Future Java 7 security patches will work on Windows XP despite end of official support

Oracle has dispelled rumors that the upcoming security update for Java 7 and those it will release in the future might not work on Windows XP.

“We expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the foreseeable future,” said Henrik Stahl, vice-president of product management in the Java Platform Group at Oracle, in a blog post Friday.

[ Windows 8 left you blue? Then check out Windows Red, InfoWorld’s plan to fix Microsoft’s contested OS. | Microsoft’s new direction, the touch interface for tablet and desktop apps, the transition from Windows 7 — InfoWorld covers all this and more in the Windows 8 Deep Dive PDF special report. | Stay atop key Microsoft technologies in our Technology: Microsoft newsletter. ]

“Security updates issued by Oracle will continue to be pushed out to Windows XP desktops,” he said.

The next security updates for Java 7 will be released Tuesday and will address 20 security issues that can be exploited remotely without authentication. Some vulnerabilities to be patched in the update have the highest criticality rating (10.0) in the Common Vulnerability Scoring System, Oracle said in an advance notification.

Microsoft ended general support for Windows XP on April 8, leaving users of the 12-year-old OS without access to future security updates. As a result, Oracle announced earlier this year that it too will stop providing official support for Windows XP.

“Users may still continue to use Java 7 updates on Windows XP at their own risk, but support will only be provided against Microsoft Windows releases Windows Vista or later,” the company said on its Java website.

Some people interpreted that to mean that future Java 7 updates will not work on Windows XP, which would have had serious security implications for the thousands of companies and organizations that still use the OS with or without custom support contracts from Microsoft.

However, the implications of Oracle’s announcement is that customers who find issues on Windows XP need to replicate them on later versions of Windows in order to ensure that the company will develop a patch, Stahl said. If the issue only affects Windows XP “Oracle is not required to (and may be unable to) issue a patch or a workaround,” he said.

Java vulnerabilities are frequently targeted by hackers in drive-by download attacks and past reports showed that Java is still widely used in enterprise environments where it’s needed for a variety of business applications.

If Oracle had stopped issuing working Java 7 security updates for Windows XP, it would have forced users of the OS to run outdated and vulnerable versions of the software, but according to Stahl, that won’t happen.

“Don’t believe everything you read on the Internet,” he said in the blog post, referring to rumors that the Java 7 security update will not work on the aging OS. Windows XP users will continue to receive automatic security updates for Java 7 until at least April 2015, when public updates for this version of Java are scheduled to stop, he said.

“We will continue [to] monitor the uptake of Java 7 updates on Windows XP,” Stahl said. “If usage remains high when we get close to that milestone, we will take measures to keep Java users safe.”

The situation is not the same with Java 8, which doesn’t officially support Windows XP and cannot be installed on systems running the OS without manual intervention.

“We are looking at possible ways to address this issue but may decide not to — if you are on Windows XP it’s not clear that it’s worth updating to Java 8 without also updating the OS,” Stahl said.