Following Oracle’s Critical Patch Update (CPU) day, on which Java bugs were fixed, Apple released an update for Java 6 on Mac OS X 10.6.8, 10.7 and 10.8.
The update brings Apple’s Java 6 in line with Oracle’s Java 6 Update 37 but also removes the Apple-provided Java applet plugin from all web browsers. Previously, Apple modified its plugin to reduce unnecessary exposure to Java-based malware by disabling the plugin if the user had not used it for a period of time.
That policy has now shifted: the update removes the plugin completely. Browsers will display a “missing plugin” message which, if clicked, takes the user to Oracle’s site, where they can download the latest Java applet plugin from Oracle.
Apple no longer ships Java with Mac OS X 10.7 and 10.8, having replaced the Java binary with a program that offers to download a suitable Java Runtime Environment (JRE) for Java 6.
This means only users who have installed the Java 6 runtime will be prompted to install an update. Oracle has already taken over responsibility for Java 7 on Mac OS X and the Oracle applet plugin comes complete with Java 7.
The steps taken should ensure that any user who does need Java in the browser on Mac OS X will run not only Oracle’s applet plugin but also Oracle’s latest Java 7 runtime.
Older versions of Apple’s and Oracle’s Java runtimes were affected by 30 vulnerabilities, 29 of them listed as remotely exploitable without authentication.