Quote:
Originally Posted by MacTripper
Apple should be ashamed of themselves.
This exploit has been in the wild for 6 months before going public.
Then it took Apple months to fix it after the latest OS X update when it did finally go public and the Mac community screamed bloody murder warning everyone to turn off Java.
"God knows how many have been exposed." - Alien 2
This is not the first time Apple has ignored a vital security threat.
The serious Metadata exploit (still not fixed completely) was submitted by many folks, including myself, with back and forth emails to Apple Security folks and then it went unfixed for YEARS!!
It's still technically unfixed, only a warning now that you're downloading an app/first time running an app. A workaround basically.
I started to think, why did Apple take so long to fix this latest Java exploit? Was it so people would download Safari 4 with its sandboxing of plug-ins?
Pump up the download numbers a little for marketing dept? Along with a forced upgrade on the Windows side?
Why is Apple so slow in fixing the open source parts of OS X? It's a security risk with them not paying enough attention too.
Perhaps it's so many eyes finding the flaws in open source that Apple can't handle it?
Right. The Mac community was just up in arms over this. I think I read one article a few weeks ago from a so-called security expert who said he was publishing the exploit with instructions how to implement it. I don't recall there being a rebellion. There likely never will be one so long as Macs remain unaffected by such exploits.
The "Mac community" . . . the one on Mac fansites, of which only a percentage was actually concerned about this. I just wanted to make that distinction, that's all.
Glad to see you're satisfied and you may now realize that by having to roll their own Java integration with OS X that it takes a bit longer to roll in updates and test them thoroughly before a simple apt-get upgrade.
I'm satisfied that they fixed it. I'm disappointed with how long it took to fix it.
Also, I may have been a little premature. Java applets are still super-slow... much slower than on my Windows laptop at work. Looks like Apple still has work to do.
Who still uses Java? Especially on a Mac or an iPhone. Flash, I understand...even Silverlight, but who needs a nasty looking, slow Java applet on their speedy 8-core Mac Pro?
I don't think too many companies are relying on applets running in the browser, but a lot of companies still use Java for enterprise software, and complex web pages (java server pages). It is still the most popular language out there and the most mature and stable technology with amazingly good tools.
A lot of banking sites where I come from still use Java applets, as does Wikipedia for movie/audio playback. As with Wikipedia Java applets might see a comeback as a fallback for browsers which do not support the <video> tag (especially when Theora is used).
There's simply no excuse for Apple taking this long to patch a major security bug for which a patch *does* exist. Since Apple seems to support Java only half-heartedly maybe they should consider coming to an agreement with Sun/Oracle (i.e. pay them) and let them develop an official version of Java for Mac. Maybe Java developers also wouldn't have to endure months until Apple catches up to the Windows/Linux versions.
I can't get it to install. I've tried on two different computers, a PowerPC and an intel Mac. They both end with an error saying the update can't be installed. I have quit the web browser, so that's not the problem. I can't find anything about this difficulty from Apple either.
You should take advantage of their amazing customer support that's so much better than anything you'll find in the PC world...
Java has a vulnerability, Safari 4 can sandbox plug-ins
This is a Snow Leopard only feature although Google claims that sandboxing works on Leopard just fine (in fact, according to them adding sandboxing to Chrome was easiest on OS X compared to the two other supported platforms).
I wonder how many of those were out of fear of the Java exploits running loose?
I'd wager that relatively few people cared about that. I have had Java turned off for a couple years now and don't recall ever needing to turn it on. It seems that most users don't even know the difference between Java and JavaScript.
Quote:
Originally Posted by Erunno
This is a Snow Leopard only feature although Google claims that sandboxing works on Leopard just fine (in fact, according to them adding sandboxing to Chrome was easiest on OS X compared to the two other supported platforms).
I hope that Apple moves the sandboxing over to each tab, too. The plug-ins are nice, and perhaps they are the number one cause for browser crashes, but I'd like to be able to also kill a tab if it's using too many resources. Perhaps even having the Force Quit window show the different tabs when you hold down the option key after the window appears. That would rock!
Java is still important, just not for applets in web pages. Apple's own Final Cut Server user client is written in Java, for example - this enables it to run on both Mac OS X and Windows with minimal changes. Also Apple's WebObjects system is entirely implemented in Java - this runs things like the Apple Online Store.
For developers working on web services and web sites, having an up-to-date and secure Java is just as relevant as ever, and it is important that the Mac keeps up with the other platforms. For many, the additional benefits of running on a Mac (compared to Windows) make it more than worth the effort, not least because it's a proper UNIX system, and the server side of many web sites will be UNIX- or Linux-based.
