
Java Update for 10.6?

What - if anything - is happening with a Java update for 10.6? I show both 32 and 64 bit Java SE 6 versions 1.6.0_37-b06-434 in Java Preferences App.


Now that Oracle has released an update (yesterday) to Java for the latest Zero Day security issues, will Apple release an update via Software Update to Java 6 that is included with 10.6?


There is no Update option in the Java Preferences App in the Applications/Utilities/ folder on 10.6 like 10.7+ has in the Java System Preferences Pane.


Or do we update Java 6 from the Oracle site? Or go to Java 7 from Oracle?

Posted on Jan 14, 2013 1:05 PM


Jan 14, 2013 2:24 PM in response to baltwo

It may or may not affect Java 6, but FYI, Apple, through XProtect, has disabled all Java Plug-ins lower than version 1.7.10.19. Maybe Apple knows something you don't. Best to stay informed so you won't be rattled by the "FUD." From my 10.6 XProtect dated 1/11/13.


<key>com.oracle.java.JavaAppletPlugin</key>
<dict>
    <key>MinimumPlugInBundleVersion</key>
    <string>1.7.10.19</string>


I'm supposing Apple will either remove Java 6 from the blacklist, or we will have to wait for a patch from Oracle.


Message was edited by: WZZZ

Jan 14, 2013 2:52 PM in response to WZZZ

AFAIK, Oracle has nothing to do with Java 6 for Mac OS X. That's under Apple's purview. As for the XProtect change, the constraint is:


<key>com.oracle.java.JavaAppletPlugin</key>
<dict>
    <key>MinimumPlugInBundleVersion</key>
    <string>1.6.0.37</string>


which doesn't exist on my SL installation. I only have the Java 6 JavaAppletPlugin from Apple. The one from Oracle is for Java 7.

Jan 14, 2013 2:55 PM in response to WZZZ

"AFAIK, Oracle has nothing to do with Java 6 for Mac OS X. That's under Apple's purview."


That's why I'm asking.


Even though I only have a rank of 1 around here, I'm not rattled by "FUD." Many security researchers point out that all Java versions are vulnerable. See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and https://isc.sans.edu/diary/Java+0-day+impact+to+Java+6+(and+beyond%3F)/14917

Jan 14, 2013 3:03 PM in response to markratledge

I wasn't suggesting you were being rattled by the FUD. My reply wasn't addressed to you. (There is a bit of back story there, which I won't go into.) But, yes, I don't know if anyone is 100% certain yet that Java 6 can't be similarly exploited. That must be why Apple blacklisted it along with the 7. Not sure who will handle a patch, Apple or Oracle, if one is ever forthcoming. We'll have to wait and see.


And even if there is a patch, it's inevitable that another hole will be found. I've had Java disabled in the browser for years now.

Jan 15, 2013 4:16 PM in response to baltwo

Your XProtect meta, dated 1/10, was showing as blacklisting any version lower than the 1.6.0.37


<key>com.oracle.java.JavaAppletPlugin</key>
<dict>
    <key>MinimumPlugInBundleVersion</key>
    <string>1.6.0.37</string>

Then


But, in either case, they're blocking the com.oracle.java.JavaAppletPlugin and not the com.apple.java.JavaAppletPlugin

On the face of it, your explanation doesn't make any sense. Why would Apple be writing an XProtect blacklist for an Oracle-only Java when all the Java for Snow Leopard came by way of Apple? The 1.6.0.37 was issued by Apple back in October 2012 with the Java for Mac OS X 10.6 Update 11 and any previous Java was issued by Apple, not Oracle, or Sun.


Are you thinking someone might have installed the 1.6.0.37 from Oracle for Windows--don't think that's even possible, but it seems far fetched Apple would go to the trouble of blacklisting that.

Jan 15, 2013 9:21 PM in response to WZZZ

WZZZ wrote:


Bottom line: why would Apple be blacklisting an Oracle Java that can't even be installed on a Mac?

My guess is that they are doing everything they can to wash their hands of Java. Java 1.6.0.38 has been out for some time now (I haven't been able to locate the exact release date) and I expect there will be one more before Oracle stops posting updates for Java 6 so Apple could issue at least one more update, if they feel like it.


My recommendation would be for any users that find they must continue to use Java 6 for whatever reason to send Apple some feedback, or they'll just feel free to ignore the situation.

Jan 16, 2013 5:13 AM in response to MadMacs0

MadMacs0 wrote:


WZZZ wrote:


Bottom line: why would Apple be blacklisting an Oracle Java that can't even be installed on a Mac?

My guess is that they are doing everything they can to wash their hands of Java. Java 1.6.0.38 has been out for some time now (I haven't been able to locate the exact release date)

But doesn't this beg the question why Apple wrote it this way? (In my opinion, probably a rhetorical one, since, lacking any other sensible explanation, I think this must have been the way Apple blacklisted the Apple version--both for lower than the 1.6.0.37 and then, when the latest exploit appeared, for lower than the 1.7.10.19--and the com.oracle vs. the com.apple prefix is a red herring)


As of December 12, 2012 the latest version of Java 6 is Update 38

http://javatester.org/version.html


So Apple is at least a month late, and I'll guess Snow may never get the 38. Or last minute just before the Java 6 EOL in February.

Jan 16, 2013 11:49 AM in response to WZZZ

WZZZ wrote:


MadMacs0 wrote:


WZZZ wrote:


Bottom line: why would Apple be blacklisting an Oracle Java that can't even be installed on a Mac?

My guess is that they are doing everything they can to wash their hands of Java. Java 1.6.0.38 has been out for some time now (I haven't been able to locate the exact release date)

But doesn't this beg the question why Apple wrote it this way? (In my opinion, probably a rhetorical one, since, lacking any other sensible explanation, I think this must have been the way Apple blacklisted the Apple version--both for lower than the 1.6.0.37 and then, when the latest exploit appeared, for lower than the 1.7.10.19--and the com.oracle vs. the com.apple prefix is a red herring)

That's always been my feeling. I've come to the conclusion that it's Safari's job to check the metadata for blacklisting as it's loading plug-ins at startup, so the com.oracle.java.JavaAppletPlugin is simply Apple's internal convention for identifying the Java plug-in. I must have missed a discussion here on that matter earlier. One question I still have is are there users still running older versions of Safari (e.g. v5.1.7) that don't know to check the metadata that are still able to use the plug-in?


I still think Apple was in error in setting the minimum 1.7.10.19 for Snow Leopard users since there is no way I know of that they can use Java 7, they should have made the minimum 1.6.0.38. Perhaps initially it was because many thought that Java 6 was also vulnerable (and I'm still reading today that it may be), but once Oracle declared it was Java 7 only, all the official sites accepted that. Apple has so far chosen to be more restrictive.


As of December 12, 2012 the latest version of Java 6 is Update 38

http://javatester.org/version.html


So Apple is at least a month late, and I'll guess Snow may never get the 38. Or last minute just before the Java 6 EOL in February.

Thanks, I've been looking for that, and I agree with you, but then we've been surprised by the update to 10.5.8 intel before, so anything is possible.
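The minimum-version check discussed in this thread, as an added example that is not part of any post and is not Apple's code: it parses the quoted XProtect fragment and decides whether a plug-in version falls below `MinimumPlugInBundleVersion`. The plist wrapper around the fragment, the component-wise numeric comparison, the exact identifier match, and the installed versions (taken from those mentioned in the thread) are assumptions.

```python
import plistlib

# Constructed sample: the fragment quoted in the thread, wrapped in a minimal
# plist so it parses. The wrapper layout is an assumption, not the real file.
SAMPLE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>{minimum}</string>
    </dict>
</dict>
</plist>
"""

def parse_version(text):
    """Split a dotted version such as '1.7.10.19' into a tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))

def compare_versions(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)

def load_minimums(plist_bytes):
    """Map bundle identifier -> MinimumPlugInBundleVersion string."""
    data = plistlib.loads(plist_bytes)
    return {bundle_id: entry["MinimumPlugInBundleVersion"]
            for bundle_id, entry in data.items()
            if isinstance(entry, dict) and "MinimumPlugInBundleVersion" in entry}

def is_blocked(bundle_id, installed_version, minimums):
    """Blocked when the identifier is listed (exact match, an assumption of
    this sketch) and the installed version is older than the minimum."""
    minimum = minimums.get(bundle_id)
    if minimum is None:
        return False  # not listed, so this rule does not apply
    return compare_versions(installed_version, minimum) < 0

def evaluate(minimum, installed, bundle_id="com.oracle.java.JavaAppletPlugin"):
    """Run the check against the constructed sample with the given minimum."""
    plist_bytes = SAMPLE_TEMPLATE.format(minimum=minimum).encode("utf-8")
    return is_blocked(bundle_id, installed, load_minimums(plist_bytes))

if __name__ == "__main__":
    for minimum in ("1.6.0.37", "1.7.10.19"):
        for installed in ("1.6.0.37", "1.6.0.38", "1.7.10.19"):
            print(minimum, installed, "blocked" if evaluate(minimum, installed) else "allowed")
```

With the minimum at 1.7.10.19, every Java 6 version string is below the threshold, so a 1.6.0.38 update would not change the outcome under these assumptions.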
