Apple-provided Java plug-in removed with software update
Apple on Tuesday rolled out two Java updates, one for OS X 10.6 Snow Leopard and another for OS X 10.7 Lion and OS X 10.8 Mountain Lion, the latter offering improved security by uninstalling the Apple-provided Java applet plug-in from all web browsers.
Tuesday's update for OS X Lion and Mountain Lion goes further and removes the Apple-built Java plug-in from all web browsers, forcing users to download the latest version curated directly by Oracle.
The move is the next step in Apple's plan to deprecate maintenance of its own Java runtime, which was announced in 2010. Apple subsequently dropped Java from OS X 10.7 Lion and placed the burden of future development on the OpenJDK community.
Both of today's updates are continuations of patches issued in June and September, which brought Java SE 6 to newer runtime versions, and disabled the plug-in by default upon installation. Those updates also configured the plug-in to deactivate when associated applets were not run for an extended period of time.
From the release notes:
From the release notes:
Tuesday's update for OS X Lion and Mountain Lion goes further and removes the Apple-built Java plug-in from all web browsers, forcing users to download the latest version curated directly by Oracle.
The move is the next step in Apple's plan to deprecate maintenance of its own Java runtime, which was announced in 2010. Apple subsequently dropped Java from OS X 10.7 Lion and placed the burden of future development on the OpenJDK community.
Both of today's updates are continuations of patches issued in June and September, which brought Java SE 6 to newer runtime versions, and disabled the plug-in by default upon installation. Those updates also configured the plug-in to deactivate when associated applets were not run for an extended period of time.
Java for OS X 2012-006
From the release notes:
Apple's update for Lion and Mountain Lion weighs in at 67.2B and can be downloaded via the Mac App Store or Apple's Support Downloads webpage.Java for OS X 2012-006 1.0
Java for OS X 2012-006 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_37.
This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle.
Please quit any web browsers and Java applications before installing this update.
Java for Mac OS X 10.6 Update 11
From the release notes:
The Java update for Snow Leopard comes in at 81.9MB and can be downloaded via Software Update or Apple's Support Downloads webpage.About Java for Mac OS X 10.6 Update 11
Java for Mac OS X 10.6 Update 11 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_37.
On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.
Please quit any web browsers and Java applications before installing this update.
Comments
6:52pm west coast. Not seeing it. Software update. Nothing. It is on Apple support web site though.
9:06 p.m. central - downloading now.
Not seeing it yet here either (9:11 pm Flyover Standard Time), but I'm glad to see it's coming: http://support.apple.com/kb/HT5493
When basically all major OS X security vulnerabilities today come from Java, its time to re-evaluate that relationship. This way, the only people affected will be the few who intentionally seek out Java to support specific applications.
Quote:
Originally Posted by John.B
When basically all major OS X security vulnerabilities today come from Java, its time to re-evaluate that relationship. This way, the only people affected will be the few who intentionally seek out Java to support specific applications.
Like Photoshop! Or was it Illustrator? One of the two. Stupid Adobe.
>> development on the OpenJDK community.
This is not fair toward the Apple team; Apple entered the OpenJDK community, and did not placed the burden to external entities only !! The Apple team is an integral part of the OpenJDK, and they are contributing interesting technologies to Java, like an OpenGL based graphic pipeline.
Bappo
Quote:
Originally Posted by v5v
Like Photoshop! Or was it Illustrator? One of the two. Stupid Adobe.
What the f*** does that have to do with whether or nor Apple distributes a Java web browser plug-in with every copy of OS X?
Context fail, much?
WOW! They are getting very efficient with their programming!
Quote:
Originally Posted by AppleInsider
Apple's update for Lion and Mountain Lion weighs in at 67.2B and can be downloaded via the Mac App Store or Apple's Support Downloads webpage.
Quote:
Originally Posted by John.B
What the f*** does that have to do with whether or nor Apple distributes a Java web browser plug-in with every copy of OS X?
Nothing the f***. It has to do with Adobe CS6 apps requiring installation of a Java runtime. Java support has implications beyond just browser applets.
Quote:
Originally Posted by Kermit262
Could someone explain to me how the Mountain Lion update for Java updates Java to 1.6.0_37, while at the same time removing it (and requiring Java 7 to be installed from Oracle's site)?
