Apple plugs critical Java security hole affecting Tiger, Leopard

[AppleInsider]

Apple on Monday finally got around to patching a widely-publicized security flaw in the version of Java shipping with Mac OS X, which could leave a Mac open to attack while browsing the web.

The Mac maker came under criticism from a pair of security firms last month for failing to patch the exploit, which it has reportedly been aware of since January.

The vulnerability, which theoretically exists on all platforms supporting Java, could allow a remote user to run code, delete files, and execute applications on a Mac through a maliciously crafted Java applet.

When executed together with a privilege escalation vulnerability, hackers could remotely run any system-level process and get total access to a Mac. This could leave users open to “drive-by attacks," according to security firm Intego, which had recommended that users disable Java until a fix was made available.

On Monday, Apple released Java for Mac OS X 10.5 Update 4 (158MB download) and Java for Mac OS X 10.4, Release 9 (80.11MB), which address the problem on its Leopard and Tiger operating systems but updating Java versions 1.4, 1.5, and 1.6 to new versions.

Apple also noted that there were multiple vulnerabilities in its "Aqua Look and Feel for Java" implementation for Java 1.5 affecting only Mac OS X 10.5.7 and later. The update for Leopard addresses this issue as well by denying access to internal details of Aqua Look and Feel for untrusted Java applets.



Once the updates have been applied, it should be safe for Mac users who disabled Java on their Mac to re-enable it in Safari by choosing Safari > Preferences, clicking the Security tab, and then checking "Enable Java."

[ View this article at AppleInsider.com ]

[Virgil-TB2]

Quote:

Originally Posted by AppleInsider

Apple on Monday finally got around to patching a widely-publicized security flaw in the version of Java shipping with Mac OS X, which could leave a Mac open to attack while browsing the web. ...

Great news.

But after going for so long with Java turned off and seeing absolutely no effect on my browsing at all, I'm gonna leave it off.

It really should be the default setting at this point. No one who really needs and uses java applets is really likely to be on a Mac anyway.

[clickmyface]

Quote:

Originally Posted by AppleInsider

Once the updates have been applied, it should be safe for Mac users who disabled Java on their Mac to re-enable it

LOL. So, probably not even the guys at the security firm who found the vulnerability.

[ltcommander.data]

Better late than never I guess.

In terms of versioning, Java 1.6 is actually up to Update 14 now, while Apple is only supplying Update 13 in this release. I can't really blame them since there probably wasn't enough turn-around time to incorporate Update 14 and the security patch available in Update 13 was more important anyways.

On the flip side, Apple actually incorporated Java 1.4.2 Update 21, which is considerate of them. Sun has EOL'd Java 1.4.2 for consumers and businesses still wanting support for versions greater than Update 19 have to pay Sun. It seems that Apple is paying Sun for continued support for Java 1.4.2 for all Mac users without charging us for the individual updates. Can't really complain about that although it is really Apple's obligation since Apple ships Java 1.4.2 as an integrated component of Tiger and Leopard so they really need to continue supporting for the OSs' lifecycle.

[MacTripper]

Apple should be ashamed of themselves.

This exploit has been in the wild for 6 months before going public.

Then it took Apple months to fix it after the latest OS X update when it did finally go public and the Mac community screamed bloody murder warning everyone to turn off Java.

"God knows how many have been exposed." - Alien 2

This is not the first time Apple has ignored a vital security threat.

The serious Metadata exploit (still not fixed completely) was submitted by many folks, including myself, with back and forth emails to Apple Security folks and then it went unfixed for YEARS!!

It's still technically unfixed, only a warning now that your downloading app/first time running a app. A work around basically.

I started to think, why did Apple take so long to fix this latest Java exploit? Was it so people would download Safari 4 with it's sandboxing of plug-ins?

Pump up the download numbers a little for marketing dept? Along with a forced upgrade on the Windows side?

Why is Apple so slow in fixing the open source parts of OS X? It's a security risk with them not paying enough attention too.

Perhaps it's so many eyes finding the flaws in open source that Apple can't handle it?

Geting like Microsoft slow, Apple is - yoda

[JavaCowboy]

I was very critical of Apple for leaving this vulnerability unpatched. Now, I want to congratulate them for doing the right thing. Better late than never!

But there's more good news. Apple has updated Java *to the most recent version put out by Sun*, which is Java 6 Update 14.