Yes, but for how much longer? Seeing Federighi on-stage was a breath of fresh air as I used to work with him. When he left and EOF floundered it was obvious they were going from ObjC to Java in WOF back in the day.
Now that everything is moving back to ObjC as it should, moving WOF to Cocoa will be a snap and the leverage of added value from Foundation/AppKit to WOF will be enormous.
Adding CoreData/CoreImaging and more on the server side to off-load heavy lifting and giving one the option to hook in HTML5, Javascript/Ajax and more on the front end would be very nice indeed.
Apple's push in the Enterprise is going to need Server-side meat other than Java to make XServers and OS X Server even more compelling.
Surely it requires three vulnerabilities for this Java exploit to work. First in Java to allow a request for unacceptable permissions to be made by the java code, then in Safari to pass the request onto the OS, then in the OS to grant them.
There is more to this than a Java patch and a great deal that can be done to secure our systems.
Yes, but for how much longer? Seeing Federighi on-stage was a breath of fresh air as I used to work with him. When he left and EOF floundered it was obvious they were going from ObjC to Java in WOF back in the day.
Now that everything is moving back to ObjC as it should, moving WOF to Cocoa will be a snap and the leverage of added value from Foundation/AppKit to WOF will be enormous.
Have you ever held a full-time job as a programmer? I'm not trying to insult you, just trying to understand why you would make such a statement. In my experience, switching stable production systems to entirely new frameworks and technologies is extremely hard. Despite Apple's change of attitude toward Java and Objective-C, rewriting WebObjects, the iTunes store, the AppStore (and their iPhone equivalents), not to mention the Apple online store will require an enormous amount of work (re-coding, re-testing, QA, tons of errors in production, re-coding, re-testing, etc). It's a potential disaster. Apple is smart enough not to do this. They know that rewriting things takes forever...look how long it took OS X to come out.
Quote:
Adding CoreData/CoreImaging and more on the server side to off-load heavy lifting and giving one the option to hook in HTML5, Javascript/Ajax and more on the front end would be very nice indeed.
You do understand the distinction between server-side and client-side programming in web applications, don't you? WebObjects produces HTML/JavaScript/CSS. It doesn't use Applets or any other Java client-side technologies. It's all server-side. There's absolutely nothing preventing Apple from using a Java back-end and an HTML5/AJAX front-end.
Quote:
Apple's push in the Enterprise is going to need Server-side meat other than Java to make XServers and OS X Server even more compelling.
You do know that Java is pretty much the preferred server-side technology for the enterprise, don't you? I've worked for a couple of Fortune 500 companies, and they both used Java extensively. Hell, I'm sure they would lose lots of enterprise business if they replaced the Java buzz-word with the Objective-C buzz-word. Aside from that, Java is battle-tested under heavy loads in enterprise scenarios on enterprise servers. Objective-C has not.
End of story.
Do some basic research before claiming to know anything about this stuff.
I can't get it to install. I've tried on two different computers, a PowerPC and an intel Mac. They both end with an error saying the update can't be installed. I have quit the web browser, so that's not the problem. I can't find anything about this difficulty from Apple either.
First, enable Java and then close Safari. After that, then do the update.
Btw, looks like there's a patch for that app iDVD that Apple seems to want to get rid of. At least that's what I'm hearing. Anyone else hear more about iDVD?
I hope that Apple moves the sandboxing over to each tab, too. The plug-ins are nice, and perhaps they are the number one cause for browser crashes, but I'd like to be able to also kill a tab if it's using too many resources. Perhaps even having the Force Quit window show the different tabs when you hold down the option key after the window appears. That would rock!
I think you are confusing process-per-tab with sandboxing here. Sandboxing is a security feature which drastically limits the execution environment to a heavily controlled subset. How and where Apple will use sandboxing in Safari is still not known (to me, at least). From what I could gather at the WWDC keynote Safari 4 on Snow Leopard will support out of process plug-ins. Process-per-tab will probably require substantial rewrites of the whole Safari architecture so I don't hold my breath that we will see it before Safari 5 (if at all).
And it begs the question why these features are not available for Leopard users if Google is able to do so with Chrome (hint: quick money grab).
Apple is smart enough not to do this. They know that rewriting things takes forever...look how long it took OS X to come out.
Even more important, what business benefits would Apple's business have from such a rewrite? I reckon close to none. You are right, some people here clearly confuse server-side and client-side programming.
Btw, looks like there's a patch for that app iDVD that Apple seems to want to get rid of. At least that's what I'm hearing. Anyone else hear more about iDVD?
Comments
Apple should be ashamed of themselves.
This exploit has been in the wild for 6 months before going public.
