Apple tries to kill its own Coffee on almost Macs

Pushes users to deal with Oracle, which maintains Java 7 for Os Ten

Senior Reporter, Computerworld |

Apple tree yesterday started scrubbing most Macs of older Coffee browser plug-ins, a move that will force users to download the software from Oracle. The company also patched Coffee for OS X, the second time Apple synchronized its Java security update with Oracle's, releasing its patches for Os X the aforementioned day as the Coffee software maker.

Along with the Coffee patches, Apple beefed by Bone X security past uninstalling old browser plug-ins for the software.

The update aimed at Lion and Mountain Panthera leo --which collectively accounted for 60% of all Macs final month -- zaps plug-ins provided past Apple via Coffee half-dozen and earlier.

"This update uninstalls the Apple tree-provided Java applet plug-in from all Web browsers," Apple said in a support document.

Apple tree's Java update for Snow Leopard did something different: "On systems that have not already installed Coffee for Mac Os X ten.6 update nine or subsequently, this update will configure Web browsers to not automatically run Java applets," Apple tree stated.

Later on the Lion and Mount Lion update is applied, users who browse to websites that require Java volition run across the message "Missing plug-in," and can then proceed to the Oracle site to download the newest version of Java 7 and its browser plug-in.

Apple has been ratcheting upwards efforts to eliminate some plug-ins, notably Adobe'due south Wink Player and Oracle'southward Java, afterwards hundreds of thousands of Macs were infected by the Flashback Trojan equus caballus last March and April.

The company reacted with several measures, including blocking older versions of Flash. Earlier, Apple had made like moves on Java, first blocking automatic execution of the Oracle plug-in, and then following that with a patch that automatically disabled the plug-in if it had not been run in the by 35 days.

Wolfgang Kandek, CTO of Qualys, saw Wed'due south plug-in elimination equally both a security enhancement and an attempt by Apple to push customers towards Oracle as the distributor of Java.

"[This] might be function of the migration to a Java completely provided by Oracle," said Kandek via instant message today. "It will [also] heighten security, and reduce the number of web-attainable Java installations on Macs."

Apple stopped bundling Java with Os Ten starting with 2011's Lion; this year's Mountain Panthera leo as well omitted Java. The Cupertino, Calif. visitor is still responsible for patching Coffee 6 and earlier, simply Oracle takes care of OS Ten users running Java 7.

While King of beasts and Mount Lion did not include Coffee, users may take installed it themselves: When a browser encounters a Java applet, OS X asks for permission to download the Oracle software. People running the older Snow Leopard (2009) and Leopard (2007) accept Coffee installed by default.

Apple took other measures to shove Mac owners towards Oracle, including removing Java options from the Preferences window.

Along with the anti-Java plug-in maneuver, Apple likewise shipped 2 Java updates, dubbed Java for Mac Bone Ten 10.6 Update 11 and Coffee for OS X 2012-006, that patched twenty critical vulnerabilities on Bone 10 Snow Leopard, and Bone Ten King of beasts and Mountain Panthera leo, respectively.

Oracle patched the same 20 bugs -- and 10 more for good measure -- on Wednesday for Windows. The firm updated Java 5, 6 and seven for Windows, and Java vii for OS 10.

Adam Gowdiak, founder and CEO of Shine security firm Security Explorations, reported nigh of the bugs that Oracle patched yesterday.

Gowdiak has plant other Java vulnerabilities in the by. Earlier this year he reported more than a dozen. Months later, hackers independently uncovered one of the bugs, so began using information technology in widespread attacks during Baronial.

But neither Oracle or Apple addressed the disquisitional zero-day vulnerability that Gowdiak submitted to Oracle late last calendar month. The flaw impacted OS X equally well as Windows versions of the software.

According to Gowdiak, Oracle told him it had received the bug report as information technology was wrapping up testing of the Oct. xvi update, and was unable to work up a set up in time. "Oracle confirm[ed] that it is on track to evangelize fixes for [this issues] in the next Coffee SE Critical Patch Update which ships in February 2013," Gowdiak wrote on his business firm'due south bug condition website.

In the hope that he could prod Oracle to act chop-chop last month, Gowdiak had gone public -- albeit minus technical details -- rather than privately reporting it to Oracle and waiting for the company to quietly patch Coffee. Just the strategy came upwardly bust. "[We also asked] for the reason of sticking to Oracle's semi-quarterly patch release schedule, which means [an] additional 4 months to wait for a patch for a critical security issue in Java," Gowdiak noted. Oracle patches Java approximately every 4 months. As Gowdiak alluded, the next regularly-scheduled update is slated to ship February. xix, 2013.

The last time Apple updated Coffee was in early September, when it fixed flaws Oracle had addressed weeks earlier with an emergency update that aimed to squash aggressive and widespread attacks exploiting a vulnerability.

Users running Java half dozen and earlier can grab the update for their version of Os X by triggering Software Update from the Apple menu. Java 7 tin can be updated by downloading the new version, Java SE Runtime Environment 7u9, from Oracle'southward website.

Gregg Keizer covers Microsoft, security issues, Apple tree, Spider web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg'southward RSS feed .

Senior Reporter Gregg Keizer covers Windows, Office, Apple/enterprise, web browsers and web apps for Computerworld.

Copyright © 2012 IDG Communications, Inc.