Since Apple is always well behind Sun on Java versions, this is a very pleasant surprise.

[Ossian]

Good to see this fixed at last. Apple seams to be to comfortable with relying on security through obscurity. I hope they are right. I'd prefer it if security got a higher priority.

[MadisonTate]

Who still uses Java? Especially on a Mac or an iPhone. Flash, I understand...even Silverlight, but who needs a nasty looking, slow Java applet on their speedy 8-core Mac Pro?

[Ireland]

158mb wt?

[Lorre]

Quote:

Originally Posted by MadisonTate

Who still uses Java? Especially on a Mac or an iPhone. Flash, I understand...even Silverlight, but who needs a nasty looking, slow Java applet on their speedy 8-core Mac Pro?

Photobucket has a bulk uploader applet that works great imo.

I'll take Java applets over Flash stuff any day... well written Java applets will run much better than Flash equivalents and with JavaFX, they can look just as good. Too bad Sun's latest efforts are too little too late...

Java applets have a bad rep from back in the day, as you just proved

[ltcommander.data]

Quote:

Originally Posted by JavaCowboy

I was very critical of Apple for leaving this vulnerability unpatched. Now, I want to congratulate them for doing the right thing. Better late than never!

But there's more good news. Apple has updated Java *to the most recent version put out by Sun*, which is Java 6 Update 14.

Since Apple is always well behind Sun on Java versions, this is a very pleasant surprise.

Apple is actually still behind. Apple's Java 1.6 is only up to Update 13 while the latest is Update 14. Apple is on par with Java 1.5 at Update 19. Significantly, Apple is ahead on Java 1.4.2 with Update 21 which is a paid update from Sun, since free consumer support for all other OS for Java 1.4.2 ended at Update 19.

[a_greer]

Am I the only one a little disturbed by this, itt took so long, much longer than any other vendor...so long that the researcher released the research to light a fire under them...

surte Windows has more volnerabilities, but Apple didnt seem to handle this one well at all...

[Kolchak]

I haven't run any of my browsers with Java enabled in over a decade. The first thing I do whenever I get a new browser is turn Java off. I only turn it on temporarily if I know that a site actually needs Java, like some online calculators.

[ghostface147]

Well I guess this doesn't apply to us Snow Leopard users, must be already protected.

[Beauty of Bath]

Most everyone takes 'security through obscurity' to mean one thing, Mac market share is too small to attract serious criminals. This runs contrary to the sporadic reports of Apple equipment, Macs, ipods, iPhones being targets for criminals. There is another kind of obscurity that assists security, don't tell people where to aim their attacks.

Kind of like locks on a door, if you know where they are you aim your battering ram at them. If you don't know where they are there's some trial and error involved in finding them. Now lets say for argument Apple has a great security technology developed in house, what should their approach be, broadcast it from the rooftops or keep it a secret?

I seriously doubt that Apple has a single great security technology that defeats the bad guys, I do think it extremely likely they have several unique technologies that make things more difficult for the bad guys, and they aren't likely to tell you or me about them.

[mdriftmeyer]

Quote:

Originally Posted by JavaCowboy

I was very critical of Apple for leaving this vulnerability unpatched. Now, I want to congratulate them for doing the right thing. Better late than never!

But there's more good news. Apple has updated Java *to the most recent version put out by Sun*, which is Java 6 Update 14.

Since Apple is always well behind Sun on Java versions, this is a very pleasant surprise.

Glad to see you're satisfied and you may now realize that by having to roll their own Java integration with OS X that it takes a bit longer to roll in updates and test them thoroughly before a simple apt-get upgrade.

[mdriftmeyer]

Quote:

Originally Posted by ghostface147

Well I guess this doesn't apply to us Snow Leopard users, must be already protected.

Testing rolls down hill. Get SL ready and then test in the back catalog.

[MadisonTate]

Quote:

Originally Posted by Lorre

Photobucket has a bulk uploader applet that works great imo.

I'll take Java applets over Flash stuff any day... well written Java applets will run much better than Flash equivalents and with JavaFX, they can look just as good. Too bad Sun's latest efforts are too little too late...

Java applets have a bad rep from back in the day, as you just proved

Actually, it's just the inconvenience. You have to download a 15-20MB thing that ends up showing you an applet that makes your computer look like something from the late 80s. It looks bad on Windows. On OS X, it sticks out like a sore thumb. Now, if you're running Linux or Solaris, it might be an improvement!

