Friday, March 10, 2017

Java Critical Updates: Apple Java for Mac OS X 10.6 Update 15 (Java 6u45), Apple Java for OS X 2013-002 (Java 6u45), Oracle Java 7u21


--
[Updated 10:30 pm 2013-04-17 to reflect the correct version of Java provided by Apple, 6u45]

There was a scheduled Java update on Tuesday 2013-04-16. Both Apple and Oracle provided updates. Here is the list:

From Apple

1) Java for Mac OS X 10.6 Update 15

Available via Software Update. This updates Mac OS X 10.6 Snow Leopard users to Java version 6 update 45, aka 6u45.

Apple's security content document:

http://support.apple.com/kb/HT5734

2) Java for OS X 2013-002

Available via Software Update. This updates OS X 10.7 Lion and 10.8 Mountain Lion users to Java version 6 update 45, aka 6u45.

Apple's security content document:

http://support.apple.com/kb/HT5734


From Oracle

Java 7 update 21, aka 7u21

Available directly from Oracle via the link above. 


Oracle Java SE Critical Patch Update Advisory - April 2013:

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html


PROBLEM WITH APPLE'S 2013-002 UPDATE

Apparently, it is NOT up-to-date!

Apple states that it is providing Java 6 update 45. However, their documentation does not list patches for all the known CVE security holes Oracle lists for Java 6 update 43 and below. I have documented the difference below.

[Note that earlier in the day it was not clear that Apple had updated beyond Java 6 update 43. Now apparently their documentation is making it clear that Java 6 update 45 is indeed what is provided. Apologies if I added to the confusion!]

Therefore, if you have OS X 10.7.3 or higher on your Mac, and you use Java while browsing the Internet, I STRONGLY suggest installing Oracle's Java 7 update 21 (7u21) on top of Apple's update.


Current Java CVE Issues

Oracle's Java 7u21 patches 42 CVE security holes. Apple's Java 6u45 patches 21 CVE security holes.

You can access Oracle's Java SE Risk Matrix here:

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html#AppendixJAVA

I'm going to restate Oracle's list of CVEs below in order to point out what has been patched and what remains unpatched in each of the updates from Oracle and Apple. Those that are in bold have been patched by both Oracle's 7u21 update and Apple's 6u42 update. Those in plain text have only been patched in Oracle's 7u21 update. At the end of the list is one CVE in italics that was patched by Apple's 6u42 update but is not listed in Oracle's 7u21 update and remains listed but unspecified in the CVE databases. Those listed in red affect Java 7 only, not Java 6.

CVE-2013-2383
CVE-2013-2384
CVE-2013-1569
CVE-2013-2434
CVE-2013-2432
CVE-2013-2420
CVE-2013-1491
CVE-2013-1558
CVE-2013-2440
CVE-2013-2435
CVE-2013-2431
CVE-2013-2425
CVE-2013-1518
CVE-2013-2414
CVE-2013-2428
CVE-2013-2427
CVE-2013-2422
CVE-2013-1537
CVE-2013-1557
CVE-2013-2421
CVE-2013-0402
CVE-2013-2426
CVE-2013-2436
CVE-2013-1488
CVE-2013-2394
CVE-2013-2430
CVE-2013-2429
CVE-2013-1563
CVE-2013-2439
CVE-2013-0401
CVE-2013-2419
CVE-2013-2424
CVE-2013-1561
CVE-2013-1564
CVE-2013-2438
CVE-2013-2417
CVE-2013-2418
CVE-2013-2416
CVE-2013-2433
CVE-2013-1540
CVE-2013-2423
CVE-2013-2415

Apple Only:
CVE-2013-2437


Summary: If I can believe both Apple's and Oracle's lists of patched CVEs, this means that the following CVE security holes REMAIN in Apple's Java 6u45 update:

CVE-2013-1518 - Unspecified details.

CVE-2013-2439 - Unspecified details.

CVE-2013-0401 - Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013.

CVE-2013-2418 - Unspecified details.

Again note: Documentation confusion indicates these four CVEs were not patched by Apple's Java 6u45 update. Ideally, I'd like to verify that this is the case in the near future. I'm hoping this discrepancy in documentation is straightened out.


CONCLUSION:

If you want to surf the net with Java running, and you're using OS X 10.7.3 or higher, please install Apple's Java 6u45 update FIRST, then install Oracle's Java 7u21 update.

We know full well that there are still unpatched security holes in Java 7u21. Therefore, it is CRITICAL to Just Turn Java Off until you have loaded a trusted web page. Then turn Java ON and reload that page. Before you leave that page, Just Turn Java Off again. I've covered how to turn Java on and off in previous posts.


STUPID NEWS:

Oracle has REMOVED the checkboxes for turning Java On and Off as of Java 7u21. Therefore, I can't rant about their dysfunctionality any longer. Oracle gave up trying to get their checkboxes to work, and apparently Oracle no longer even pretends there is a way to turn Java off inside its own control panel. Stupid deluxe. I have to wonder if Oracle itself understands Java well enough to get dead simple checkboxes to work.

I find this to be incredibly shameful.

Oracle: I HATE YOU.

And Apple: Either your documentation of patched CVEs is incomplete, or Oracle has provided an erroneous list of current CVEs! Either way, I'd feel more secure knowing the four unpatched CVEs I list above actually had been patched by 6u45, or that they were actually inapplicable to 6u45. I'm left confused as to the full state of affairs. No wonder newbies and regular users find these updates confusing.


--