December 19, 2012, 4:36 PM — Java 6 will be retired from security support in less than two months, and users and businesses should prepare now for its demise, experts said today.
Oracle will publicly patch Java 6 for the last time on Feb. 19, 2013. After that date, only enterprises with contract support plans will receive security updates, according to the Java support roadmap.
That means consumers and most businesses should upgrade to Java 7 as soon as possible, said security professionals Wednesday.
"If you're not able to upgrade [to Java 7], you'd better have some pretty deep in-depth defenses in place," warned Jason Miller, manager of research and development at VMware.
Miller has a point: In 2012, Java vulnerabilities were widely targeted by exploit writers and hackers. Last March, for example, approximately 2% of all Macs were infected with Flashback, malware that exploited a Java bug that Apple was sluggish in patching, even though Oracle had issued fixes for other platforms.
Apple continues to maintain Java 6 for OS X users but ceded responsibility for Java 7 to Oracle in 2010.
Miller thought there was more to Oracle's decision to push aside the 2006 software than Java 6's longer-than-usual life. "Java 6 was Sun's Java," Miller noted. "Java 7 is Oracle's first. It's Oracle's product now."
Oracle acquired Sun Microsystems in late 2010 after it offered $7.4 billion for Java's creator the year before. Oracle released Java 7 in July 2011.
Although Oracle extended Java 6's EOL, for "end-of-life," twice this year -- first from July to November 2012, then again from November 2012 to February 2013 -- Miller was certain that this time the date would stick.
"At some point, they just have to say it's retired," said Miller, comparing Oracle's situation to that of Microsoft, which has delayed Windows XP's retirement, but now seems ready to stand by an April 2014 expiration date.
While individuals may have little trouble upgrading to Java 7, enterprises face a bumpier road.
IT administrators and Java developers are the most at risk of not making the deadline, said Miller. "They really need to test their [Java] apps," said Miller, and if necessary, rebuild or modify their in-house and public apps.