It looks to me like the update just removes the Java web browser plugin, not the Java runtime (JRE). The latter is what's used to run Java-based desktop applications. It looks like it actually updates the JRE, which is why it's so large.
If that's the case, then the discussion about Adobe CS is moot -- it shouldn't be affected since it's made up of desktop applications.
The thinking here, I believe, is that almost all of the security holes in Java are exploited via the web (trojan websites, etc). It's much more difficult to get someone to download, install, and run an application, than it is to just get them to browse to a website.
So by forcing people to use the Oracle version of the Java web browser plugin (which has security holes fixed more quickly than Apple's version), but keeping Apple's version of the JRE on the system so that Java-based desktop applications can continue to be used without interruption, you eliminate the vast majority of security exploits without too much hassle.
Quote:
Originally Posted by auxio
It looks to me like the update just removes the Java web browser plugin, not the Java runtime (JRE). The latter is what's used to run Java-based desktop applications. It looks like it actually updates the JRE, which is why it's so large.
If that's the case, then the discussion about Adobe CS is moot -- it shouldn't be affected since it's made up of desktop applications.
The thinking here, I believe, is that almost all of the security holes in Java are exploited via the web (trojan websites, etc). It's much more difficult to get someone to download, install, and run an application, than it is to just get them to browse to a website.
So by forcing people to use the Oracle version of the Java web browser plugin (which has security holes fixed more quickly than Apple's version), but keeping Apple's version of the JRE on the system so that Java-based desktop applications can continue to be used without interruption, you eliminate the vast majority of security exploits without too much hassle.
Excellent. Thanks. I also discovered that even though the release notes say that the Java Preferences are removed (and indeed, looking in the Utilities folder you will no longer see Java Preferences) you can do a system search for "Java Preferences" and still get access to it. Although now the functionality is limited to enabling or disabling Java:
Well, this is the second time I've tried using Oracle's Java plugin and it's failed to operate both times. I ran the Apple updater and it installs the Java 7 plugin. I used the java.com test page to download and install the plugin but it just keeps spinning, meaning there's something wrong with the installation. I was able to back out to Java 6 following their instructions.
Has anyone been able to get this to install and run the version verification page form Java?
I was able to download and install Java 7 from Oracle with no problem.
I tried installing again and the Java Preference utility was deleted by the installation. Went to the Java test page and it says it's missing the plug-in so I clicked on it to install it. (Checked /Library/Internet Plug-Ins and there is a link to the JavaAppletPlugin.plugin) Clicking More Info to download the plugin put me on a second page where I pressed the Agree button. This downloads the plugin without any authentication request. Quit Safari and tried again. Still says Missing Plug-in. I have Open safe files after downloading unchecked so it never installed it. The Oracle Java page assumes this box is checked, something every security guide says to uncheck. So, my original post was wrong and I never installed Java 7. This puts the Java preference pane in and testing the Java version finally works. Oracle needs to revise their download page so it doesn't say the plugin is automatically installed. So far, my initial testing of sites I know use Java are working but a banking site (mortgage calculator) didn't work previously so I'll need to try and find it to see if it actually works. For some reason, an alias/link for java and my boot drive showed up on the desktop. Not sure why. The entire Java package is now in the /Library/Internet Plug-Ins folder as a bundled app named JavaAppletPlugin.plugin. The original Java 6 is still in /System/Library/Java.
Ugh! I'm waiting for the phone calls from my various clients now... They use ZipForm Online, which exclusively uses Java! Before anyone starts by saying how easy it is to fix this problem, you've never been a computer consultant before!
Quote:
Originally Posted by auxio
It looks to me like the update just removes the Java web browser plugin, not the Java runtime (JRE). The latter is what's used to run Java-based desktop applications. It looks like it actually updates the JRE, which is why it's so large.
If that's the case, then the discussion about Adobe CS is moot -- it shouldn't be affected since it's made up of desktop applications.
Right, like you said, it SHOULDN'T be affected, but it wouldn't be the first time a "fix" for one issue wound up being an accidental "broken" somewhere else.
I just found it interesting that of the three Macs I use regularly, only the one with Adobe CS apps installed even needs a Java runtime. The other two don't have Java installed at all, neither runtime nor browser plug-in, and after two months I have yet to notice it's gone. Does Photoshop's dependance on Java say anything about the quality of the programming, or is it a normal practice I just wouldn't have noticed if Apple hadn't quit developing their own version?