Have you seen the Hulu Desktop application or Pandora's desktop application? They remind me of Cocoa applications. Gorgeous enough to look like part of the OS. Hulu Desktop even gives Front Row a run for its money.

[solipsism]

Quote:

Originally Posted by ghostface147

Well I guess this doesn't apply to us Snow Leopard users, must be already protected.

No update for my SL either.

[solipsism]

Quote:

Originally Posted by MadisonTate

Have you seen the Hulu Desktop application or Pandora's desktop application? They remind me of Cocoa applications. Gorgeous enough to look like part of the OS. Hulu Desktop even gives Front Row a run for its money.

Are you referencing those apps to Java? I have used Hulu Deskop and it appears to be completely Flash, save for the the Cocoa wrapper.

I think it’s a bit busy, while Front Row is a bit too vanilla, but it is nice. I often prefer it to the website. It’s built with 10 Foot User Interface Guidleines so it’ll work quite well for Win or OS X media center. I’d like this to get added to the AppleTV, even if it means a hack, though for adding to the AppleTV I would have rather it was built with Silverlight so it could tap into the GPU.

[bobthedino]

Java is still important, just not for applets in web pages. Apple's own Final Cut Server user client is written in Java, for example - this enables it to run on both Mac OS X and Windows with minimal changes. Also Apple's WebObjects system is entirely implemented in Java - this runs things like the Apple Online Store.

For developers working on web services and web sites, having an up-to-date and secure Java is just as relevant as ever, and it is important that the Mac keeps up with the other platforms. For many, the additional benefits of running on a Mac (compared to Windows) make it more than worth the effort, no least because it's a proper UNIX system, and the server side of many web sites will be UNIX- or Linux-based.

[TBell]

Right. The Mac community was just up in arms over this. I think I read one article a few weeks ago from a so called security expert who said he was publishing the exploit with instructions how to implement it. I don't recall there being a rebellion. There likely never will be one so long as Macs remain unaffected by such exploits.

Quote:

Originally Posted by MacTripper

Apple should be ashamed of themselves.

This exploit has been in the wild for 6 months before going public.

Then it took Apple months to fix it after the latest OS X update when it did finally go public and the Mac community screamed bloody murder warning everyone to turn off Java.

"God knows how many have been exposed." - Alien 2

This is not the first time Apple has ignored a vital security threat.

The serious Metadata exploit (still not fixed completely) was submitted by many folks, including myself, with back and forth emails to Apple Security folks and then it went unfixed for YEARS!!

It's still technically unfixed, only a warning now that your downloading app/first time running a app. A work around basically.

I started to think, why did Apple take so long to fix this latest Java exploit? Was it so people would download Safari 4 with it's sandboxing of plug-ins?

Pump up the download numbers a little for marketing dept? Along with a forced upgrade on the Windows side?

Why is Apple so slow in fixing the open source parts of OS X? It's a security risk with them not paying enough attention too.

Perhaps it's so many eyes finding the flaws in open source that Apple can't handle it?

Geting like Microsoft slow, Apple is - yoda

[Quadra 610]

Quote:

Originally Posted by TBell

Right. The Mac community was just up in arms over this. I think I read one article a few weeks ago from a so called security expert who said he was publishing the exploit with instructions how to implement it. I don't recall there being a rebellion. There likely never will be one so long as Macs remain unaffected by such exploits.

The "Mac community" . . . the one on Mac fansites, of which only a percentage was actually concerned about this. I just wanted to make that distinction, that's all.

[JavaCowboy]

Quote:

Originally Posted by mdriftmeyer

Glad to see you're satisfied and you may now realize that by having to roll their own Java integration with OS X that it takes a bit longer to roll in updates and test them thoroughly before a simple apt-get upgrade.

I'm satisfied that they fixed it. I'm disappointed with how long it took to fix it.

Also, I may have been a little premature. Java applets are still super-slow... much slower than on my Windows laptop at work. Looks like Apple still has work to do.

[Mario]

Quote:

Originally Posted by MadisonTate

Who still uses Java? Especially on a Mac or an iPhone. Flash, I understand...even Silverlight, but who needs a nasty looking, slow Java applet on their speedy 8-core Mac Pro?

