
Security firm warns of Java vulnerability in Mac OS X

post #1 of 55
Thread Starter 
The version of Java that Apple currently includes with Mac OS X contains a critical security vulnerability that has gone unrepaired for months and may put Mac OS X users at risk, Mac security software developer Intego said Wednesday.

The firm says that Java, which can be used to write standalone applications that run across multiple platforms or applets that are embedded in web pages, has a serious flaw that could allow local code on a user's Mac to be executed remotely.

"This can lead to 'drive-by attacks,' where users are attacked simply by visiting a malicious web site and loading a web page," the firm said.

The exploit could allow a third party to execute code, access or delete files, or run applications on the compromised machine. Combined with other exploits, hackers could even potentially run system-level processes and gain total access over the affected Mac.

Since the vulnerability relies solely on Java, with no native code required, it theoretically exists in all browsers on all platforms that have not been patched. This is the case with Mac OS X 10.5.7 and earlier, meaning the vulnerability affects even the update released just a week ago.

The firm claims that Apple has been aware of the exploit for at least five months, when it was publicly disclosed and fixed by Sun, but has yet to issue a security patch. It was first discovered by Landon Fuller, who has released a proof of concept exemplifying the security hole.

Intego says it has not found any malicious applets in the wild thus far, but the publicity around this vulnerability may entice hackers to target the exploit before Apple issues a security update. The firm's VirusBarrier X5 already blocks potential malware, but unless users are sure they trust the site they're viewing, simply disabling Java in the browser may provide the best protection while Apple works on a fix.



To do this, launch Safari, choose Safari > Preferences, click the Security tab, and uncheck Enable Java if it is checked. In Firefox, this setting is found on the Content tab of the program’s preferences. It is safe to leave JavaScript activated, since the vulnerability only affects Java applets.
post #2 of 55
Considering that I have NoScript installed in Firefox in addition to having Java disabled browser-wide unless I need it for a specific website, I should be fairly safe for a moment.

Also, "the Apple" sounds much better, as long as you disregard grammar.
post #3 of 55
Quote:
Originally Posted by bobmarleypeople View Post

Considering that I have noscript installed in Firefox in addition to having Java disabled browser-wide unless I need it for a specific website, I should be fairly safe for a moment.

Also, "the Apple" sounds much better, as long as you disregard grammar.

The issue with Java on the Mac wouldn't surprise me, as the Mac version of Java is FAR behind the Windows version (no JavaFX support yet; Apple is still on J2SE version 5.x, when Windows, Linux and Solaris have had Java 6.x for quite a while now). Apple barely updates Java for Mac; they don't seem to be on top of it. They seem to update certain technologies only when they really feel like it.

Case in point:
Java
Apache
SAMBA
mySQL
Wiki server

all have received only security and bug fix updates since Leopard came out. The one real exception is Safari, but Apple has been pretty lax with keeping Safari updated compared to Firefox, Chrome and Opera. It's nice they didn't require 10.5 or Intel Macs for Safari, however.

etc. Apple only seems to majorly update these components with new OS releases. SAMBA on OS X is significantly far behind SAMBA for FreeBSD, Solaris and Linux releases.
post #4 of 55
Oh well. Java sucks anyway and has been turned off for quite some time. I suggest everyone never turn java on again!!
post #5 of 55
I followed that link, then ran the example exploit; sure enough the Java applet executes /usr/bin/say and your Mac talks to you in its default voice... but from the command line. So it is capable of running commands.

Note that it can't do a sudo rm -f / (which wipes everything from your drive) because it would need to know your password. But it could do less dangerous things, such as deleting things from your home folder, or uploading your files somewhere online maybe. Not nice anyway.

How many Mac users run without ANY password? If you know any, pass on that they need to have a password set, anything will do, because if and when a vulnerability / exploit exists in the wild, it might just try deleting things using nothing as the password, as in my experience a lot of Mac users don't use a password.
post #6 of 55
Also do this (in addition to turning off Java)

1: Turn off Safari's "Open Safe Files" in preferences.

In addition to disabling Java support, Safari's 'Open "safe" files after downloading' must also be disabled to prevent websites from automatically loading a Java WebStart application via a JNLP file.

2: If you are running the original user set up with the machine, it being an Admin user and all (not good):

Create another Admin user (let's call it #2) and log into that, then change the original Admin to Standard by unchecking "Let this user Administer this computer".

Now log back out and into your regular (now Standard) user. It will require you to enter the Admin 2 name and password to make certain changes. It offers a substantial layer of security.


The reason for this is the Java exploit only has the powers of the user being exploited. So if it's an Admin, you're rootable (via application alteration using your requested password). If a Standard user, then just your files.

One is worse than the other and something like this is bound to happen again. So by being a Standard user, at least you don't get rooted (using sudo)


And last of all, SHAME ON YOU APPLE!!!

6 months and you did nothing! What are you waiting for, Snow Leopard?

Ok, I'm finished.
post #7 of 55
Quote:
Originally Posted by btitusjr View Post

Oh well. Java sucks anyway and has been turned off for quite some time. I suggest everyone never turn java on again!!

agreed
post #8 of 55
evil java
post #9 of 55
Quote:
Originally Posted by MacTripper View Post

The reason for this is the Java exploit only has the powers of the user being exploited. So if it's an Admin, you're rooted. If a Standard user, then just your files.

Admin is not root. Admin is a normal user who is a member of the admin group.
As far as I can tell, that gives two extra privileges:

1. Admins can write to the /Applications folder, so malware in an admin account can wipe that, or install itself into it.
2. Admins can 'sudo', but this requires the user's password, so as long as the user isn't a monkey that types in their password without knowing why, that should be fine.

It is still not possible to write to any of the system directories as admin. This is a big difference to Windows security. On Windows, Admin is root and you can do anything (as I understand it).

Installing itself into an App is probably the nastiest thing that a piece of malware can do as admin, that it can't do as a normal user. Unfortunately the most precious thing on my Mac (to me) is my data. That is vulnerable to malware whether I'm an admin or not.
post #10 of 55
Yeah, you'd have to travel back in time to the 90s when anybody actually used Java in order to be affected by this exploit. Apple should still be ashamed of themselves for letting it go this long without a fix, just for principle's sake and for their increasingly tarnished reputation, but I can see why they might not care.

On the other hand, this and other such reports are indicative of a bigger problem: Apple is letting the ball drop on security, just when more people are learning of the Mac and its legendary safety (at least compared to the rusted-out sieve known as Windows). As a commenter on another site mentioned, they have $20 billion or so lying around; would it kill them to hire on a team of security experts to tighten up the platform properly?
post #11 of 55
Quote:
Originally Posted by brucep View Post

evil java

OH, I AM TERRIFIED!!!
I guess I better use Windows, it is so safe in general!
Did I just say I'd do Windows? Wait....That's stolen software!
Thou Shalt not steal!
"I don't do Windows"
post #12 of 55
Let’s not forget that the iTunes Store uses Java and WebObjects.
post #13 of 55
Maybe I'm way off base here, but why is it up to Apple to fix an issue with Java? I realize it's an API in their OS layer, but still? Java is a Sun Microsystems technology. Microsoft isn't held responsible for issues with the Windows version of Java. It's up to the end user to download the latest version to fix any issues.

post #14 of 55
Quote:
Originally Posted by macxpress View Post

Maybe I'm way off base here, but why is it up to Apple to fix an issue with Java? I realize it's an API in their OS layer, but still? Java is a Sun Microsystems technology. Microsoft isn't held responsible for issues with the Windows version of Java. It's up to the end user to download the latest version to fix any issues.

Yes, unfortunately you are way off base. Sun does not support Java on the Mac. It has to be done through Apple. Go to the java website yourself and try to download the updated version.
post #15 of 55
Quote:
Originally Posted by macxpress View Post

Maybe I'm way off base here, but why is it up to Apple to fix an issue with Java? I realize it's an API in their OS layer, but still? Java is a Sun Microsystems technology. Microsoft isn't held responsible for issues with the Windows version of Java. It's up to the end user to download the latest version to fix any issues.

I think the difference here is that Apple doesn't let Sun just put Java on Macs. It comes through Apple's Software Update app after Apple reworks it a bit. I don't know too much about it, but I hear people bitch about Apple's Java implementation all the time.
post #16 of 55
Quote:
Originally Posted by solipsism View Post

Let's not forget that the iTunes Store uses Java and WebObjects.

Java Applets?
post #17 of 55
I'm not a fan of Java either, but it's still pretty widely in use, and it's inconvenient to have to enable it every time you need it. I typically defend Apple's choices, though their unwillingness to deal with this over such a long timeframe is totally unacceptable to me. And from a shareholder's perspective, Mac OS X would be much more difficult to market without its impeccable reputation for security. Let's hope nobody makes wide use of this.
post #18 of 55
Quote:
Originally Posted by webfrasse View Post

Java Applets?

I have no idea, but I'm certain that it is not WebKit or HTML-based. I have tried to find detailed info about how the iTS portal works, but there just doesn't seem to be any.
post #19 of 55
Quote:
Originally Posted by JasonX View Post

Yes, unfortunately you are way off base. Sun does not support Java on the Mac. It has to be done through Apple. Go to the java website yourself and try to download the updated version.

Which is kind of my point. It shouldn't be up to Apple to do this. This isn't an Apple technology. But I believe it has more to do with what solipsism said. Apple chooses not to let Sun just implement Java for OS X. I'm sure Sun Microsystems would be glad to support Java for OS X if Apple would let them support it.

In a way, this is sometimes a bad thing. Apple can't do everything even though it tries. They develop video drivers for the video chips, develop their own Java, etc. They should learn to let others do some of the work for them.

post #20 of 55
Quote:
Originally Posted by Weebull View Post

Installing itself into an App is probably the nastiest thing that a piece of malware can do as admin, that it can't do as a normal user.


Like I said, if you're running as Admin and get exploited it will get root.

Maybe not right away, but the next time you run that app that demands an admin password...

Hmm, I would target...Disk Utility! <evil grin>

Does Apple do anything to check the integrity of OS X and apps from previous manipulations?

I don't think so.


Apple in my opinion doesn't do a heck of a lot of "what if, then what if, then what else" scenarios.

Their self-delusional eggshell security is finally cracked. (tough love)
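Post #9 and post #20 above turn on what an exploit running with the user's own privileges can reach (the admin-writable /Applications folder) and whether anything checks app integrity afterwards. As an added example that is not part of the thread or any Apple tool, the Python below records a hash baseline of a directory tree, flags the files the current account could replace, and reports what changed; the directory layout and file contents are constructed stand-ins for an application folder.

```python
"""Baseline-and-verify check for application files that the current
account could tamper with. Added example, not code from the thread or
from Apple; paths and file contents are constructed stand-ins."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large app binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record, for every regular file under root, its hash and whether the
    current user could replace it. A file counts as replaceable when the
    file itself OR its directory is writable: with a writable directory,
    code running as this user can unlink the file and drop a new one."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        baseline[rel] = {
            "sha256": sha256_file(p),
            "writable": os.access(p, os.W_OK) or os.access(p.parent, os.W_OK),
        }
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline. Keep it somewhere the audited account cannot
    write, otherwise it is just one more file the same exploit could edit."""
    out.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report files modified, added or removed since
    the baseline was taken."""
    current = build_baseline(root)
    findings = {"modified": [], "added": [], "removed": []}
    for rel, info in baseline.items():
        if rel not in current:
            findings["removed"].append(rel)
        elif current[rel]["sha256"] != info["sha256"]:
            findings["modified"].append(rel)
    findings["added"] = [rel for rel in current if rel not in baseline]
    return findings


def demo() -> tuple:
    """Run the check against a constructed stand-in for an Applications
    folder (a temp dir holding a fake bundle), simulate a replaced binary
    and a dropped file, and return (baseline, findings)."""
    root = Path(tempfile.mkdtemp(prefix="apps-"))
    exe_dir = root / "Example.app" / "Contents" / "MacOS"  # constructed layout
    exe_dir.mkdir(parents=True)
    (exe_dir / "Example").write_bytes(b"original binary v1")  # constructed
    store = Path(tempfile.mkdtemp(prefix="baseline-")) / "baseline.json"
    save_baseline(build_baseline(root), store)  # snapshot taken while clean
    # Simulate changes that user-level write access to the bundle permits:
    (exe_dir / "Example").write_bytes(b"altered binary")
    (exe_dir / "helper").write_bytes(b"new unexpected file")
    baseline = load_baseline(store)
    return baseline, verify(root, baseline)


if __name__ == "__main__":
    base, found = demo()
    for rel, info in base.items():
        print(f"{'WRITABLE ' if info['writable'] else 'protected'} {rel}")
    print(found)
```

The baseline pass is the part that answers the integrity question: it tells you, per file, whether a user-level compromise could already have touched it, before any later diff.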
post #21 of 55
An interesting thing to note....

The Mac ships with Java (yes an older version)
Windows... as a result of the old Java lawsuit... does not ship with Java
Ubuntu... does not ship with Java as a default install

However.... we recently ran a large encompassing online event whereby we were able to ascertain specifically how many people were running java... for "normal" users. What that means is the mom & pops of this world along with more sophisticated computer users. The results were... ~37%.

An interesting thing to see since Sun was claiming ~70% penetration. I honestly don't trust Sun's numbers...

Java is evil and ugly on any OS since it never actually gives an OS integrated experience. That is IMHO one of its greatest downfalls.
post #22 of 55
Quote:
Originally Posted by macxpress View Post

Maybe I'm way off base here, but why is it up to Apple to fix an issue with Java? I realize it's an API in their OS layer, but still? Java is a Sun Microsystems technology. Microsoft isn't held responsible for issues with the Windows version of Java. It's up to the end user to download the latest version to fix any issues.

If I'm not mistaken, Sun has already done their part and has fixed the exploit on their distributions. So the fix is known and implemented widely. It's really only Apple that isn't co-operating.
post #23 of 55
Quote:
Originally Posted by lakorai View Post

The issue with Java on the Mac wouldn't surprise me, as the Mac version of Java is FAR behind the Windows version (no JavaFX support yet; Apple is still on J2SE version 5.x, when Windows, Linux and Solaris have had Java 6.x for quite a while now). Apple barely updates Java for Mac; they don't seem to be on top of it. They seem to update certain technologies only when they really feel like it.

Case in point:
Java
Apache
SAMBA
mySQL
Wiki server

all have received only security and bug fix updates since Leopard came out. The one real exception is Safari, but Apple has been pretty lax with keeping Safari updated compared to Firefox, Chrome and Opera. It's nice they didn't require 10.5 or Intel Macs for Safari, however.

etc. Apple only seems to majorly update these components with new OS releases. SAMBA on OS X is significantly far behind SAMBA for FreeBSD, Solaris and Linux releases.

http://javafx.com/faq/

Quote:
3.6 Will JavaFX be supported on Linux and Solaris?

The JavaFX 1.1 Desktop Runtime is officially supported on Microsoft Windows and Mac OS X desktops. Sun will be including support for these platforms in a future release in 2009.

Quote:
JavaFX 1.1 SDK Requirements

Ensure that you meet the following requirements prior to installing the JavaFX 1.1 SDK on your system.

Microsoft Windows:

* Processors: Intel Pentium 4, Intel Centrino, Intel Xeon, or Intel Core Duo (or compatible) 1.8 GHz minimum
* Operating systems: Microsoft Windows XP with Service Pack 2 or Windows Vista Home Premium, Business, Ultimate, or Enterprise (certified for 32-bit editions)
* Memory: 512 MB of RAM (1 GB recommended)
* Disk space: 256 MB free disk space
* Web Browsers: Internet Explorer 6 minimum, FireFox 2.0 minimum
* Java SE Development Kit (JDK): JDK 6 Update 7 minimum (JDK 6 Update 13 recommended)
The JDK installation includes the Java Runtime Environment (JRE).
* Apple QuickTime Player: 7.5.5 minimum is required to run the JavaFX Mobile Emulator, which is currently available only on the Microsoft Windows platform. System restart is required after QuickTime installation.

Apple Macintosh:

* Processor: Dual-Core Intel, PowerPC G5
* Operating system: Macintosh OS X 10.4.10 minimum
* Memory: 512 MB of RAM (1 GB recommended)
* Disk space: 256 MB of free disk space
* Web Browsers: Firefox 3.0 minimum, Safari 3 minimum
* Java SE Development Kit (JDK): JDK 5 Update 13 (version 1.5.0_13) minimum (Java for Mac OS X 10.4, Release 7 or Java for Mac OS X 10.5 Update 2 or later)
The JDK installation includes the Java Runtime Environment (JRE).

post #24 of 55
Quote:
Originally Posted by webfrasse View Post

Java Applets?

Servlets for WOF. The DirectToClient Java Applets has been deprecated.

I'm hoping they return WOF to her roots and deploy WOF 6.0 on ObjC/Cocoa.
post #25 of 55
OOOH NOOOO !!!

Looks like the snake oil merchants are trying to drum up business again.
post #26 of 55
Quote:
Originally Posted by lakorai View Post

Apple is still on J2SE, version 5.x, when Windows, Linux and Solaris has had Java 6.x for quite a while now).

OS X has Java 6 but only the 64-bit version.

$ /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Commands/java -version
java version "1.6.0_07"
Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_07-b06-57, mixed mode)
$
post #27 of 55
Quote:
Originally Posted by Shunnabunich View Post

On the other hand, this and other such reports are indicative of a bigger problem: Apple is letting the ball drop on security, just when more people are learning of the Mac and its legendary safety (at least compared to the rusted-out sieve known as Windows). As a commenter on another site mentioned, they have $20 billion or so laying around would it kill them to hire on a team of security experts to tighten up the platform properly?

Guess you didn't see the reports about Apple hiring Ivan Krstic, a well known security engineer who worked on OLPC? http://www.appleinsider.com/articles...ed_critic.html

Also, Snow Leopard, if it does what Apple says it's supposed to do, should implement tighter security standards and be generally a more stable OS. True, Apple developing their own Java interpreter hurts them a little, but we should wait and see how they do it in Snow Leopard before skewering them too much on this issue. Pushing out a security update for Java without making sure it plays nice with everything else is generally a bigger problem than not getting something out quick enough.

And yes, java is bloated and generally sucks, but it's still better than flash.
post #28 of 55
I am not sure if this is the same issue, but when I visit the web site http://www.eminemrelapse.net/?p=677 within about 4 seconds the web site closes, my browser reverts to the most recent previous page, iTunes opens automatically and proceeds to open the iTunes Store on the Eminem Countdown to Relapse product page. Coincidentally, this is the first time anything like this has happened on my iMac and it occurred just before reading this AppleInsider posting.

So, I tried the suggestion of disabling Java, but had the same problem recur. Then I tried disabling JavaScript. The problem then stopped.

Is this the same issue as described earlier in this thread? Is it a different but related problem, or something completely different? Anything else I need to do to protect my computer?

Thanks.
post #29 of 55
Quote:
Originally Posted by Slimshap View Post

I am not sure if this is the same issue, but when I visit the web site http://www.eminemrelapse.net/?p=677 within about 4 seconds the web site closes, my browser reverts to the most recent previous page, iTunes opens automatically and proceeds to open the iTunes Store on the Eminem Countdown to Relapse product page. Coincidentally, this is the first time anything like this has happened on my iMac and it occurred just before reading this AppleInsider posting.

So, I tried the suggestion of disabling Java, but had the same problem recur. Then I tried disabling JavaScript. The problem then stopped.

Is this the same issue as described earlier in this thread? Is it a different but related problem, or something completely different? Anything else I need to do to protect my computer?

Thanks.

Java and JavaScript are very different. I don't think this should be occurring. Every iTunes Store page has an http link, but the user should have to click it before it calls iTunes.app.
post #30 of 55
Quote:
Originally Posted by floccus View Post

Also, Snow Leopard, if it does what Apple says it's supposed to do, should implement tighter security standards and be generally more stable an OS.


<begin rant, don't take it personally>


OH! so now we know why Apple just "forgot" to fix Java in their latest security update, they had 6 months to think about it too. Just attempting a little forced upgrade here? or at least get us thinking "upgrade" because people by and far are not going to pay for Snow, rather wait until they buy a new box and get it free that way, bugs worked out.

Since it's just a "under the hood" upgrade, not many new features after all.


I sure hope Apple isn't adopting Microsoft type tactics here during this tight economy. This is the second time Apple "forgot" to fix a serious widely publicized security issue that went for several months before all hell broke loose.

Apple in my opinion is slipping and slipping bad: they are ignoring serious security issues, they are late in updating their open source components, and they are now cozy in bed with people in industry/government who would rather see an INSECURE OS X than a secure one.

There is a gradual eroding of security on OS X. It really got going when the Intel processors were used.

http://www.securecomputing.net.au/Ne...worldwide.aspx

I'm going to switch to Ubuntu and Firefox as my surfing browser of choice, this way I'll be back under the "security by obscurity" protection umbrella.

The flogging will continue until the security improves!

<end rant and flogging>
post #31 of 55
Apple has demonstrated a total lack of responsibility in keeping OS X Java updated and secure. They should immediately start transferring responsibility for Java to Sun and the Java community, since they are unable and unwilling to devote the resources to meet their past commitments ("We'll make Mac the best platform for Java programmers").
post #32 of 55
Quote:
Originally Posted by solipsism View Post

Java and JavaScript are very different. I don’t think this should be occurring. Every iTunes Store page has an http link, but the user should have to click it before it calls iTunes.app.

Don't click the link at

http : // www. eminemrelapse. net / ?p=677


In the post above from that first time poster Slimshap.

It's an extremely badly written site for one thing; that's maybe all that's wrong with it.

Maybe.
post #33 of 55
Quote:
Originally Posted by MacTripper View Post

Also do this (in addition to turning off Java)

1: Turn off Safari's "Open Safe Files" in preferences.

2: If you are running the original user set up with the machine, it being an Admin user and all (not good):

Create another Admin user (let's call it #2) and log into that, then change the original Admin to Standard by unchecking "Let this user Administer this computer".

Now log back out and into your regular (now Standard) user. It will require you to enter the Admin 2 name and password to make certain changes. It offers a substantial layer of security.


The reason for this is the Java exploit only has the powers of the user being exploited. So if it's an Admin, you're rooted. If a Standard user, then just your files.

One is worse than the other and something like this is bound to happen again. So by being a Standard user, at least you don't get rooted (using sudo)


And last of all, SHAME ON YOU APPLE!!!

6 months and you did nothing! What are you waiting for, Snow Leopard?

Ok, I'm finished.

No offence, but I find this advice a bit over the top. It's kind of like good advice if you're talking to your mum or something and just want to lock down the computer so she can't really use it in anything but kiddie mode, but it's not necessary for the average user.

Merely turning off Java in the browser and using the same common sense that got you this far in life should be sufficient. Turning off Java alone will protect you from the exploit, this other stuff (like not running an admin account), while sound advice for the paranoid, is overkill for most people IMO.
post #34 of 55
Quote:
Originally Posted by MacTripper View Post

<begin rant, don't take it personally>


OH! so now we know why Apple just "forgot" to fix Java in their latest security update, they had 6 months to think about it too. Just attempting a little forced upgrade here? or at least get us thinking "upgrade" because people by and far are not going to pay for Snow, rather wait until they buy a new box and get it free that way, bugs worked out.

Since it's just a "under the hood" upgrade, not many new features after all.


I sure hope Apple isn't adopting Microsoft type tactics here during this tight economy. This is the second time Apple "forgot" to fix a serious widely publicized security issue that went for several months before all hell broke loose.

Apple in my opinion is slipping and slipping bad: they are ignoring serious security issues, they are late in updating their open source components, and they are now cozy in bed with people in industry/government who would rather see an INSECURE OS X than a secure one.

There is a gradual eroding of security on OS X. It really got going when the Intel processors were used.

http://www.securecomputing.net.au/Ne...worldwide.aspx

I'm going to switch to Ubuntu and Firefox as my surfing browser of choice, this way I'll be back under the "security by obscurity" protection umbrella.

The flogging will continue until the security improves!

<end rant and flogging>

Wow. What a rant.

The alternative explanation for Java is that Apple just doesn't give a sh*t about Java. You are right that they should have fixed this in the 10.5.7 update, but the "fix" should have been turning off Java IMO.

All that other speculation about Apple "slowly getting worse" on security since the move to intel is just FUD. The more you look into it, the more the facts recede into the distance and you are left with a lot of disgruntled security folks talking about how "bad" Apple is, but few actual facts that point to any kind of problem and absolutely no recognition of the moves Apple *is* making towards greater security.

All I "get" from recent developments is:
  • Apple doesn't care about Java
  • the Java guys hate Apple for it
  • people are "talking trash" about Apple's security (to get back at them).

I'm not saying Apple's security can't be improved, of course it can. They did some great things with Leopard and more are in store for Snow Leopard.

What I'm saying is the relative safety or security of the Mac hasn't really changed since yesterday and that the general trend over the last few years has been towards greater security than in the past. Every new version is more secure than the last and there is every expectation that Snow Leopard will fully implement the security measures added in Leopard and that Snow Leopard will then be on a par with Windows in terms of security enhancements.

Other than Apple's mistake in not turning off Java in the browser with 10.5.7 I just don't see a big security issue here at all.
post #35 of 55
Some need to keep a clearer mind on this.

This is something that was known many months ago. If something was going to happen on a large scale to affect most Mac users as well as the Windows and Linux folks running Java, it likely would have already happened.

Some might think that sounds like I'm making it sound like it's not a big deal, but it's quite the opposite. Consider the identity theft that could have taken place (or maybe it did) and many would not or do not even know it.

With something like this taking this long, there is no reason that Apple can offer to excuse themselves of this. There is a responsibility there in my eyes; they could have at least stated to turn off Java. Surely they're worried about their marketing since they advertise Macs as not having such problems, but they're rolling the dice with customers' data.

When MS had their 20-40 billion in the bank, I held them just as accountable. In my eyes, with that much money, they should be able to afford a crack security team with the right focus. Apple is pretty much in that league now and needs to get their act together and spend some of that money on these sorts of things that most customers don't see until it's too great of an issue. Exploits are going to happen, but Apple's response is how they are going to get measured in the media.

This is nothing new, as Apple has had a long history of being slow with security patches. Their success, though, has made them a target, so they need to take steps to avoid being their own victim of success.
post #36 of 55
Quote:
Originally Posted by solipsism View Post

I think the difference here is that Apple doesn't let Sun just put Java on Macs. It comes through Apple's Software Update app after Apple reworks it a bit. I don't know too much about it, but I hear people bitch about Apple's Java implementation all the time.

No. Sun doesn't support Java on Macs. Sun reluctantly wrote the JVM for Windows because MS wouldn't license it. No Windows JVM, no Java.

Sun didn't support the Linux JVM until very recently; it used to be an open source reverse engineering project called Blackdown. Reverse engineered to avoid the licensing fees Sun imposes on packaging a JVM into an operating system. But when Sun decided to start open sourcing and growing closer to IBM with its Apache ecosystem, they took the Blackdown JVM in-house and support it out of business survival motivation.

Apple and the mobile OS providers actually have to pay Sun for the right to write a JVM. That is because Apple and the mobile OS providers aren't big enough business-wise to force Sun to play for free as business survival; the opposite is partially true.
post #37 of 55
Quote:
Originally Posted by Hiro View Post

No. Sun doesn't support Java on Macs. Sun reluctantly wrote the JVM for Windows because MS wouldn't license it. No Windows JVM, no Java.

Sun didn't support the Linux JVM until very recently; it used to be an open source reverse engineering project called Blackdown. Reverse engineered to avoid the licensing fees Sun imposes on packaging a JVM into an operating system. But when Sun decided to start open sourcing and growing closer to IBM with its Apache ecosystem, they took the Blackdown JVM in-house and support it out of business survival motivation.

Apple and the mobile OS providers actually have to pay Sun for the right to write a JVM. That is because Apple and the mobile OS providers aren't big enough business-wise to force Sun to play for free as business survival; the opposite is partially true.

Thanks for the reply, I always wondered how that works. Can you explain Apple's supposed use of Java on the front end and WebObjects on the back end for the iTunes Store portal in iTunes, and not WebKit?
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #38 of 55
Quote:
Originally Posted by solipsism View Post

Thanks for the reply, I always wondered how that works. Can you explain Apple's supposed use of Java on the front end and WebObjects on the back end for the iTunes Store portal in iTunes, and not WebKit?

Sorry, I don't have knowledge of that.

I might guess, though, that WebKit is optimized for browser rendering of HTML and HTML interactions. But WebObjects began its design at NeXT for industrial-strength internet commerce using the same OO design principles as NeXTSTEP (remember the design actually started before the web was popular at all; the internet was still a wild-west lack of standards).

If WebObjects was done all over again from scratch, I would think it would become AJAX related, but still integrated in a very NeXTSTEP/Cocoa manner. Then WebKit would become very useful.
post #39 of 55
Quote:
Originally Posted by Virgil-TB2 View Post

Turning off Java alone will protect you from the exploit, this other stuff (like not running an admin account), while sound advice for the paranoid, is overkill for most people IMO.

Yes, just turning off Java will help protect against this particular exploit.

However, one must think about hardening their machine against exploits that they don't see, before they hit.

Exploits that would have a much deadlier potential if the user runs as Admin with application-altering potential.

Remember this exploit has been in the wild for 6 months before being made public. Who knows how many have been exposed?

Also, if you read about this Java exploit, it only has as much power as the user being exploited.

Run as User and get hit, it's just your files at risk.

Run as Admin and get hit, it's your applications being altered.

If your application(s) get altered, it can then ask for an Admin password and gain ROOT.

End of story.
The danger is that we sleepwalk into a world where cabals of corporations control not only the mainstream devices and the software on them, but also the entire ecosystem of online services around...
post #40 of 55
Java is a slow program, but is also everywhere. At least according to Sun's website.

I don't use it and rarely come across a site that needs it, but Apple needs to fix it. Makes me wonder how many other issues are out there that Apple isn't working on fast enough.