
Tuesday, March 5, 2013

Oracle pulls Java 6 plug, but Apple likely to keep patching OS X Snow Leopard


Apple on Monday patched Java 6 for OS X, following Oracle's lead and quashing a browser plug-in vulnerability that hackers have been exploiting.
Oracle issued the "out-of-band," or emergency, update for Java 6 and Java 7 to patch two critical vulnerabilities. One of those bugs -- designated CVE-2013-1493 -- has been exploited in the wild since at least Feb. 28, according to security firm FireEye, which discovered the attacks.
Because Apple maintains Java 6 for OS X -- unlike Java 7, which Oracle handles -- it followed with its own update, as usual.
But Oracle also said that Monday's update would be the final one for the aging software. "This release is the last of publicly available JDK 6 Updates," Oracle said in its release notes. "Oracle recommends that users migrate to JDK 7 in order to continue receiving public updates and security enhancements."
That advice works for Windows users: Java 7 runs on all Microsoft-supported versions of its operating system, including Windows XP.
However, not all Mac users can upgrade to Java 7, which requires OS X Lion, or its successor, Mountain Lion. According to Web metrics company Net Applications, 37% of all Macs last month ran a version of OS X older than Lion. The majority of those users relied on OS X Snow Leopard, the 2009 operating system that is stubbornly resisting retirement.
But that doesn't necessarily mean that Snow Leopard users will be out in the cold, Java-wise.
Contrary to what Computerworld reported in December, when it said Snow Leopard users would be without Java 6 security updates as soon as Oracle pulled the plug, further investigation has provided more than a glimmer of hope.
Apple relies on Oracle to craft Java 6 patches, and so without Oracle creating patches, Apple would seemingly have nothing to distribute. Not quite.
Oracle will continue to come up with security patches for Java 6, but those will only be distributed to enterprises that have negotiated contract support plans with Oracle. And if the past is any indicator, Apple will have access to those only-for-corporate-customers patches and will use them to draft updates for its own users.
The future is murky, as it always is with Apple support -- unlike Microsoft, the company does not spell out its support policies in black and white -- but there is precedent.
For OS X 10.5, known as Leopard, Apple provided Java 5 updates well after Sun Microsystems, the creator and former owner of Java, stopped serving public patches.
Sun stopped Java 5 support with Java 5 Update 22 (Java 5u22), which it released Nov. 4, 2009. But Apple continued to issue Java 5 updates for Leopard until June 2011, when it released patches that it said pushed the software up to Java 5u30.
Those patches were for flaws that Oracle -- by then it had acquired Sun and taken control of Java -- identified as fixes for its business customers.
If Apple follows that same timeline, it will support Java 6 for approximately a year and a half, or deep into 2014.
There's no guarantee. The closest Apple has come to that was when it deprecated Java, telling developers that it would no longer ship Java with OS X. "The Java runtime shipping in OS X v10.6 Snow Leopard, and OS X v10.5 Leopard, will continue to be supported and maintained through the standard support cycles of those products," Apple said at the time.
Leopard's support cycle has long ended -- the last Java update for OS X 10.5 was issued in mid-2011, and its last security update released in May 2012 -- but Snow Leopard's has not come to an end. (Apple shipped a security update for OS X 10.6 in September, for example, alongside the most recent fixes for Lion and Mountain Lion.)
Apple might want to play it safe and continue to patch Java for Snow Leopard, both because of the recent rash of Java "zero-days," or vulnerabilities exploited before they have been patched, and because Apple was embarrassed last year when a then-unpatched Java bug gave hackers a way to infect hundreds of thousands of Macs in the widespread "Flashback" malware campaign.
The massive numbers of customers who remain on Snow Leopard -- as of last month, OS X 10.6 powered 27.5% of all Macs -- might also weigh in Apple's decision.
Ironically, Monday's update was a bonus for both Windows and Mac users. Previously, Oracle had said it would end public support for Java 6 with its Feb. 19 update. Oracle had also extended Java 6's EOL, or "end-of-life," twice last year, first from July to November 2012, then again from November 2012 to February 2013.
OS X Lion and Mountain Lion users who require Java should upgrade as soon as possible to Java 7, which Oracle plans to maintain at least until July 2014, and which Apple may support even longer.
The next scheduled Java 7 update is set for April 16. If Apple continues support for Java 6 on Snow Leopard, it will issue that update the same day.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

