Oracle to stop patching Java 6 in February 2013
That will leave a significant portion of Mac users without the means to run an up-to-date Java next year. According to Web metrics company Net Applications, approximately 41% of all Macs still run versions of OS X older than Lion.
Apple will presumably issue the final OS X patches for Java 6 in February alongside Oracle's update.
But some security researchers are unconvinced that upgrading to Java 7 is a good idea.
On Tuesday, Polish researcher Adam Gowdiak, who reported scores of Java vulnerabilities to Oracle this year, told the IDG News Service, "Our research proved that Java 7 was far more insecure than its predecessor version. We are not surprised that corporations are resistant when it comes to the upgrade to Java 7."
Thomas Kristensen, chief security officer at Danish vulnerability management firm Secunia, was more optimistic about Java 7's security prowess, saying in an interview with Computerworld yesterday that it was "pretty much equal to Java 6 out of the box."
But Kristensen did criticize Java 7.
The Java 7 Update 10 released last week included several new security options that let users disable Java in all browsers, or set privileges for signed and unsigned Java apps.
Kristensen called the changes "a step in the right direction" for the attack-plagued Java, but argued that Oracle should have turned on the new features by default rather than leave them in users' hands.
"They're difficult to understand, they're more complicated than similar features in other products. You have to know how Java works, the nature of Java, you have to understand signed and unsigned [apps] and the source of those apps," Kristensen said. "A more restrictive [environment] should have been applied by default rather than depend on users actively choosing them."
Lucian Constantin of the IDG News Service contributed to this report.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Application Security in Computerworld's Application Security Topic Center.
- The DDoS Threat Spectrum Bolstered by favorable economics, today's global botnets are using distributed denial-of-service (DDoS) attacks to target firewalls, web services, and applications, often simultaneously.
- How to Keep Company Assets Secure with Federated Identity and Access Management This Technology Spotlight discusses the growing need for security in today's cloud-based, mobile world of IT, and the rise of SaaS-based solutions.
- Security, Privacy and Trust in Email Management This white paper discusses a SaaS-based email management solution that delivers the security, continuity and archiving capabilities your organization demands.
- Unifying Secuirty Operations Agile enterprises know that the way to quickly identify and react to threats to the business is to break down operational siloes by...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Application Security White Papers | Webcasts