Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs
Apple on Tuesday patched Java for the aged OS X Snow Leopard and tweaked Safari to give users more control over what websites they let run the vulnerability plagued Oracle software.
Oracle on Tuesday shipped an update for Java 6 and Java 7 to patch up to 42 bugs -- the number depends on the version and platform -- for Windows and OS X. Because Apple maintains Java 6 for OS X -- unlike Java 7, which Oracle handles -- it followed with its own update.
The Apple update was important beyond the fact that it fixed 21 Java flaws.
Not all Mac users can upgrade to the newest version, Java 7, which requires OS X Lion, or its successor, Mountain Lion. OS X Snow Leopard users are stuck on Java 6, and must rely on Apple to provide patches for that version.
Fortunately, Oracle has reversed an earlier commitment to halt security updates for Java 6 -- the end for Java 6 was originally slated for February, but Oracle extended it to early March when it shipped "out-of-band," or emergency, patches -- and continues to support 2006's Java 6.
That meant Apple had access to the Java 6 patches and could, as Computerworld speculated last month, keep serving fixes to Snow Leopard.
The Oracle/Apple move was smart: According to Web metrics firm Net Applications, Snow Leopard accounted for 27% of all copies of OS X used to access the Internet in March. The 2009 operating system has resisted retirement, and in fact powered more Macs last month than OS X Lion, its 2011 successor.
If Oracle and Apple had not continued to support Snow Leopard with Java patches, the percentage of unprotected Mac users would have jumped from the current 9% to a whopping 36%, or more than a third of the installed base.
Oracle did not say how long it will continue to provide patches for Java 6 to Windows users, and thus how long Apple will be able to issue security updates to its customers still running Snow Leopard.
But Apple could do so for months to come. Even after Oracle halts support for Java 6, it will still distribute patches to enterprises that have negotiated contract support plans. Apple will probably have access to those only-for-corporate-customers patches and will use them to draft updates for its own users.
The last public patches for Java 5, for example, shipped in November 2009, but Apple continued to issue Java 5 updates for OS X Leopard until June 2011, or 20 months later.
Tuesday's update to Java included fixes for the four vulnerabilities exploited by researchers at last month's Pwn2Own hacking contest. Each researcher (or in one instance, a team of researchers) was awarded $20,000 by HP TippingPoint, which co-sponsored the challenge.
With Oracle's patches for Pwn2Own's Java vulnerabilities, only Microsoft has yet to close a hole uncovered at the challenge. French bug broker Vupen exploited Internet Explorer 10 (IE10) on Windows 8 at Pwn2Own. Some experts anticipated IE10 fixes for the Pwn2Own flaws last week on April's Patch Tuesday, but Microsoft disappointed.
Also Tuesday, Apple refreshed Safari 6 for OS X Lion and Mountain Lion, and Safari 5 for Snow Leopard to add a new security tool. The browser now lets users closely manage Java permissions by selecting which sites can execute the software. Users comfortable with changing security settings can now allow Java to run on trusted websites -- an online banking site, for example -- while blocking it from executing on other domains.