Tuesday, January 29, 2013

Oracle will continue to bundle 'crapware' with Java


Oracle will not stop bundling what critics describe as "crapware" and "foistware" with its Java installer anytime soon, a company representative intimated last week.
The practice of offering up other software alongside Java updates, including emergency security updates to patch critical vulnerabilities, again came under fire last week as new reports surfaced of deceptive installation techniques.
During a conference call with leaders of the Java User Groups (JUG) last week, Donald Smith, who heads Oracle's OpenJDK team, cited contractual obligations that prevented him from discussing the bundling deal in detail. But he hinted that no changes were in the offing.
"When you have a commercial relationship like this, not only are you dealing with your [own] corporate policies on communication, and revenue recognition and all that kind of stuff, but you also have a commercial partnership and agreement that you have to abide by and follow," said Smith during the call.
Currently, the Java installer for Windows includes an offer for the Ask.com browser toolbar. Unless users explicitly uncheck a box on the Java installation screen -- in other words, opt out -- the toolbar automatically downloads and installs, and the browser's default search engine changes to Ask.com.
That raised the ire of long-time Windows blogger Ed Bott of ZDNet, and also got the attention of Ben Edelman, an associate professor at Harvard and expert on adware, online fraud and Internet privacy.
In pieces published Jan. 22, both Bott and Edelman took aim at Oracle for bundling the Ask.com toolbar with Java.
Bott found that the Ask.com toolbar was not immediately installed, but waited 10 minutes after Java finished to kick in. "I've never seen a legitimate program with an installer that behaves this way," said Bott, who speculated that the technique was an attempt to hide the toolbar's installation from technically astute users.
Edelman was also caustic in his criticism of Oracle and the Ask.com toolbar installation, deeming the latter deceptive. Even worse, Edelman said, was that the offer was included with critical Java updates that patched recent "zero-day" vulnerabilities being exploited by criminals.
"The Java update is only needed as a result of a serious security flaw in Java," said Edelman. "It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software."
By bundling adware with its security updates, Oracle is teaching users to distrust its patching process, Edelman added.
Oracle's Smith disagreed.
"It's not specifically a security issue. It's a commercial, business-side issue," he said during last week's call. "The reason it's tied with security is that it's showing up when we push out new installers on the Windows platform. Really, it's not related to security directly."
Smith also defended the practice by saying Oracle had inherited the deal when it acquired Sun Microsystems, the creator of Java, in 2010. "This is not a new business, this is not something that Oracle started," Smith said. "This is a business that Sun initiated a long time ago."
Sun had bundled third-party software with Java since at least 2005, when it offered a Google toolbar. In the following years, Sun made similar arrangements with Microsoft and Yahoo, before switching to Ask.com.
While Smith stopped far short of saying that Oracle would drop the bundling, he tried to soothe obviously ruffled feathers among the JUG community. "It's something that we are looking at and constantly evaluating whether it's worth doing," he said. "What I can say is, we hear you loud and clear. We're aware of the concerns and we're looking at what we can do moving forward."
He also declined to give the JUG leaders an explanation for the odd installation behavior of the Ask.com toolbar, even as he agreed with another caller that it was "squirrelly."
"I agree that on the surface, when you look at, it's like, 'Why is it that way?'" Smith said. "It could be that we are never able to give a satisfactory answer. But I hope at some point we can clarify what that's about and why."
Ask.com did not immediately reply to a request for comment on the toolbar's installation process and the status of its deal with Oracle.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

Tuesday, November 13, 2012

Oracle takes stake in PaaS vendor Engine Yard


Oracle has taken a minority stake in Engine Yard, maker of a PaaS (platform as a service) for Ruby, PHP and Node.js applications, the company announced Tuesday. Financial terms were not disclosed.
Oracle and Engine Yard "are expected to connect their respective PaaS offerings to enable more rapid development of applications in a secure, reliable and scalable environment," according to a statement.
Engine Yard will remain an independent company, Oracle said.
Oracle's move is meant to give users of its recently announced Oracle Cloud PaaS, which offers the ability to write and deploy Java EE-based applications, more development options, particularly for Web applications rather than heavier-duty enterprise applications for which Java EE is often used.
The move is good for Engine Yard and its customers, CEO John Dillon said in a blog post on Tuesday.
"This is a great day for our organization and for our customers," he wrote. "The resulting partnership with Oracle will give Engine Yard access to new technologies and allow us to increase the technical investment we make in our products."
Oracle may also have been interested in investing in Engine Yard because of its broad partner ecosystem. Engine Yard customers can tap a wide variety of "Add-On" platform services from partners, such as application monitoring, continuous integration and recurring billing.
It wasn't immediately clear Tuesday when the integration between Oracle's PaaS and Engine Yard would be completed, nor whether Oracle may some day seek to acquire Engine Yard.
While Oracle is well-known for its long run of acquisitions, it has also taken partial stakes in companies before, such as its 2010 investment in Infiniband vendor Mellanox.
Chris Kanaracus covers enterprise software and general technology breaking news for The IDG News Service. Chris' email address is Chris_Kanaracus@idg.com.

