Apple + Recommended + Security & Privacy

Apple’s Java Update Surprise for Snow Leopard

Posted on September 7th, 2012 by

Last Wednesday, Apple released a Java update for Macs with Java 6 installed to coincide with the emergency patch Oracle released for other platforms last Thursday.  (Notably, there’s already another Java zero-day that this update doesn’t fix.) What’s intriguing, though, is that Apple released the update not only for the current and one previous version of Mac OS X — Mountain Lion and Lion, respectively — but also for the now two generations old Snow Leopard. This may come as a surprise to many in the security industry given that Apple has thus far neglected to release a security update for its own web browser, Safari, for Snow Leopard.

Near the end of July, Apple released Safari 6 exclusively for Mountain Lion and Lion, neglecting to release even a security-only update for the Windows and Snow Leopard versions of the browser. The Safari update patched a whopping 121 security vulnerabilities.


No Safari for you, Windows or Snow Leopard!

Apple has traditionally released its own Java patches through its Mac OS X Software Update application. However, Apple stopped bundling Java with the OS beginning with the release of Lion last year. This year’s operating system, Mountain Lion, also excludes Java. Apple released Lion as an upgrade for Snow Leopard available exclusively through the Mac App Store. Mountain Lion is now available as an upgrade for both Snow Leopard and Lion.

Naturally, since Lion and Mountain Lion have been available as upgrades for Snow Leopard, it makes sense for Apple to release a Java 6 update for users who upgraded from Snow Leopard. But what’s a little bit baffling is that Apple also chose to release that Java update for Snow Leopard as well. How could Apple release a Java security update for Snow Leopard while neglecting to release a major security update for its own Safari browser? It boggles the mind! It’s a bit like replacing only a car’s fan belt when the entire engine is known to be in imminent danger of failing.

It’s less clear than ever what Apple’s plans are regarding security updates for Snow Leopard.

Poor Snow Leopard is being left out of the loop.

Apple has historically released security updates for the current and one previous release of its Mac operating system. It was presumed that Apple would follow this pattern and drop support for Snow Leopard when Mountain Lion was released. Mac rumor sites have revealed that Apple is working on an update to Lion, version 10.7.5. No such updates for Snow Leopard are actively being developed. Perhaps it shouldn’t be any great surprise that Apple released a Java update for Snow Leopard while neglecting to release a Safari update.

Come to think of it, Apple did something similar with Leopard, releasing its final security update for Leopard’s version of Safari in July 2011 while releasing a Leopard-specific security update to disable outdated and vulnerable versions of Flash Player in May 2012.  In between, Apple released several Safari security updates for Snow Leopard and Lion, but not for Leopard.

Nevertheless, Apple’s security update policy is still rather confusing. It would be nice if Apple were to publish a clear written policy showing exactly how long its customers could expect to get security updates for any given product. By comparison, Microsoft lists clear lifecycle end dates for each version of its operating system and other products.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh's security research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter. View all posts by Joshua Long →