March 05, 2013, 9:44 AM — Apple on Monday patched Java 6 for OS X, following Oracle's lead and quashing a browser plug-in vulnerability that hackers have been exploiting.
Oracle issued the "out-of-band," or emergency, update for Java 6 and Java 7 to patch two critical vulnerabilities. One of those bugs -- designated CVE-2013-1493 -- has been exploited in the wild since at least Feb. 28, according to security firm FireEye, which discovered the attacks.
Because Apple maintains Java 6 for OS X -- unlike Java 7, which Oracle handles -- it followed with its own update, as usual.
But Oracle also said that Monday's update would be the final for the aging software. "This release is the last of publicly available JDK 6 Updates," Oracle said in its release notes. "Oracle recommends that users migrate to JDK 7 in order to continue receiving public updates and security enhancements."
That advice works for Windows users: Java 7 runs on all Microsoft-supported versions of its operating system, including Windows XP.
However, not all Mac users can upgrade to Java 7, which requires OS X Lion, or its successor, Mountain Lion. According to Web metrics company Net Applications, 37% of all Macs last month ran a version of OS X older than Lion. The majority of those users relied on OS X Snow Leopard, the 2009 operating system that is stubbornly resisting retirement.
But that doesn't necessarily mean that Snow Leopard users will be out in the cold, Java-wise.
Contrary to what Computerworld reported in December, when it said Snow Leopard users would be without Java 6 security updates as soon as Oracle pulled the plug, further investigation has provided more than a glimmer of hope.
Apple relies on Oracle to craft Java 6 patches, and so without Oracle creating patches, Apple would seemingly have nothing to distribute. Not quite.
Oracle will continue to come up with security patches for Java 6, but those will only be distributed to enterprises that have negotiated contract support plans with Oracle. And if the past is any indicator, Apple will have access to those only-for-corporate-customers patches and will use them to draft updates for its own users.
The future is murky, as it always is with Apple support -- unlike Microsoft, the company does not spell out its support policies in black and white -- but there is precedent.
For OS X 10.5, known as Leopard, Apple provided Java 5 updates well after Sun Microsystems, the creator and former owner of Java, stopped serving public patches.
Sun stopped Java 5 support with Java 5 Update 22 (Java 5u22), which it released Nov. 4, 2009. But Apple continued to issue Java 5 updates for Leopard until June 2011, when it released patches that it said pushed the software up to Java 5u30.
Those patches were for flaws that Oracle -- by then it had acquired Sun and taken control of Java -- identified as fixes for its business customers.
If Apple follows that same timeline, it will support Java 6 for approximately a year and a half, or deep into 2014.
There's no guarantee. The closest Apple has come to that was when it deprecated Java, telling developers that it would no longer ship Java with OS X. "The Java runtime shipping in OS X v10.6 Snow Leopard, and OS X v10.5 Leopard, will continue to be supported and maintained through the standard support cycles of those products," Apple said at the time.
Leopard's support cycle has long ended -- the last Java update for OS X 10.5 was issued in mid-2011, and its last security update released in May 2012 -- but Snow Leopard's has not come to an end. (Apple shipped a security update for OS X 10.6 in September, for example, alongside the most recent fixes for Lion and Mountain Lion.)
Apple might want to play it safe and continue to patch Java for Snow Leopard, both because of the recent rash of Java "zero-days," or vulnerabilities exploited before they have been patched, and because Apple was embarrassed last year when a then-unpatched Java bug gave hackers a way to infect hundreds of thousands of Macs in the widespread "Flashback" malware campaign.
The massive numbers of customers who remain on Snow Leopard -- as of last month, OS X 10.6 powered 27.5% of all Macs -- might also weigh in Apple's decision.
Ironically, Monday's update was a bonus for both Windows and Mac users. Previously, Oracle had said it would end public support for Java 6 with its Feb. 19 update. Oracle had also extended Java 6's EOL, or "end-of-life," twice last year, first from July to November 2012, then again from November 2012 to February 2013.
OS X Lion and Mountain Lion users who require Java should upgrade as soon as possible to Java 7, which Oracle plans to maintain at least until July 2014, and Apple may support even longer.
The next scheduled Java 7 update is set for April 16. If Apple continues support for Java 6 on Snow Leopard, it will issue that update the same day.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about application security in Computerworld's Application Security Topic Center.