The last public release of Java 6 is scheduled for February 19th 2013. After that date all new security updates, patches, and fixes for both the runtime and SDK of Java SE 6 will only be available through My Oracle Support, and will therefore only be available to users with a commercial license from Oracle.
In view of this, at the end of last year Oracle began automatically replacing instances of Java SE 6 with Java SE 7 via auto-update. In the announcement, Oracle said that they
... will start auto-updating Windows 32-bit, Java Runtime Environment (JRE) users from JRE 6 to JRE 7 in December 2012.
The Java auto-update mechanism is designed to keep Java users up-to-date with the latest security fixes. To achieve this goal Windows users that rely on Java’s auto-update mechanism will have their JRE 6 replaced with JRE 7.
In December 2012 Oracle will start to auto-update a sample of users from JRE 6 to JRE 7 to evaluate the auto-update mechanism, user experience and seamless migration. Oracle will then start auto-updating all Windows 32-bit users from JRE 6 to JRE 7 with the update release of Java, Java SE 7 Update 11 (Java SE 7u11), due in February 2013.
The move has proved somewhat controversial. In a blog post, Wayne Citrin, Chief Technology Officer of Java/.NET interoperability vendor JNBridge, wrote:
This is absolutely astonishing. Oracle has decided that, in order to fix extensively-reported security problems, they will not only update Java 7 (their latest version of Java), they will also completely delete a completely separate product. Yes, Java 6 is a separate product from Java 7. They can be installed side-by-side, and many users have both Java 6 and Java 7 installed on their machines. Some of their applications depend on Java 6, and others might depend on Java 7, and these dependencies are typically hard-coded or configured to point to the correct, and different, file locations. Can you imagine if Microsoft released an update to .NET 4.0 that also removed .NET 2.0? This is just as serious.
Worse, it appears that they are taking it upon themselves to replace installations of Java 6 with Java 7 even if the users have only Java 6 on their machines.
As a result, he says, "You should strongly consider turning off automatic Java updates".
InfoQ spoke to Citrin to clarify his position. "I actually think the best thing that the user could do is update their browser plug-in to the latest Java 7," he told us, "or simply disable Java in the browser." He also had a number of suggestions for how Oracle could deal with the current situation:
a. Change from side-by-side installs to in-place installs -- Java 7 gets installed in place of Java 6. That would require strict backward compatibility to older versions so that the user would not notice. Probably not a good option at this time, but would have been the best long-term answer.
b. Continue providing updates to Java 6 for at least a little while longer. Kicks the can down the road, but ultimately doesn't solve the problem.
c. As part of the Java 7 update, check whether the user’s Java browser plug-in is something other than Java 7. If not, switch it. This would probably be the best all-around solution. Most of the attacks come through the browser, and most people wouldn't notice. It would be unlikely to break anything.
Oracle has in fact taken a number of precautions with the update process. For enterprise users the most important is that the Java auto-update process updates only the latest version of Java on a user's Windows machine - if you have multiple versions of Java installed, only the most recent one will be replaced. In addition, where an enterprise manages the Java versions on behalf of users, auto-update is generally turned off and therefore they won't be affected. That said, Citrin tells us that whilst enterprise customers should not be affected by auto-updates, it has happened "according to the customer we spoke to. They’re an ISV, and they had several customers report problems."
The subject of silent automatic updates for Java was also discussed on the security conference call last week. This isn't a silent update, of course, but as with the Ask toolbar, users often click through installers without reading them, a point that Citrin also made when we spoke to him. Given that, it is interesting to review Donald Smith's comments on auto-updates in this context:
The challenge is of course that you get - if that was a feature that came out, you have an ecosystem with a long history of it not working that way, and you would suddenly have a large segment of people saying, "How do I prevent this from happening?"
As Java is increasingly targeted by malware and virus writers, it is certainly a challenge for Oracle to encourage users to keep up-to-date.
InfoQ did contact Oracle for clarifications on this story but they declined to comment.