Security & Privacy + Security News

Apple Releases Java 6u39 for Snow Leopard; Still No Safari Patches

Posted on by

Hot on the heels of Oracle’s release of Java SE 7 Update 13 for OS X Lion and Mountain Lion, Apple has released a corresponding security patch for Mac OS X Snow Leopard’s built-in version of Java. Java SE 6 Update 39 (1.6.0_39), which Apple has included in an update titled “Java for Mac OS X 10.6 Update 12,” fixes many of the same vulnerabilities that were patched in version 7u13 on other platforms earlier this week. The update is available now via Software Update.

For systems that aren’t already running Java for Mac OS X 10.6 Update 9 or later, Apple’s update also configures Safari to not run Java applets automatically, instead requiring users to click on an “Inactive plug-in” notification first. Additionally, Apple’s Java update also disables the Java browser plug-in “if no applets have been run for an extended period of time.”

Apple stopped bundling Java with OS X beginning with the release of Lion in July 2011. Apple has continued to update Java for Snow Leopard as well as for Lion and Mountain Lion users who upgraded from Snow Leopard and still have Java SE 6 installed. (Java SE 6 was also available for Snow Leopard’s predecessor, Leopard, but Apple has not released corresponding Java patches for Leopard since June 2011, just prior to Lion’s release.)

Mysteriously, while Apple continues to release Java security updates for Snow Leopard, the company is still neglecting to patch Snow Leopard’s version of Safari. Snow Leopard users are still stuck with Safari 5.1.7, while Lion and Mountain Lion users have been graced with 6.0, 6.0.1, and 6.0.2, all of which contain security fixes. Safari 6.0 alone patched 121 vulnerabilities that were present in Safari 5.1.7, according to Apple’s security release notes. Users of Safari for Windows are also stuck with the woefully insecure version 5.1.7.

One can only imagine why Apple refuses to patch its own Safari browser for Snow Leopard while continuing to release security updates for a plug-in for that browser.*

You might be wondering whether Snow Leopard is still relevant. Let’s take a look at some statistics, shall we?

(Credit: Net Applications)

According to data released by Net Applications in January, the now three-generations-old version of Mac OS X still commands a 29% share of Web traffic from Mac users, making it even more popular than Lion by a thin margin of less than one percent, and just slightly behind Mountain Lion, which holds the lead at merely 32%.

Given the high percentage of Mac users still actively using Snow Leopard, and also given that some Intel Macs can’t run Mountain Lion or even Lion, let’s hope that Apple decides to protect its customers by continuing to release Snow Leopard security updates for the foreseeable future—including Safari updates.

For now, we should encourage our fellow Mac users to upgrade to Lion or later if possible, and if they’re unable to upgrade, we can at least help them install an alternative browser and set it as their default.

*Of course I’m aware that the Java browser plug-in is a component of Java, not Java itself. Regardless, there’s irony in Apple releasing patches for third-party software while neglecting to patch its own software that’s a major component of its OS.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at and follow him on Twitter/X, LinkedIn, and Mastodon. View all posts by Joshua Long →