
Apple pushes out Java security update

post #1 of 22
Thread Starter 
Apple has released a security update to plug a number of holes that allowed malicious software to run on a user's Mac outside of the Java sandbox.

The Tuesday update for OS X Lion and Mac OS X 10.6 is said to fix "multiple vulnerabilities in Java 1.6.0_29" that could allow a piece of code to be run just by visiting an offending webpage.

From Apple's document:
Quote:
Description: Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_31. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html




The OS X Lion version of the update weighs in at 66.9MB and the Mac OS X 10.6 download comes in at 79.7MB. Both can be downloaded through Apple's support pages or via Software Update.

post #2 of 22
IMO this took waaay too long. Guess this is why Apple stopped bundling Java...
post #3 of 22
Quote:
Originally Posted by bluefish86 View Post

IMO this took waaay too long. Guess this is why Apple stopped bundling Java...

This might make sense if Apple responded to every vulnerability for every library included with Mac OS quickly. But they don't, often leaving open significant vulnerabilities for a very long time.
post #4 of 22
I wonder when Android will get this update, given that nearly none of the devices run the current OS version.
"That (the) world is moving so quickly that iOS is already amongst the older mobile operating systems in active development today." — The Verge
post #5 of 22
Quote:
Originally Posted by Macky the Macky View Post

I wonder when Android will get this update, given that nearly none of the devices run the current OS version.

That particular Java issue doesn't apply to Android, nor iOS for that matter AFAIK. I find no mention of it.
melior diabolus quem scies
post #6 of 22
Quote:
Originally Posted by Gatorguy View Post

That particular Java issue doesn't apply to Android, nor iOS for that matter AFAIK. I find no mention of it.

The Windows version of Java got this update several weeks ago, could be a month. I suspect the vulnerabilities were over there, too, but the press kept silent about them. Only when things pop up on the Apple side will they generate enough page views to make doing the story worthwhile.
post #7 of 22
Quote:
Originally Posted by lukevaxhacker View Post

The Windows version of Java got this update several weeks ago, could be a month. I suspect the vulnerabilities were over there, too, but the press kept silent about them. Only when things pop up on the Apple side will they generate enough page views to make doing the story worthwhile.

Yeah, the vulnerability applied to all desktop OSes. It was fixed for all but OS X back in mid February.
post #8 of 22
This goes to show why Apple did the right thing by handing over Mac Java to Oracle and getting out of the game of rolling their own JDK/JRE.

Apple has always been quite late in updating Java, not just for major releases, but for security fixes as well. This has always been the case, even when Apple was gung ho on Java in the early 2000's.

Due to their previous commitments, they still have an obligation to maintain the Java releases within that commitment, including Java 6. Once Oracle distributes Java 7 for Mac and Java 6 falls into disuse (free support will be discontinued by Oracle in Nov 2012), then Apple will be totally off the hook.

What I don't understand is why Apple took this long to hand over support to Oracle, or Sun when it was still a separate company.
post #9 of 22
Quote:
Originally Posted by bluefish86 View Post

Yeah, the vulnerability applied to all desktop OSes. It was fixed for all but OS X back in mid February.

Then it obviously wouldn't apply to Android or iOS. Thank you sir.
melior diabolus quem scies
post #10 of 22
Fantastic, I am glad they finally fixed Java's security flaws in the Mac OS X implementation, monthly for the last ten or twelve years.
post #11 of 22
I guess I don't have java installed since the updater says I have nothing to update.
Is there an advantage to installing java? Does it make web surfing better in any way?
post #12 of 22
Quote:
Originally Posted by steve666 View Post

I guess I don't have java installed since the updater says I have nothing to update.
Is there an advantage to installing java? Does it make web surfing better in any way?

Only if you go to sites that have Java applets or run Java applications. Seeing as you don't have it show up I'm picking you don't.
post #13 of 22
I wonder if Sun will eventually shut down the JAVA end of its company eventually because of HTML 5?
An Apple man since 1977
post #14 of 22
Then I guess I'll leave it be
post #15 of 22
Quote:
Originally Posted by tylerk36 View Post

I wonder if Sun will eventually shut down the JAVA end of its company eventually because of HTML 5?

