PDA

View Full Version : How to verify that you're running Oracle's Java JRE 7 and not Apple JRE 6




DeBilbao
Oct 2, 2012, 03:43 AM
How to verify that you're running Oracle's Java JRE 7 and not Apple JRE 6

Java is one of the most used programming languages, being present in a lot of devices, including our Macs. One of its strong features is its cross-system compatibility, so you only need to think in Java language and rely on the Java Runtime Environment (JRE) that need to be present in the system that intend to use the application - in Java they're called applets - you want to run.

Java applications are most commonly used within a browser, using a Java plug-in, but you can also standalone applications that use the JRE. There's a lot of misunderstanding around this and Java is not only present in Safari, but rather you can say that it can be used as long as it is activated in your Mac.

And being a runtime environment, a place in which the user can run software... it's exposed to a lot of security issues. I'm quite sure anyone who has a minimum contact with Apple related news has read something about Flashback, a piece of malware that appeared as Flash Player installer and installed some bad stuff in your system even if you decided not to enter the administrator password.

With OS X Lion, Apple decided not to deliver the Java Runtime Environment to end users, offering a download from their servers as soon as the user need to run a piece of Java software.

This is a wrong approach. Definately, you protect a lot of users, but you leave unprotected a lot of end users that need Java to run many online services: from banking to e-shopping, many websites need Java.

This was even wrong because Apple offered their own implementation of the JRE version 6, while the rest of the operating systems - Windows, Linux or Solaris - run the official distribution from Oracle, now that the database giant acquired Sun.

Any piece of software delivered to the end user computer need an strategy to get it updated as soon as a vulnerability surfaces. And in this case Apple did it really wrong. The exploit that let the Flashback execution could be run in any Mac after Oracle deployed the new patched 7 version, and after a lot of time, Apple didn't update it and rather decided to forget about it.

Now the JRE is also available from the official website http://www.java.com for users running OS X 10.7.3 and above, but even though you have installed it, you must take care and check if Apple JRE 6 is not taking over Oracle JRE 7. Let's see how.

Once you have downloaded the jre-7u6-macosx-x64.dmg file and installed it, you can go to a new icon in the new preference pane callled "Java". In the General tab you can press de About button and see that Oracle JRE 7 is installed.

http://i49.tinypic.com/6ntp2x.jpg
But if we go to Applications > Utiities > Java Preferences Sin embargo, we can see that we have also JRE 6 from Apple installed and checked.

Of course, this only applies to users that have previously downloaded the Apple JRE.
http://i47.tinypic.com/2v2mv.jpg
So, how can we know which JRE is actually being executed when we try to use a Java applet?

You can use the Terminal to enter the command java -version that will bring this output:

java version "1.6.0_35"
Java(TM) SE Runtime Environment (build 1.6.0_35-b10-428-11M3811)
Java HotSpot(TM) 64-Bit Server VM (build 20.10-b01-428, mixed mode)

So even though I have Oracle's JRE 7 installed, I'm running Apple's JRE 6. And if I try to uncheck the Apple JRE 6 in the Java Preferences app, I can't run applets at all.

After some reading in the Oracle website in http://www.java.com/en/download/faq/java_mac.xml I have understand what's happening, and I'll explain to you how to fix it.

You can see exactly what's happening by reading http://docs.oracle.com/javase/7/docs/webnotes/install/mac/mac-preferences.html:

Note for Users of Macs that Include Apple Java 6

If you are running a release of Mac OS X that includes Apple Java 6, for example 10.7.3 or 10.7.4, there is an important difference about the installation of Oracle Java (both JRE and JDK) that you should be aware of.

The Applications -> Utilities -> Java Preferences application is part of Apple's implementation of Java. Once Apple no longer distributes Java as part of their release, the Java Preferences application is retired.

Under Apple's implementation of Java, it was possible to have multiple JREs installed, and the Java Preferences app was used to determine the first compatible version that would be used. The following instructions show how to change the default JRE.



Launch Java Preferences. The Java Preferences window contains a list of installed JREs. Java applications and command line tools use the listed order to determine the first compatible version to use.
The Vendor column indicates whether the Java release is supplied by Apple or Oracle. The Version column specifies the version of Java that is installed.
To make JRE 7 the default version of Java, re-order the list by dragging Java SE 7 to the top of the list.


