Just hours after Oracle released a patch to Java 7, it has been found to be buggy again. It's Groundhog Day.
I first ran across this news at Ars.com, where the author, Dan Goodin, credited IDG with breaking the story. The original report, by Lucian Constantin, is available here at Computerworld: Researchers find critical vulnerability in Java 7 patch hours after release.
Both Constantin and Goodin have been in touch with the security firm Security Explorations, which discovered multiple bugs in Java. After Security Explorations verified that the just-released Update 7 of Java 7 fixed their prior exploit for running a Java Applet outside of its normal sandbox, they started kicking the tires again.
It seems that in the Update 7 patch, Oracle blocked the road to the bug, but did not fix the underlying problem. In part, that may explain how Oracle issued a patch so quickly. From what these articles report, Security Explorations was able to find another path to exploiting the same flaw. A detour, if you will.
For anyone who needs Java, the path is now brutally obvious: go with version 6 rather than 7 (NOTE: see updates below). Version 6 has fewer features (the bug is in a new feature that exists only in Java 7), and Security Explorations found they could not (yet, at least) break it.
Mac users running either Leopard (10.5) or Snow Leopard (10.6) are safe from the flaw that caused such a stir the last few days because all they can get is Java version 6.
However, at least on the one Snow Leopard system I tested with, the latest version of Java 6 from Apple was Update 33 released June 12, 2012. Update 34, released by Oracle about two weeks ago, had bug fixes, but none were security related. Update 35, released yesterday, does have security fixes.
This is just like old times for Mac users; Apple has traditionally left its customers running outdated Java software. After the Flashback scare, many thought Apple would get its Java act together. We'll see.
Mac users running Lion (10.7) or Mountain Lion (10.8) who get their Java from Apple should also be running Java 6. Those who opted to get Java from Oracle will be running Java 7. Oracle has instructions for falling back from its Java 7 to Apple's Java 6. See How do I uninstall Java 7 and restore Java 6 for my Mac?
Update: October 4, 2012. The link above was changed. My thanks to JavaUserGuy for pointing out that the original article had been moved and updated.
Update: October 5, 2012: The basic premise here, that Java version 6 is safer than version 7, no longer applies. Both versions are vulnerable to the latest Java flaw, discovered at the end of September. See Another critical Java vulnerability puts 1 billion users at risk.