Then it took Apple months to fix it after the latest OS X update when it did finally go public and the Mac community screamed bloody murder warning everyone to turn off Java.
"God knows how many have been exposed." - Alien 2
This is not the first time Apple has ignored a vital security threat.
The serious Metadata exploit (still not fixed completely) was submitted by many folks, including myself, with back and forth emails to Apple Security folks and then it went unfixed for YEARS!!
It's still technically unfixed, only a warning now that you're downloading an app/first time running an app. A workaround basically.
I started to think, why did Apple take so long to fix this latest Java exploit? Was it so people would download Safari 4 with its sandboxing of plug-ins?
Pump up the download numbers a little for marketing dept? Along with a forced upgrade on the Windows side?
Why is Apple so slow in fixing the open source parts of OS X? It's a security risk with them not paying enough attention too.
Perhaps it's so many eyes finding the flaws in open source that Apple can't handle it?
Getting like Microsoft slow, Apple is - yoda
Right. The Mac community was just up in arms over this. I think I read one article a few weeks ago from a so-called security expert who said he was publishing the exploit with instructions how to implement it. I don't recall there being a rebellion. There likely never will be one so long as Macs remain unaffected by such exploits.
The "Mac community" . . . the one on Mac fansites, of which only a percentage was actually concerned about this. I just wanted to make that distinction, that's all.
Glad to see you're satisfied and you may now realize that by having to roll their own Java integration with OS X that it takes a bit longer to roll in updates and test them thoroughly before a simple apt-get upgrade.
I'm satisfied that they fixed it. I'm disappointed with how long it took to fix it.
Also, I may have been a little premature. Java applets are still super-slow... much slower than on my Windows laptop at work. Looks like Apple still has work to do.
Who still uses Java? Especially on a Mac or an iPhone. Flash, I understand...even Silverlight, but who needs a nasty looking, slow Java applet on their speedy 8-core Mac Pro?
I don't think too many companies are relying on applets running in the browser, but a lot of companies still use Java for enterprise software, and complex web pages (java server pages). It is still the most popular language out there and the most mature and stable technology with amazingly good tools.
There's simply no excuse for Apple taking this long to patch a major security bug for which a patch *does* exist. Since Apple seems to support Java only half-heartedly maybe they should consider coming to an agreement with Sun/Oracle (i.e. pay them) and let them develop an official version of Java for Mac. Maybe Java developers also wouldn't have to endure months until Apple catches up to the Windows/Linux versions.
I can't get it to install. I've tried on two different computers, a PowerPC and an intel Mac. They both end with an error saying the update can't be installed. I have quit the web browser, so that's not the problem. I can't find anything about this difficulty from Apple either.
You should take advantage of their amazing customer support that's so much better than anything you'll find in the PC world...
Seriously. Do it.
...There's simply no excuse for Apple taking this long to patch a major security bug for which a patch *does* exist...
Sure there is, it's called 'running everything through the marketing department first' damn the security!
Java has a vulnerability, Safari 4 can sandbox plug-ins, thus this would be a powerful reason to get people to update to Safari 4.
Fix the Java issue afterwards, so what if it takes 9 months! Look at the results!
"11 million updated to Safari 4!!"
I wonder how many of those were out of fear of the Java exploits running loose?
Java has a vulnerability, Safari 4 can sandbox plug-ins
This is a Snow Leopard only feature although Google claims that sandboxing works on Leopard just fine (in fact, according to them adding sandboxing to Chrome was easiest on OS X compared to the two other supported platforms).
I wonder how many of those were out of fear of the Java exploits running loose?
I'd wager that relatively few people cared about that. I have had Java turned off for a couple years now and don't recall ever needing to turn it on. It seems that most users don't even know the difference between Java and JavaScript.
This is a Snow Leopard only feature although Google claims that sandboxing works on Leopard just fine (in fact, according to them adding sandboxing to Chrome was easiest on OS X compared to the two other supported platforms).
I hope that Apple moves the sandboxing over to each tab, too. The plug-ins are nice, and perhaps they are the number one cause for browser crashes, but I'd like to be able to also kill a tab if it's using too many resources. Perhaps even having the Force Quit window show the different tabs when you hold down the option key after the window appears. That would rock!
Java is still important, just not for applets in web pages. Apple's own Final Cut Server user client is written in Java, for example - this enables it to run on both Mac OS X and Windows with minimal changes. Also Apple's WebObjects system is entirely implemented in Java - this runs things like the Apple Online Store.
For developers working on web services and web sites, having an up-to-date and secure Java is just as relevant as ever, and it is important that the Mac keeps up with the other platforms. For many, the additional benefits of running on a Mac (compared to Windows) make it more than worth the effort, not least because it's a proper UNIX system, and the server side of many web sites will be UNIX- or Linux-based.
