
After being hacked, Apple pushes out Java update to patch security hole

post #1 of 41
Thread Starter 
Just hours after Apple announced that it too was victim to a wide-ranging malware attack, the company released a new version of Java for OS X to plug a hole in the software that can be exploited to install malware onto an affected machine.

Java Update


According to the release notes, "Java for OS X 2013-001 1.0" brings improvements to security, reliability and compatibility by updating Java SE 6 to version 1.6.0_41.

This release updates the Apple-provided system Java SE 6 to version 1.6.0_41 and is for OS X versions 10.7 or later.

This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a webpage, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle.

This update also removes the Java Preferences application, which is no longer required to configure applet settings.


Earlier on Tuesday, Apple disclosed that a limited number of employee laptops were attacked by the same group responsible for hacking social networking site Facebook. The company said there is no evidence that vital information was compromised or stolen as a result of the attack.

While not much is known about the Apple breach, the malware deployment is thought to have been disseminated through a Java zero day exploit that hit Facebook's systems late last week.

The Java update can be downloaded via Apple's Support webpage or through Software Update.
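A way to check a machine against the level named in the release notes above, as an added example that is not part of the original article or thread: the functions parse the legacy `1.<family>.<minor>_<update>` string that `java -version` prints and compare it with 1.6.0_41. The function names, result labels and sample output are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the article): compare a Java SE 6 version string
# against the level named in the release notes, 1.6.0_41.
BASELINE_FAMILY=6
BASELINE_UPDATE=41

# Constructed sample of `java -version` output (the command writes to stderr).
# The build suffix "-b00" is a placeholder, not a real build number.
SAMPLE_OUTPUT='java version "1.6.0_37"
Java(TM) SE Runtime Environment (build 1.6.0_37-b00)'

# Print the quoted version string from the first matching line.
extract_java_version() {
    printf '%s\n' "$1" | sed -n 's/^.* version "\([^"]*\)".*$/\1/p' | sed -n '1p'
}

# Split legacy 1.<family>.<minor>[_<update>] into "family minor update".
# Prints nothing when the string does not have that shape.
split_legacy_version() {
    printf '%s\n' "$1" | sed -n \
        's/^1\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(_\([0-9][0-9]*\)\)\{0,1\}\(-.*\)\{0,1\}$/\1 \2 \4/p'
}

# Classify a version string relative to the Java SE 6 baseline.
classify_java() {
    parts=$(split_legacy_version "$1")
    if [ -z "$parts" ]; then
        echo "unparsed"
        return 0
    fi
    # Word splitting is intended: $parts holds "family minor update".
    set -- $parts
    family=$1
    update=${3:-0}   # "1.6.0" with no _NN suffix counts as update 0
    if [ "$family" -ne "$BASELINE_FAMILY" ]; then
        # The release notes only cover Apple's Java SE 6; make no claim here.
        echo "other-family"
    elif [ "$update" -ge "$BASELINE_UPDATE" ]; then
        echo "at-or-above-baseline"
    else
        echo "below-baseline"
    fi
}

# On a real machine: classify_java "$(extract_java_version "$(java -version 2>&1)")"
found=$(extract_java_version "$SAMPLE_OUTPUT")
printf '%s -> %s\n' "$found" "$(classify_java "$found")"
```

A Java 7 string such as 1.7.0_13 is reported as `other-family` because the quoted release notes give a patched level only for Java SE 6.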
post #2 of 41
Snow Leopard?

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #3 of 41
This updated my 10.6 Snow Leopard.
Went to http://www.java.com/en/download/testjava.jsp to confirm.
post #4 of 41

Apple not hacked.

 

Java hacked.

 

Again.

My car keeps crashing whenever I do 150mph. It's a design flaw. People tell me to slow down and drive normally but I should be able to use it as I wish.
post #5 of 41
The sooner we can kill off Java (and Flash), the better
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #6 of 41
Quote:
Originally Posted by GTR View Post

Apple not hacked.

Java hacked.

Again.
Apple, Inc. hacked.
post #7 of 41

This line from the article is a bit curious:

 

"This update uninstalls the Apple-provided Java applet plug-in from all web browsers."

 

Perhaps the hackers found a way to force browsers to load the (older) Apple-provided Java applet plugin on systems which still have it installed?

 
post #8 of 41
Quote:
Originally Posted by auxio View Post

This line from the article is a bit curious:

 

"This update uninstalls the Apple-provided Java applet plug-in from all web browsers."

 

Perhaps the hackers found a way to force browsers to load the (older) Apple-provided Java applet plugin on systems which still have it installed?


Very good observation. That's my conclusion as well; the old Apple Java is still around.

Now they say the web site source of this hacking has been found. Now to hack it into doing nothing!

post #9 of 41
Quote:
Originally Posted by jragosta View Post

The sooner we can kill off Java (and Flash), the better

Simple. Just learn to live without the powerful beneficial features those applications offer.

 

Sort of like suggesting a ban on cars because drunk drivers kill innocent people.

Life is too short to drink bad coffee.

post #10 of 41
Quote:
Originally Posted by mstone View Post

Simple. Just learn to live without the powerful beneficial features those applications offer.

Sort of like suggesting a ban on cars because drunk drivers kill innocent people.

Not even close.

There's no need for Java or Flash. They are simply tools used by developers who are too lazy to do proper development.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #11 of 41
Quote:
Originally Posted by jragosta View Post

There's no need for Java or Flash. They are simply tools used by developers who are too lazy to do proper development.

In your opinion perhaps but I disagree. The reason to use those tools is because no other tools exist which can provide the same functionality.

Life is too short to drink bad coffee.

post #12 of 41
Originally Posted by jragosta View Post
There's no need for Java or Flash. They are simply tools used by developers who are too lazy to do proper development.

 

Agreed, but let's say "modern development". Quite a bit of legitimate work has gone into Java items over the years. 

 

Post-Macromedia Flash can burn for all I care.

Originally Posted by helia

I can break your arm if I apply enough force, but in normal handshaking this won't happen ever.
post #13 of 41
Quote:
Originally Posted by mstone View Post

In your opinion perhaps but I disagree. The reason to use those tools is because no other tools exist which can provide the same functionality.

Nonsense. Name one thing that Java or Flash can do that no other tool can do.

Again, it's mostly lazy developers who keep them going.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #14 of 41

Great. More of this Java version nightmare. Online web version checker tells me it can't detect Java. Terminal tells me Java 1.6.0_37 (why the 1 in front?). I thought I'd upgraded to Oracle Java 1.7.0_13, but maybe this was disabled. How are regular computer users supposed to cope?

post #15 of 41
Quote:
Originally Posted by jragosta View Post


Nonsense. Name one thing that Java or Flash can do that no other tool can do.

Again, it's mostly lazy developers who keep them going.

I'm no great fan of Java or Flash. But if you mean lazy developers who use tools that make what they want to do easier, then that's a good thing. And what do you mean by doing 'proper development'? Scala maybe - but that runs in the JVM. C++?? - the worst language ever (well almost). Machine code/assembler? - horrors.

 

Manipulating data in registers rather than high-level constructs? Well any programming model that has registers in it and exposes programmers to a memory hierarchy is fundamentally broken (Android, maybe). Registers should be a machine-level optimisation, invisible to programmers like L1, L2, L3 cache (registers are a form of cache - in fact all memory is a level of cache).

 

At the user level, iOS gets this right - no longer do users 'save' their data out to disk. This is handled automatically by the application/OS and thus the distinction of memory levels as far as the user understands is not there. Thus main memory is just a cache for the document you are currently working on.

 

We need that transparency of memory levels in programming models - then we'll be doing proper development (like the conceptually very simple and powerful Turing machine and hopefully passed to Apple via Alan Kay and Bob Barton who understood why programmer-visible registers are bad).

post #16 of 41
Quote:
Originally Posted by jragosta View Post

Quote:
Originally Posted by mstone View Post

In your opinion perhaps but I disagree. The reason to use those tools is because no other tools exist which can provide the same functionality.

Nonsense. Name one thing that Java or Flash can do that no other tool can do.

Again, it's mostly lazy developers who keep them going.

Got to love those lazy programmers who coded Google's finance application. That is probably one of the most sophisticated programs to ever run in a browser although there are others that cannot be matched using HTML5. I offered one of my own programs for example a year or two ago as an example, I won't bother reposting it as I have nothing to prove, but I suspect some members here remember my medical x-ray program. If one was to uninstall Flash player and visit the Google finance page you would see the best Google's engineers were able to do using JS. It is far from feature parity with the Flash version and Google's JS programmers are possibly the best in the industry.

Life is too short to drink bad coffee.

post #17 of 41
Quote:
Originally Posted by mstone View Post

Got to love those lazy programmers who coded Google's finance application. That is probably one of the most sophisticated programs to ever run in a browser although there are others that cannot be matched using HTML5. I offered one of my own programs for example a year or two ago as an example, I won't bother reposting it as I have nothing to prove, but I suspect some members here remember my medical x-ray program. If one was to uninstall Flash player and visit the Google finance page you would see the best Google's engineers were able to do using JS. It is far from feature parity with the Flash version and Google's JS programmers are possibly the best in the industry.

IOW, you can't name a single thing that Flash or Java will do that couldn't be done by some other method.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #18 of 41
Quote:
Originally Posted by jragosta View Post

 

IOW, you can't name a single thing that Flash or Java will do that couldn't be done by some other method.

I thought I just provided a perfectly good example of how Flash exceeds any other technology for certain applications. I agree with many others here that the unnecessary use of Flash or Java simply for the ease of development of pointless animations is stupid.

 

Try to access the Official US Time site www.time.gov

 

You need either Flash or Java as that is the only way to access the atomic clocks of the National Institute of Technology.

Life is too short to drink bad coffee.

post #19 of 41
Quote:
Originally Posted by mstone View Post

I thought I just provided a perfectly good example of how Flash exceeds any other technology for certain applications. I agree with many others here that the unnecessary use of Flash or Java simply for the ease of development of pointless animations is stupid.

Try to access the Official US Time site www.time.gov

You need either Flash or Java as that is the only way to access the atomic clocks of the National Institute of Technology.

Nonsense. You said that you could not substitute other programming languages for Flash or Java. None of your examples support your contention. In fact, that last example is just silly. There's absolutely nothing difficult about accessing atomic clocks - ANY language could easily do that.

Even if Flash or Java might be easier for some things (which you haven't proven, btw), that's a long way from your claim that it's the only way to do those things.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #20 of 41
Quote:
Originally Posted by jragosta View Post

Quote:
Originally Posted by mstone View Post

I thought I just provided a perfectly good example of how Flash exceeds any other technology for certain applications. I agree with many others here that the unnecessary use of Flash or Java simply for the ease of development of pointless animations is stupid.

Try to access the Official US Time site www.time.gov

You need either Flash or Java as that is the only way to access the atomic clocks of the National Institute of Technology.

Nonsense. You said that you could not substitute other programming languages for Flash or Java. None of your examples support your contention. In fact, that last example is just silly. There's absolutely nothing difficult about accessing atomic clocks - ANY language could easily do that.

Even if Flash or Java might be easier for some things (which you haven't proven, btw), that's a long way from your claim that it's the only way to do those things.

Ok then please refer me to the better finance app than Google's and the better way to access the atomic clocks than time.gov and I will use those applications instead. I'm happy to give up Flash and Java as long as there is an equivalent platform to replace it.

Life is too short to drink bad coffee.

post #21 of 41
Quote:
Originally Posted by jragosta View Post


Nonsense. Name one thing that Java or Flash can do that no other tool can do.

Again, it's mostly lazy developers who keep them going.

 

You're a simple minded fool if you believe this. Just because 90% of the world does simple work or basic application doesn't mean something like Java in its entirety is lazy. I'd love for you to walk downstairs and tell the guys on the floor below me (some of the best in the business) they are all lazy keeping nearly a billion dollars worth of global applications running 24/7.

 

Nevermind go any further than skin deep in the SAP world and you'll be in a sea of Java.

I'm not a pessimist. I'm an optimist, with experience.
post #22 of 41
Quote:
Originally Posted by mstone View Post

Simple. Just learn to live without the powerful beneficial features those applications offer.

 

Sort of like suggesting a ban on cars because drunk drivers kill innocent people.

 

Powerful beneficial features? I haven't used Flash in years and I've had Java turned off ever since Apple suggested it.

I hardly notice the difference at all. The occasional site I run into that needs Flash? — I've found I don't need it (they're usually luddites anyway.)

post #23 of 41

BTW where is this update?  Software update shows nothing.

post #24 of 41
Quote:
Originally Posted by DESuserIGN View Post

Quote:
Originally Posted by mstone View Post

Simple. Just learn to live without the powerful beneficial features those applications offer.

 

Sort of like suggesting a ban on cars because drunk drivers kill innocent people.

 

Powerful beneficial features? I haven't used Flash in years and I've had Java turned off ever since Apple suggested it.

I hardly notice the difference at all. The occasional site I run into that needs Flash? — I've found I don't need it (they're usually luddites anyway.)

Thanks for reaffirming my point. If your needs do not include Flash or Java then you can disable them and carry on. For those who need the enhanced functionality they can utilize it and their clientele can either install the necessary plugins or not as they decide. No cause for some sort of enforced abolishment of the platform. To each their own, use it or not, your choice.

Life is too short to drink bad coffee.

post #25 of 41
Originally Posted by WelshDog View Post
BTW where is this update?  Software update shows nothing.

 

You have to navigate to Software Update in the Apple Menu for updates to show up in the App Store. It's stupid, but hey.

Originally Posted by helia

I can break your arm if I apply enough force, but in normal handshaking this won't happen ever.
post #26 of 41
Quote:
Originally Posted by jragosta View Post

The sooner we can kill off Java (and Flash), the better

 

Steve Jobs' hard stand on keeping Flash off iOS is making the world better, contrary to what Adobe and Google said at the time.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #27 of 41

Actually the "Time Widget" seems to work perfectly well without java or flash.

 

Quote:
Originally Posted by mstone View Post

Try to access the Official US Time site www.time.gov

 

You need either Flash or Java as that is the only way to access the atomic clocks of the National Institute of Technology.

 

I do agree though that Flash does some things that HTML won't. But I see no reason for that in a browser, just as I see no reason to use flash to play video. I find the free TOS application (now TDWaterhouse) far better for good financial info than Google. But GoogleFinance with flash is very nice [best on the web, that I've seen, that is.]

post #28 of 41
Quote:
Originally Posted by thataveragejoe View Post

 

You're a simple minded fool if you believe this. Just because 90% of the world does simple work or basic application doesn't mean something like Java in its entirety is lazy. I'd love for you to walk downstairs and tell the guys on the floor below me (some of the best in the business) they are all lazy keeping nearly a billion dollars worth of global applications running 24/7.

 

Nevermind go any further than skin deep in the SAP world and you'll be in a sea of Java.

 

While I agree that java does not equate with lazy programming, it seems pretty obvious that it is a mess security wise. In which case, it seems imprudent to stake the success of a "billion dollar" global enterprise on its continued use in an increasingly hostile environment. I have no idea if it can be fixed, but its essential nature, at least as it has evolved, seems like it could ensure security difficulties.

post #29 of 41
Quote:
Originally Posted by DESuserIGN View Post

Actually the "Time Widget" seems to work perfectly well without java or flash.

Really? Try to right click on the widget. In my experience it displays the Flash options, but I have Flash so I'm not sure what you are experiencing; however, the web page does say that Flash Player is required.

Life is too short to drink bad coffee.

post #30 of 41

Righto!

Quote:
Originally Posted by mstone View Post

Really? Try to right click on the widget. In my experience it displays the Flash options, but I have Flash so I'm not sure what you are experiencing; however, the web page does say that Flash Player is required.

 

Sorry, I'm not on my own computer and although clicktoflash is installed, it's not enabled.

But honestly, Flash or Java aren't necessary for such a thing, even if it is a handy solution.

post #31 of 41

So Apple finally lost their patience? Applet removed from all browsers (not just disabled) and Java preferences app gone from /Applications/Utilities. Apple's Java is now a command-line only Java. If you want applets you need to go to oracle.com.

post #32 of 41
Quote:
Originally Posted by mstone View Post

Thanks for reaffirming my point. If your needs do not include Flash or Java then you can disable them and carry on. For those who need the enhanced functionality they can utilize it and their clientele can either install the necessary plugins or not as they decide. No cause for some sort of enforced abolishment of the platform. To each their own, use it or not, your choice.

Still waiting for those things that can only be done with Flash or Java. So far, the only example was a simple time display tool that could have been written in any language.

There's absolutely nothing that Java or Flash requires that couldn't be done with a secure platform.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #33 of 41

Seems like the unspoken point of contention in this thread is how much functionality can be offered through a web browser. Half of you are arguing about java on the desktop, the other half via web, a third half on servers, and no one is clarifying which. Backend, server-side java is apples and oranges to any client java runtime.

Bit like the evolution-vs-creationism 'debate,' which is only possible due to one side fatally misunderstanding what the other actually is.

 

FWIW, flash is a lousy platform for video delivery, but I have no problem with flash being used by animation houses (Harvey Birdman, MLP, etc).

[this account has been abandoned]

post #34 of 41
Quote:
Originally Posted by jragosta View Post

Still waiting for those things that can only be done with Flash or Java. So far, the only example was a simple time display tool that could have been written in any language.

There's absolutely nothing that Java or Flash requires that couldn't be done with a secure platform.

I don't know where you get this notion of any language. I'm talking about a browser. It only understands Javascript or something with a runtime environment like Flash, Java, or Silverlight. Javascript has become the go to environment for those who want Flash-like features without Flash. It works like Flash in some regards but it is far from ideal in many situations because there are so many different implementations of JS in the different browsers.

 

There are many issues with complex animation in Javascript. One significant difference with Flash vs Javascript is that Flash uses the functionality of MovieClips. The MovieClip entity can be extremely complex and can be manipulated as a whole which is much more powerful than the Javascript method of controlling the DOM and using Divs as their container. This is the essential reason that Flash is so much better at animation than Javascript.

Life is too short to drink bad coffee.

post #35 of 41
@jragosta

Java is just the most popular programming language as of today but you know better, alright? What is your amazing curriculum and career portfolio when it comes to "proper development"? Please show us all, right now I won't hold my breath...
post #36 of 41
Originally Posted by Sensi View Post
Java is just the most popular programming language as of today…

 

Because of Android. Because of terrible software written for Android. If Google had any form of curation whatsoever, Java would be steeply on the fall into obscurity.

Originally Posted by helia

I can break your arm if I apply enough force, but in normal handshaking this won't happen ever.
post #37 of 41
Quote:
Originally Posted by Tallest Skil View Post

Originally Posted by Sensi View Post
Java is just the most popular programming language as of today…

 

Because of Android. Because of terrible software written for Android. If Google had any form of curation whatsoever, Java would be steeply on the fall into obscurity.

Java programming for servers, or as you mention Android OS which is not really Java, has nothing to do with the Java applets that run in a browser which is the topic at hand since that is how the hackers compromised the laptops. Several commenters, I believe, have confused the two different Java implementations. It is true that Java such as .jsp server side programming is extremely common in large enterprise level applications such as SAP, Oracle, and many other huge companies. These major software businesses are supporting millions of lines of Java code and are not likely to scrap it and start over anytime soon, so yes it is a very popular programming language. As far as Java applets running in a browser is concerned, it is almost entirely extinct already as Flash has by a large degree replaced it.

Life is too short to drink bad coffee.

post #38 of 41
Quote:
Originally Posted by mstone View Post

In your opinion perhaps but I disagree. The reason to use those tools is because no other tools exist which can provide the same functionality.

CSS, HTML5 and Javascript sIFR. Credible and efficient replacements for 20 year old Flash, and java. Only lazy devs wish to hold onto flash, as they don't have to think, instead of code. Have a read. http://en.wikipedia.org/wiki/Scalable_Inman_Flash_Replacement
post #39 of 41
Quote:
Originally Posted by Kr00 View Post

CSS, HTML5 and Javascript sIFR. Credible and efficient replacements for 20 year old Flash, and java. Only lazy devs wish to hold onto flash, as they don't have to think, instead of code. Have a read. http://en.wikipedia.org/wiki/Scalable_Inman_Flash_Replacement

 

Perhaps you should read it too.

 

Quote:
sIFR requires JavaScript to be enabled and the Flash plugin installed...

Life is too short to drink bad coffee.

post #40 of 41

Java SE 7u15 is the latest release by Oracle, OS X is still with Java SE 6?

 

*All* software contains vulnerabilities (that includes both OS X and iOS) and it's just a matter of patching them early.

 

Java technologies are used everywhere (eg, twitter runs Scala which runs on the JVM, Android runs Dalvik JVM, eBay and Amazon both use Java Servlets) so Oracle just have to be on the ball with updates. As for the browser plug-in, I only use it rarely, maybe that's why Oracle doesn't pay too much attention to it.
