-updating a small percentage of users, randomly chosen, from JRE 6 to 7 in December 2012. The full auto-update from JRE 6 to 7 for all users is planned to be turned on in February 2013.

If your organization needs Java 6, make your plans sooner rather than later to manage Java and prevent the Java 7 auto-update. One approach might be to use Group Policy Preferences to push out a registry key to disable Java auto-updates. Under HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy and (for 64-bit Windows) HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy:

"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000
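For a single machine or a startup script rather than Group Policy Preferences, here is the same change as a PowerShell script, added for this post and not Oracle's or the article's own code: it sets both policy values under both hives and then audits them alongside the JRE version subkeys Oracle's installer writes, so you can confirm 6u39 still arrived. It assumes the standard installer layout (HKLM\SOFTWARE\JavaSoft and, on 64-bit Windows, the Wow6432Node mirror).

```powershell
# Added example: disable the Java auto-update trigger under the two hives
# named in the article, then report the result and the installed JRE
# release keys. Run from an elevated PowerShell prompt.

$PolicyPaths = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy'
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy'  # 64-bit Windows only
)

function Disable-JavaAutoUpdate {
    foreach ($path in $PolicyPaths) {
        # Wow6432Node only exists on 64-bit Windows; do not create it on 32-bit.
        if ($path -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Same values as the .reg fragment above: both DWORD 0
        Set-ItemProperty -Path $path -Name 'EnableJavaUpdate'      -Value 0 -Type DWord
        Set-ItemProperty -Path $path -Name 'EnableAutoUpdateCheck' -Value 0 -Type DWord
    }
}

function Get-JavaUpdateStatus {
    foreach ($path in $PolicyPaths) {
        $policy = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        # The JRE installer records each installed release as a subkey such as
        # 1.6, 1.6.0_39 or 1.7.0_13 under the same hive's JavaSoft branch.
        $jreKey   = $path -replace 'Java Update\\Policy$', 'Java Runtime Environment'
        $versions = Get-ChildItem -Path $jreKey -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty PSChildName
        [pscustomobject]@{
            Hive                  = $path
            EnableJavaUpdate      = $policy.EnableJavaUpdate        # expect 0
            EnableAutoUpdateCheck = $policy.EnableAutoUpdateCheck   # expect 0
            InstalledJreKeys      = ($versions -join ', ')
            HasJava6u39           = [bool]($versions -contains '1.6.0_39')
        }
    }
}

Disable-JavaAutoUpdate
Get-JavaUpdateStatus | Format-List
```

A HasJava6u39 of False on a machine that still needs Java 6 means the security update was blocked along with the Java 7 auto-update and has to be pushed separately.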

You will want to ensure that your users still receive Java 6u39 though since there are substantial security fixes in the latest release. Do you have a plan for managing Java updates or will your organization be scrambling to downgrade after the auto-update?