Yes, but for how much longer? Seeing Federighi on-stage was a breath of fresh air as I used to work with him. When he left and EOF floundered it was obvious they were going from ObjC to Java in WOF back in the day.
Now that everything is moving back to ObjC as it should, moving WOF to Cocoa will be a snap and the leverage of added value from Foundation/AppKit to WOF will be enormous.
Adding CoreData/CoreImaging and more on the server side to off-load heavy lifting and giving one the option to hook in HTML5, Javascript/Ajax and more on the front end would be very nice indeed.
Apple's push in the Enterprise is going to need Server-side meat other than Java to make XServers and OS X Server even more compelling.
There is more to this than a Java patch and a great deal that can be done to secure our systems.
Yes, but for how much longer? Seeing Federighi on-stage was a breath of fresh air as I used to work with him. When he left and EOF floundered it was obvious they were going from ObjC to Java in WOF back in the day.
Now that everything is moving back to ObjC as it should, moving WOF to Cocoa will be a snap and the leverage of added value from Foundation/AppKit to WOF will be enormous.
Have you ever held a full-time job as a programmer? I'm not trying to insult you, just trying to understand why you would make such a statement. In my experience, switching stable production systems to entirely new frameworks and technologies is extremely hard. Despite Apple's change of attitude toward Java and Objective-C, rewriting WebObjects, the iTunes store, the AppStore (and their iPhone equivalents), not to mention the Apple online store will require an enormous amount of work (re-coding, re-testing, QA, tons of errors in production, re-coding, re-testing, etc). It's a potential disaster. Apple is smart enough not to do this. They know that rewriting things takes forever...look how long it took OS X to come out.
Adding CoreData/CoreImaging and more on the server side to off-load heavy lifting and giving one the option to hook in HTML5, Javascript/Ajax and more on the front end would be very nice indeed.
You do understand the distinction between server-side and client-side programming in web applications, don't you? WebObjects produces HTML/JavaScript/CSS. It doesn't use Applets or any other Java client-side technologies. It's all server-side. There's absolutely nothing preventing Apple from using a Java back-end and an HTML5/AJAX front-end.
Apple's push in the Enterprise is going to need Server-side meat other than Java to make XServers and OS X Server even more compelling.
You do know that Java is pretty much the preferred server-side technology for the enterprise, don't you? I've worked for a couple of Fortune 500 companies, and they both used Java extensively. Hell, I'm sure they would lose lots of enterprise business if they replaced the Java buzz-word with the Objective-C buzz-word. Aside from that, Java is battle-tested under heavy loads in enterprise scenarios on enterprise servers. Objective-C has not.
End of story.
Do some basic research before claiming to know anything about this stuff.
I can't get it to install. I've tried on two different computers, a PowerPC and an intel Mac. They both end with an error saying the update can't be installed. I have quit the web browser, so that's not the problem. I can't find anything about this difficulty from Apple either.
First, enable Java and then close Safari. After that, then do the update.
http://support.apple.com/downloads/
Btw, looks like there's a patch for that app iDVD that Apple seems to want to get rid of. At least that's what I'm hearing. Anyone else hear more about iDVD?
I hope that Apple moves the sandboxing over to each tab, too. The plug-ins are nice, and perhaps they are the number one cause for browser crashes, but I'd like to be able to also kill a tab if it's using too many resources. Perhaps even having the Force Quit window show the different tabs when you hold down the option key after the window appears. That would rock!
I think you are confusing process-per-tab with sandboxing here. Sandboxing is a security feature which drastically limits the execution environment to a heavily controlled subset. How and where Apple will use sandboxing in Safari is still not known (to me, at least). From what I could gather at the WWDC keynote Safari 4 on Snow Leopard will support out of process plug-ins. Process-per-tab will probably require substantial rewrites of the whole Safari architecture so I don't hold my breath that we will see it before Safari 5 (if at all).
And it begs the question why these features are not available for Leopard users if Google is able to do so with Chrome (hint: quick money grab).
Apple is smart enough not to do this. They know that rewriting things takes forever...look how long it took OS X to come out.
Even more important, what business benefits would Apple's business have from such a rewrite? I reckon close to none. You are right, some people here clearly confuse server-side and client-side programming.
I had a half a dozen other updates that weren't mentioned so I'll just provide the link to them:
http://support.apple.com/downloads/
Btw, looks like there's a patch for that app iDVD that Apple seems to want to get rid of. At least that's what I'm hearing. Anyone else hear more about iDVD?
Here's just one link of many about iDVD:
http://www.9to5mac.com/iLife-iDVD-