Apple on Tuesday patched Java for the aged OS X Snow Leopard and tweaked Safari to give users more control over what websites they let run the vulnerability plagued Oracle software.
Oracle on Tuesday shipped an update for Java 6 and Java 7 to patch up to 42 bugs -- the number depends on the version and platform -- for Windows and OS X. Because Apple maintains Java 6 for OS X -- unlike Java 7, which Oracle handles -- it followed with its own update.
The Apple update was important beyond the fact that it fixed 21 Java flaws.
Not all Mac users can upgrade to the newest version, Java 7, which requires OS X Lion, or its successor, Mountain Lion. OS X Snow Leopard users are stuck on Java 6, and must rely on Apple to provide patches for that version.
Fortunately, Oracle has reversed an earlier commitment to halt security updates for Java 6 -- the end for Java 6 was originally slated for February, but Oracle extended it to early March when it shipped "out-of-band," or emergency, patches -- and continues to support 2006's Java 6.
That meant Apple had access to the Java 6 patches and could, as Computerworld speculated last month, keep serving fixes to Snow Leopard.
The Oracle/Apple move was smart: According to Web metrics firm Net Applications, Snow Leopard accounted for 27% of all copies of OS X used to access the Internet in March. The 2009 operating system has resisted retirement, and in fact powered more Macs last month than OS X Lion, its 2011 successor.
If Oracle and Apple had not continued to support Snow Leopard with Java patches, the percentage of unprotected Mac users would have jumped from the current 9% to a whopping 36%, or more than a third of the installed base.
Oracle did not say how long it will continue to provide patches for Java 6 to Windows users, and thus how long Apple will be able to issue security updates to its customers still running Snow Leopard.
But Apple could do so for months to come. Even after Oracle halts support for Java 6, it will still distribute patches to enterprises that have negotiated contract support plans. Apple will probably have access to those only-for-corporate-customers patches and will use them to draft updates for its own users.
The last public patches for Java 5, for example, shipped in November 2009, but Apple continued to issue Java 5 updates for OS X Leopard until June 2011, or 20 months later.
Tuesday's update to Java included fixes for the four vulnerabilities exploited by researchers at last month's Pwn2Own hacking contest. Each researcher (or in one instance, a team of researchers) was awarded $20,000 by HP TippingPoint, which co-sponsored the challenge.
Sign up for Computerworld eNewsletters.