updated 07:22 pm EDT, Tue October 16, 2012
Patches zero-day exploit for Snow Leopard, Lion, ML
Though recent versions of OS X no longer ship with a Java plug-in -- and Apple has ceased developing its own versions and left compatibility to Java owner Oracle -- the company is pushing an updated version of Oracle's latest release of Java SE 6 (version number 1.6.0 build 37) through its own Software Update mechanism. The update fixes a critical "zero-day" exploit reported at the end of last month and is available as separate releases for OS X 10.6 and for OS X 10.7 and higher.
For Snow Leopard users, the update is referred to as Java for Mac OS X 10.6 Update 11. Currently the support page download link goes back to the previous update from September (Update 10), but it is available through Software Update. As with the previous update, it configures web browsers not to automatically run Java applets, and instead creates a sort of "Java blocker" on web pages that can be manually overridden by clicking on an area labelled "inactive plug-in." It will also deactivate the Java web plug-in if no applets have been run for "an extended period of time."
The Lion and Mountain Lion version of the update is called "Java for OS X 2012-006" and, like the Snow Leopard version, it offers "improved security, reliability and compatibility" but doesn't specify exactly what has changed. The accompanying note says that the update will uninstall any old Apple-provided Java applet plug-ins from all web browsers, and replace them with the "inactive plug-in" blocker described above. Users who click on the "inactive" button will be prompted to download the latest version of the Java plug-in directly from Oracle. The update also removes the Java Preferences application, which is no longer required to configure applet settings.
Oracle, in its release notes for the new version, says that the v1.6.0_37 update adds the compromised Cisco AnyConnect Secure Mobility Client to its blacklist, and closes two bugs related to the zero-day exploit, which affects all versions of Java including Java 7, though this patch is aimed only at Java SE 6. An update for Java 7 (update 9) is available as well for users running Java SE 7 on Macs, but at present is only available directly from Oracle.
Java SE 5, which is also affected by the exploit, is no longer updated and is little used. Users running pre-Snow Leopard Macs or outdated versions of Java are strongly advised to disable the web plug-in and seek alternatives for Java uses or update their systems if possible.