Saturday, September 29, 2012

OpenWorld 2012: What's in store

A wealth of software, hardware and "engineered systems" news is on tap


With each year, Oracle becomes a bigger company and in turn, so does its annual OpenWorld conference, which kicks off Sunday in San Francisco.
In fact, Oracle's long run of acquisitions, spanning from applications to middleware to hardware, has resulted in so many partner and customer constituencies that it's now co-locating a number of additional shows, including MySQL Connect and JavaOne, along with the main OpenWorld program.
Here's a look at what's scheduled for the week, as well as what sort of surprises Oracle may have in store.
Database 12c: Despite its forays into business applications and hardware, at its core Oracle remains a database company, and it will announce version 12c, with the c standing for "cloud," during OpenWorld.
CEO Larry Ellison already publicly revealed this fact recently and also described some of the release's new features, which include support for multitenancy and "pluggable" databases.
But the deep-dive into 12c probably won't come until Monday, when co-president Mark Hurd and database chief Andy Mendelsohn deliver a joint keynote.
While Oracle will no doubt make sure 12c's debut is nice and splashy, as with past versions most customers probably won't upgrade until 12c release 2, preferring to feel comfortable that the bugs have been worked out.
Engineered systems news: There seems to be little doubt that Oracle will announce a next-generation version of the Exadata database machine, the first and flagship member of its family of "engineered systems" combining software with servers, networking and storage.
Ellison has a keynote slated for Sunday which seems like the probable launch pad for an Exadata announcement, as well as other new engineered systems products.
With Oracle already having analytics-related machines in the market with Exadata and the Big Data appliance, as well as an application server box called Exalogic, its next step could be systems that add a layer of pre-integrated business applications.
Hard times for hardware: Oracle has de-emphasized commodity servers in favor of the engineered systems, which can really be looked at as delivery vehicles for lots of separately licensed Oracle software that draws lucrative annual maintenance revenue year after year.
Still, top-line hardware revenues have been in decline. And although the hardware systems business "was very profitable" in fiscal 2012, "the profitability of this business as we measure it did not grow from the prior fiscal year," Oracle said in a recently filed proxy statement. As a result, systems chief John Fowler didn't get a cash bonus, according to the proxy.
Last year, Oracle announced the SPARC SuperCluster T4-4 system. This year, it may feature a sequel to that high-profile release.
The status of Fusion Applications: It took Oracle a bit longer than hoped-for to bring its next-generation Fusion Applications to market, but the suite of ERP (enterprise resource planning), CRM (customer relationship management), HCM (human capital management) and other software finally became generally available last year.
But Oracle has a number of updates to provide with respect to Fusion, namely the rate of customer adoption and live projects, as well as a public subscription price list for deployments in its recently launched cloud service.
The "top-level message" for Fusion Applications will be a "focus on customer adoption and their success," Oracle executive vice president of application development Steve Miranda said during a "Tweet chat" event this week on Twitter.
Miranda also acknowledged the lack of public pricing, which is common among SaaS vendors, but said Oracle's fees are "competitive."
MySQL Connect: Anyone looking for a concrete sense of where Oracle is headed with the development of its open-source MySQL database should attend a joint keynote scheduled for Saturday featuring Tomas Ulin, vice president of MySQL engineering, and Edward Screven, Oracle's chief corporate architect.
The talk will give showgoers a look at "Oracle's MySQL strategy, and the key latest developments including product releases, roadmap and community," according to the event's description.
While many MySQL users expressed fear over the database's future following Oracle's acquisition of previous owner Sun Microsystems, the presence of Screven, a longtime Oracle employee who reports directly to Ellison, could underscore the vendor's commitment to the platform.
Bottomless cups of Java: The JavaOne conference, which starts Sunday, will give attendees a look at where the open-source Java programming language is going from a number of perspectives.
A keynote covering Oracle's future strategy for Java, as well as a technical Java keynote, are scheduled for Sunday. Later in the week, a keynote covering Java community issues is on tap. This is all on top of some 400 planned sessions.
Oracle's Amazon Web Services?: Ellison also revealed during last week's earnings call that Oracle will announce a new IaaS (infrastructure as a service) offering at OpenWorld, but didn't mention many details.
The CEO may provide more information on Sunday, but it seems more likely that the nitty-gritty details will come on Wednesday during a keynote by Fowler and other executives.
One general question that may be answered is whether Oracle is interested in competing head-to-head with the likes of Amazon Web Services and Rackspace for all sorts of IaaS business, or mostly planning to offer the IaaS to existing customers who would ordinarily use those other services.
Overall, Oracle's entry into IaaS "is likely to mean one thing: lower prices for computing power from all of the big incumbents," Canaccord Genuity analyst Richard Davis said in a research note issued Friday.
This is good news for "disruptive technology startups" and SaaS (software as a service) vendors as well, according to Davis.
Bragging rights: San Franciscans are still reeling from the last big software event held at the Moscone Center, Salesforce.com's Dreamforce. That show reportedly drew 90,000 registered attendees, a figure helped by the fact there was no charge to attend keynotes as well as a number of musical events.
Salesforce.com CEO Marc Benioff crowed that this year's Dreamforce was the industry's largest-ever "vendor-led" enterprise technology event.
Given that he and Ellison have a long-standing rivalry, it's not so surprising that Oracle is offering a special US$75 "Discover Pass" to OpenWorld, which provides entry to keynotes, the exhibition hall, the Oracle music festival and other aspects of the show, albeit none of the 2,000 sessions.
Oracle isn't promising that more than 90,000 people will show up in San Francisco for OpenWorld, but the vendor is still making some big claims.
Some 50,000 showgoers from 123 countries will attend in person, on top of a cool million tuning in online, and the show will have a $120 million economic impact on the Bay area, according to an official blog post.
Chris Kanaracus covers enterprise software and general technology breaking news for The IDG News Service. Chris' email address is Chris_Kanaracus@idg.com.