They're really apples and oranges.
post #16 of 22
Quote:
Originally Posted by tylerk36 View Post

I wonder if Sun will eventually shut down the JAVA end of its company eventually because of HTML 5?

It sounds like you are making the age-old mistake of confusing Java with JavaScript. JavaScript is primarily a Web technology although it is used in a tiny fraction of non-Web applications. Java is used in some Web applications, but is also used for applications that appear to be standalone. The very popular US Government-owned graphics editor and analysis application, ImageJ, is Java-based. Virtually all Mac torrent clients are Java-based. My firm uses a vertical market Oracle integrated database that is administered via the company's browser-based applet running within a browser. Before the OEM switched to Java, there was no Mac-based solution to administering the database. The application is no longer in development, but it shows you just how important Java is to the Mac. Microsoft's last version of Windows Media Player for Mac was Java-based.

On the one hand, you may rightfully assert that each example cited above and many others can be rewritten in Objective-C and compiled in a binary application. On the other hand, you will have to admit that the large number and variety of applications involved means that the changeover will take several years if Java were slated to go away. In some cases such as the case of my firm's vertical-market administration client, it is likely that we would never have a binary replacement.
post #17 of 22
Quote:
Originally Posted by steve666 View Post

I guess I don't have java installed since the updater says I have nothing to update.
Is there an advantage to installing java? Does it make web surfing better in any way?

If you browse to a website which uses Java, Safari will prompt you to install Java if you don't have it installed. So you can just wait until you need it.

If you want to install it anyways, you can launch the Java Preferences application (found in Applications -> Utilities).
 
post #18 of 22
Apple releasing this is probably a direct response to Firefox now blacklisting older versions of java.

https://threatpost.com/en_us/blogs/m...ocklist-040312

Apparently, there has been a recent string of attacks using the vulnerability which was patched in this version.
post #19 of 22
Quote:
Originally Posted by auxio View Post

If you browse to a website which uses Java, Safari will prompt you to install Java if you don't have it installed. So you can just wait until you need it.

If you want to install it anyways, you can launch the Java Preferences application (found in Applications -> Utilities).

I've never seen that warning, but I do have websites that just won't function well with Safari, but that could be another issue.
post #20 of 22
Quote:
Originally Posted by Gatorguy View Post

Then it obviously wouldn't apply to Android or iOS. Thank you sir.

Thank goodness - seeing as how the overwhelming majority of Android users never get updates.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #21 of 22
Quote:
Originally Posted by Mr. Me View Post

It sounds like you are making the age-old mistake of confusing Java with JavaScript. JavaScript is primarily a Web technology although it is used in a tiny fraction of non-Web applications. Java is used in some Web applications, but is also used for applications that appear to be standalone. The very popular US Government-owned graphics editor and analysis application, ImageJ, is Java-based. Virtually all Mac torrent clients are Java-based. My firm uses a vertical market Oracle integrated database that is administered via the company's browser-based applet running within a browser. Before the OEM switched to Java, there was no Mac-based solution to administering the database. The application is no longer in development, but it shows you just how important Java is to the Mac. Microsoft's last version of Windows Media Player for Mac was Java-based.

On the one hand, you may rightfully assert that each example cited above and many others can be rewritten in Objective-C and compiled in a binary application. On the other hand, you will have to admit that the large number and variety of applications involved means that the changeover will take several years if Java were slated to go away. In some cases such as the case of my firm's vertical-market administration client, it is likely that we would never have a binary replacement.

I have a 'mission critical' app at my business that relies on Java. Installing patch as we speak.

Ars has posted a link to this site which gives instructions on how to determine if your machine is already infected.

So far all my machines have tested clean.
post #22 of 22
Quote:
Originally Posted by backtomac View Post

I have a 'mission critical' app at my business that relies on Java. Installing patch as we speak.

Ars has posted a link to this site which gives instructions on how to determine if your machine is already infected.

So far all my machines have tested clean.

Being rather new to the Mac OS, I'm happy to say that mine tested clean too. I followed the link in a Forbes article, An Easy Way To Check Your Mac For The Flashback Malware, and then downloaded the quick check utility from this page: https://github.com/jils/FlashbackChecker/wiki

Judging by what I've read, I've assumed that VirusBarrier Express is one of the better Mac virus protection programs? Do the more experienced users here agree with that?
If two people always agree, then one of them is redundant.