Apple on Monday patched Java 6 for OS X, following Oracle's lead and quashing a browser plug-in vulnerability that hackers have been exploiting.
Oracle issued the "out-of-band," or emergency, update for Java 6 and Java 7 to patch two critical vulnerabilities. One of those bugs -- designated CVE-2013-1493 -- has been exploited in the wild since at least Feb. 28, according to security firm FireEye, which discovered the attacks.
[ Also on InfoWorld: New Java proposal could ease ports to iOS. | Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Because Apple maintains Java 6 for OS X -- unlike Java 7, which Oracle handles -- it followed with its own update, as usual.
But Oracle also said that Monday's update would be the final for the aging software. "This release is the last of publicly available JDK 6 Updates," Oracle said in its release notes. "Oracle recommends that users migrate to JDK 7 in order to continue receiving public updates and security enhancements."
That advice works for Windows users: Java 7 runs on all Microsoft-supported versions of its operating system, including Windows XP.
However, not all Mac users can upgrade to Java 7, which requires OS X Lion, or its successor, Mountain Lion. According to Web metrics company Net Applications, 37 percent of all Macs last month ran a version of OS X older than Lion. The majority of those users relied on OS X Snow Leopard, the 2009 operating system that is stubbornly resisting retirement.
But that doesn't necessarily mean that Snow Leopard users will be out in the cold, Java-wise.
Contrary to what Computerworld reported in December, when it said Snow Leopard users would be without Java 6 security updates as soon as Oracle pulled the plug, further investigation has provided more than a glimmer of hope.
Apple relies on Oracle to craft Java 6 patches, and so without Oracle creating patches, Apple would seemingly have nothing to distribute. Not quite.
Oracle will continue to come up with security patches for Java 6, but those will only be distributed to enterprises that have negotiated contract support plans with Oracle. And if the past is any indicator, Apple will have access to those only-for-corporate-customers patches and will use them to draft updates for its own users.
The future is murky, as it always is with Apple support -- unlike Microsoft, the company does not spell out its support policies in black and white -- but there is precedent.
For OS X 10.5, known as Leopard, Apple provided Java 5 updates well after Sun Microsystems, the creator and former owner of Java, stopped serving public patches.