I don't think too many companies are relying on applets running in the browser, but a lot of companies still use Java for enterprise software, and complex web pages (java server pages). It is still the most popular language out there and the most mature and stable technology with amazingly good tools.

[Erunno]

A lot of banking sites where I come from still use Java applets, as does Wikipedia for movie/audio playback. As with Wikipedia Java applets might see a comeback as a fallback for browsers which do not support the <video> tag (especially when Theora is used).

There's simply no excuse for Apple taking this long to patch a major security bug for which a patch *does* exist. Since Apple seems to support Java only half-heartedly maybe they should consider coming to an agreement with Sun/Oracle (i.e. pay them) and let them develop an official version of Java for Mac. Maybe Java developers also wouldn't have to endure months until Apple catches up to the Windows/Linux versions.

[bryand]

I can't get it to install. I've tried on two different computers, a PowerPC and an intel Mac. They both end with an error saying the update can't be installed. I have quit the web browser, so that's not the problem. I can't find anything about this difficulty from Apple either.

[chronster]

Quote:

Originally Posted by bryand

I can't get it to install. I've tried on two different computers, a PowerPC and an intel Mac. They both end with an error saying the update can't be installed. I have quit the web browser, so that's not the problem. I can't find anything about this difficulty from Apple either.

You should take advantage of their amazing customer support that's so much better than anything you'll find in the PC world...

Seriously. Do it.

[MacTripper]

Quote:

Originally Posted by Erunno

...There's simply no excuse for Apple taking this long to patch a major security bug for which a patch *does* exist...

Sure there is, it's called 'running everything through the marketing department first' dam the security!

Java has a vulnerability, Safari 4 can sandbox plug-ins, thus this would be a powerful reason to get people to update to Safari 4.

Fix the Java issue afterwards, so what if it takes 9 months! Look at the results!

"11 million updated to Safari 4!!"

I wonder how many of those was out of fear of the Java exploits running lose?

[teckstud]

Dang -that patch hole fix took a long time to download and install.

[Erunno]

Quote:

Originally Posted by MacTripper

Java has a vulnerability, Safari 4 can sandbox plug-ins

This is a Snow Leopard only feature although Google claims that sandboxing works on Leopard just fine (in fact, according to them adding sandboxing to Chrome was easiest on OS X compared to the two other supported platforms).

[solipsism]

Quote:

Originally Posted by MacTripper

I wonder how many of those was out of fear of the Java exploits running lose?

I’d wager that relatively few people cared about that. I have had Java turned off for a couple years now and don’t recall ever needing to turn it on. It seems that most users don’t even know the difference between Java and JavaScript.

Quote:

Originally Posted by Erunno

This is a Snow Leopard only feature although Google claims that sandboxing works on Leopard just fine (in fact, according to them adding sandboxing to Chrome was easiest on OS X compared to the two other supported platforms).

I hope that Apple moves the sandboxing over to each tab, too. The plug-ins are nice, and perhaps they are the number one cause for browser crashes, but I’d like to be able to also kill a tab if it’s using too many resources. Perhaps even having the Force Quit window show the different tabs when you hold down the option key after the window appears. That would rock!

[mdriftmeyer]

Quote:

Originally Posted by bobthedino

Java is still important, just not for applets in web pages. Apple's own Final Cut Server user client is written in Java, for example - this enables it to run on both Mac OS X and Windows with minimal changes. Also Apple's WebObjects system is entirely implemented in Java - this runs things like the Apple Online Store.

For developers working on web services and web sites, having an up-to-date and secure Java is just as relevant as ever, and it is important that the Mac keeps up with the other platforms. For many, the additional benefits of running on a Mac (compared to Windows) make it more than worth the effort, no least because it's a proper UNIX system, and the server side of many web sites will be UNIX- or Linux-based.

Yes, but for how much longer? Seeing Federighi on-stage was a breath of fresh air as I used to work with him. When he left and EOF floundered it was obvious they were going from ObjC to Java in WOF back in the day.

Now that everything is moving back to ObjC as it should, moving WOF to Cocoa will be a snap and the leverage of added value from Foundation/AppKit to WOF will be enormous.

Adding CoreData/CoreImaging and more on the server side to off-load heavy lifting and giving one the option to hook in HTML5, Javascript/Ajax and more on the front end would be very nice indeed.