Note that if you install only Oracle Java JRE 7, it will not appear in this list. You must install the full JDK in order for JRE 7 to be listed.

So we must install the Java Develoment Kit and not the Java Runtime Environment if we want to run the patched JRE. Even though we're not developers, but it's the only way I've seen to resolve the problem.

To install the JDK you must go to http://www.oracle.com/technetwork/java/javase/downloads/jdk7u7-downloads-1836413.html and download the installer.
http://i45.tinypic.com/15dqq03.jpg
Once installed, you will see the Oracle's version in the Java Preference app, but Apple's version is still checked, and being the first in the list it will take precedence from Oracle's version.
http://i48.tinypic.com/2vv0xg6.jpg
You can drag the Oracle version and drop it into the top of the list. This way it takes precedence and I also recommend to uncheck Apple's JRE 6.
http://i47.tinypic.com/erzdx0.jpg

Back to the Terminal app, the java -version command output inform us that we're running the correct version.

java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)

And to verify that Java applets can be run, we can go to http://java.com/es/download/installed.jsp to run a small applet that will check if we're running the correct version.

http://i45.tinypic.com/nl4y2d.jpg


In my opinion, Oracle and Apple should talk to get this totally transparent for the end user. Until then, I recommend you to verify if you're running the correct version and act accordingly so you are protected from those at least annoying security issues.

;) ;) ;)



kot
Oct 2, 2012, 08:26 AM
I'm not exactly sure that java 7 is more secure.

Weaselboy
Oct 2, 2012, 09:01 AM
You are confusing the Java plugin (for applets) with the Java runtime (for stand alone applications).

If you install Java 7 over top Java 6 in OS X it will replace the Jave 6 plugin with the Java 7 plugin automatically. The user does not need to do anything.

Set your system back to Java 6 at the top of that list and the Java test site you linked will still show you have Java 7 because the plugin is 7.

The JDK panel just sets the priority for stand alone Java runtime apps and has nothing to do with the web plugin.

http://i.imgur.com/7UEdx.png

DeBilbao
Oct 2, 2012, 01:45 PM
Weaselboy, thank you very much for the explanation.

Definitely, I was wrong and I was confusing the Java Runtime Environment required for the standalone apps with the Java Plugin that browsers use.

So if I want to be surfing the web with the latest plugin installed the only thing I need is to update Java from the Oracle website.

And if I want to get my standalone applications using the same version, I need to do what I explained in my post.

Am I right?

Weaselboy
Oct 2, 2012, 01:50 PM
Weaselboy, thank you very much for the explanation.

Definitely, I was wrong and I was confusing the Java Runtime Environment required for the standalone apps with the Java Plugin that browsers use.

So if I want to be surfing the web with the latest plugin installed the only thing I need is to update Java from the Oracle website.

And if I want to get my standalone applications using the same version, I need to do what I explained in my post.

Am I right?

Exactly. Neither Apple nor Oracle has done a very good job explaining all this IMO. It is no wonder there is confusion. :)

ssn637
Oct 2, 2012, 03:52 PM
I've also found that if I remove the JRE 1.6 from my system in favor of JRE 1.7 then my Adobe Creative Suite 6 applications fail to start.

dyn
Oct 2, 2012, 04:19 PM
OS X comes with the JDK commands pre-installed which is why running java --version will only show 1.7 when you install the JDK. If you haven't installed Java already it will prompt you when you either start the Java Preferences, use any of the pre-installed Java commands or when something needs Java.

The prompt will install Java provided by Apple which is the 1.6 version (current 1.6 build 35). If you want the 1.7 you need to go to java.com/oracle.com to download it.

So as you can see it is not exactly separated with Mountain Lion. There still is a lot of Java stuff from Apple. That'll probably be removed with later ML updates. We currently are in a transition phase from Apple to Oracle. The way it is done now makes it less painful but it does create some confusion for OS X users ("why are there java commands on my ML install, I thought Apple doesn't support it in ML?!").