Forget Apple: Oracle to bring Java security fixes directly to Mac users

Macs are finally welcome to the regular Java update train.

Oracle released Java SE 7 Update 4 this week, which finally gives Mac owners the means to receive critical Java security patches at the same time they're available for users of Windows and Linux operating systems. The new release means that OS X should be receiving regular Java updates directly from the source—helping to prevent attacks like the recent Flashback infection—as well as a fully supported Java development environment.

Before this week, Apple built and released a version of Java for OS X on its own, and often lagged weeks or months behind Oracle in pushing out updates that patched serious security holes. However, Apple deprecated its own Java Virtual Machine (JVM) and other tools in 2010. Though the company committed to maintaining Java for Leopard and Snow Leopard, it warned that "developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X."

Former Apple CEO Steve Jobs explained the reasoning behind the change in an e-mail to a concerned Java developer in late 2010. "Sun (now Oracle) supplies Java for all other platforms," Jobs reportedly wrote. "They have their own release schedules, which are almost always different than ours, so the Java we ship is always a version behind. This may not be the best way to do it."

In other words, Oracle was responsible for Java development on Windows, Linux, and other platforms, and would be going forward for OS X as well.

However, updates for Java on the Mac continued to lag behind other platforms. This lag is largely responsible for the recent Flashback trojan infection, which created a botnet of more than half a million Macs. Though Oracle had long since patched the hole that was exploited for the attack, the patch hadn't made its way into versions for Snow Leopard or Lion.

Beginning in the latest update to Java SE 7, however, Oracle has made OS X (from Lion forward) a fully supported platform for both Java deployment—including a Java Platform 1.7 compliant JVM—and Java development. Update 4 includes a full OS X version of the Java Development Kit (JDK) and JavaFX 2.1.

According to Henrik Stahl, Oracle's senior director of Product Management for the Java platform, there are some remaining issues related to packaging and debugging tools, and the Java Plugin and Web Start features "will be added in subsequent releases." Still, Oracle JDK and JavaFX are "considered standard Oracle releases" and are fully supported.

"Future release of the Oracle JDK and JavaFX on Mac will follow the normal JDK release train with 4-6 releases every year," Stahl wrote on his blog. "The next major milestone is JDK 7 Update 6 where we plan to add support for Plugin and Web Start. JDK 8 will of course also support Mac OS X."

Until the Web plugin is available from Oracle, however, Mac users may still be vulnerable to attacks based on Java exploits. Users who don't update to Oracle's version and still rely on Apple's deprecated version could face a similar security vulnerability. The good news is that Oracle offers automated update tools, so applying patches should be a no-brainer for Lion users and beyond from now on.

Java Platform JDK 7u4, JavaFX 2.1, and NetBeans are available to download now, and support OS X 10.7. The Mac port of Java will also be maintained as open source under the OpenJDK project.