Apple's push in the Enterprise is going to need Server-side meat other than Java to make XServers and OS X Server even more compelling.

[PXT]

Surely it requires three vulnerabilities for this Java exploit to work. First in Java to allow a request for unacceptable permissions to be made by the java code, then in Safari to pass the request onto the OS, then in the OS to grant them.

There is more to this than a Java patch and a great deal that can be done to secure our systems.

[JavaCowboy]

Quote:

Originally Posted by mdriftmeyer

Yes, but for how much longer? Seeing Federighi on-stage was a breath of fresh air as I used to work with him. When he left and EOF floundered it was obvious they were going from ObjC to Java in WOF back in the day.

Now that everything is moving back to ObjC as it should, moving WOF to Cocoa will be a snap and the leverage of added value from Foundation/AppKit to WOF will be enormous.

Have you ever held a full-time job as a programmer? I'm not trying to insult you, just trying to understand why would make such a statement. In my experience, switching stable production systems to entirely new frameworks and technologies is extremely hard. Despite Apple's change of attitude toward Java and Objective-C, rewriting WebObjects, the iTunes store, the AppStore (and their iPhone equivalents), not to mention the Apple online store will be require an enormous amount of work (re-coding, re-testing, QA, tons of errors in production, re-coding, re-testing, etc). It's a potential disaster. Apple is smart enough not to do this. They know that rewriting things takes forever...look how long it took OS X to come out.

Quote:

Adding CoreData/CoreImaging and more on the server side to off-load heavy lifting and giving one the option to hook in HTML5, Javascript/Ajax and more on the front end would be very nice indeed.

You do understand the distinction between server-side and client-side programming in web applications, don't you? WebObjects produces HTML/JavaScript/CSS. It doesn't use Applets or any other Java client-side technologies. It's all server-side. There's absolutely nothing preventing Apple from using a Java back-end and an HTML5/AJAX front-end.

Quote:

Apple's push in the Enterprise is going to need Server-side meat other than Java to make XServers and OS X Server even more compelling.

You do know that Java is pretty much the preferred server-side technology for the enterprise, don't you? I've worked for a couple of Fortune 500 companies, and they both used Java extensively. Hell, I'm sure they would lose lots of enterprise business if they replaced the Java buzz-word with the Objective-C buzz-word. Aside from that, Java is battle-tested under heavy loads in enterprise scenarios on enterprise servers. Objective-C has not.

End of story.

Do some basic research before claiming to know anything about this stuff.

[VisualZone]

Quote:

Originally Posted by bryand

I can't get it to install. I've tried on two different computers, a PowerPC and an intel Mac. They both end with an error saying the update can't be installed. I have quit the web browser, so that's not the problem. I can't find anything about this difficulty from Apple either.

First, enable Java and then close Safari. After that, then do the update.

[Bergermeister]

Java? Isn't that a nice coffee?

[VisualZone]

I had a half a dozen other updates that weren't mentioned so I'll just provide the link to them:

http://support.apple.com/downloads/

Btw, looks like there's a patch for that app iDVD that Apple seems to want to get rid of. At least that's what I'm hearing. Anyone else hear more about iDVD?

[Erunno]

Quote:

Originally Posted by solipsism

I hope that Apple moves the sandboxing over to each tab, too. The plug-ins are nice, and perhaps they are the number one cause for browser crashes, but I’d like to be able to also kill a tab if it’s using too many resources. Perhaps even having the Force Quit window show the different tabs when you hold down the option key after the window appears. That would rock!

I think you are confusing process-per-tab with sandboxing here. Sandboxing is a security feature which drastically limits the execution environment to a heavily controlled subset. How and where Apple will use sandboxing in Safari is still not known (to me, at least). From what I could gather at the WWDC keynote Safari 4 on Snow Leopard will support out of process plug-ins. Process-per-tab will probably require substantial rewrites of the whole Safari architecture so I don't hold my breath that we will see it before Safari 5 (if at all).

And it begs the question why this features are not available for Leopard users if Google is able to do so with Chrome (hint: quick money grab).

[Erunno]

Quote:

Originally Posted by JavaCowboy

Apple is smart enough not to do this. They know that rewriting things takes forever...look how long it took OS X to come out.

Even more important, what business benefits would Apple's business have from such a rewrite? I reckon close to none. You are right, some people here clearly confuse server-side and client-side programming.