Security firm warns of Java vulnerability in Mac OS X

Comments

  • Reply 21 of 54
    Quote:
    Originally Posted by macxpress View Post


    Maybe I'm way off base here, but why is it up to Apple to fix an issue with Java? I realize it's an API in their OS layer, but still? Java is a Sun Microsystems technology. Microsoft isn't held responsible for issues with the Windows version of Java. It's up to the end user to download the latest version to fix any issues.



    If I'm not mistaken, Sun has already done their part and has fixed the exploit on their distributions. So the fix is known and implemented widely. It's really only Apple that isn't co-operating.
  • Reply 22 of 54
    mdriftmeyer Posts: 7,503 member
    Quote:
    Originally Posted by lakorai View Post


    The issue with Java on the Mac wouldn't surprise me, as the Mac version of Java is FAR behind the Windows version (no JavaFX support yet; Apple is still on J2SE version 5.x, when Windows, Linux and Solaris have had Java 6.x for quite a while now). Apple barely updates Java for Mac; they don't seem to be on top of it. They seem to update certain technologies only when they really feel like it.



    Case in point:

    Java

    Apache

    SAMBA

    mySQL

    Wiki server



    all have received only security and bug fix updates since Leopard came out. The one real exception is Safari, but Apple has been pretty lax with keeping Safari updated compared to Firefox, Chrome and Opera. It's nice they didn't require 10.5 or Intel macs for Safari however.



    etc. Apple only seems to majorly update these components with new OS releases. SAMBA on OS X is significantly far behind SAMBA for FreeBSD, Solaris and Linux releases.



    http://javafx.com/faq/



    Quote:

    3.6 Will JavaFX be supported on Linux and Solaris?



    The JavaFX 1.1 Desktop Runtime is officially supported on Microsoft Windows and Mac OS X desktops. Sun will be including support for these platforms in a future release in 2009.



    Quote:

    JavaFX 1.1 SDK Requirements



    Ensure that you meet the following requirements prior to installing the JavaFX 1.1 SDK on your system.



    Microsoft Windows:



    * Processors: Intel Pentium 4, Intel Centrino, Intel Xeon, or Intel Core Duo (or compatible) 1.8 GHz minimum

    * Operating systems: Microsoft Windows XP with Service Pack 2 or Windows Vista Home Premium, Business, Ultimate, or Enterprise (certified for 32-bit editions)

    * Memory: 512 MB of RAM (1 GB recommended)

    * Disk space: 256 MB free disk space

    * Web Browsers: Internet Explorer 6 minimum, FireFox 2.0 minimum

    * Java SE Development Kit (JDK): JDK 6 Update 7 minimum (JDK 6 Update 13 recommended)

    The JDK installation includes the Java Runtime Environment (JRE).

    * Apple QuickTime Player: 7.5.5 minimum is required to run the JavaFX Mobile Emulator, which is currently available only on the Microsoft Windows platform. System restart is required after QuickTime installation.



    Apple Macintosh:



    * Processor: Dual-Core Intel, PowerPC G5

    * Operating system: Macintosh OS X 10.4.10 minimum

    * Memory: 512 MB of RAM (1 GB recommended)

    * Disk space: 256 MB of free disk space

    * Web Browsers: Firefox 3.0 minimum, Safari 3 minimum

    * Java SE Development Kit (JDK): JDK 5 Update 13 (version 1.5.0_13) minimum (Java for Mac OS X 10.4, Release 7 or Java for Mac OS X 10.5 Update 2 or later)

    The JDK installation includes the Java Runtime Environment (JRE).






  • Reply 23 of 54
    mdriftmeyer Posts: 7,503 member
    Quote:
    Originally Posted by webfrasse View Post


    Java Applets?



    Servlets for WOF. The DirectToClient Java Applets have been deprecated.



    I'm hoping they return WOF to her roots and deploy WOF 6.0 on ObjC/Cocoa.
  • Reply 24 of 54
    irnchriz Posts: 1,617 member
    OOOH NOOOO !!!



    Looks like the snake oil merchants are trying to drum up business again.
  • Reply 25 of 54
    ascii Posts: 5,936 member
    Quote:
    Originally Posted by lakorai View Post


    Apple is still on J2SE version 5.x, when Windows, Linux and Solaris have had Java 6.x for quite a while now.



    OS X has Java 6 but only the 64-bit version.



    $ /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Commands/java -version
    java version "1.6.0_07"
    Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153)
    Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_07-b06-57, mixed mode)
    $
  • Reply 26 of 54
    floccus Posts: 138 member
    Quote:
    Originally Posted by Shunnabunich View Post


    On the other hand, this and other such reports are indicative of a bigger problem: Apple is letting the ball drop on security, just when more people are learning of the Mac and its legendary safety (at least compared to the rusted-out sieve known as Windows). As a commenter on another site mentioned, they have $20 billion or so lying around; would it kill them to hire on a team of security experts to tighten up the platform properly?



    Guess you didn't see the reports about Apple hiring Ivan Krstic, a well known security engineer who worked on OLPC? http://www.appleinsider.com/articles...ed_critic.html



    Also, Snow Leopard, if it does what Apple says it's supposed to do, should implement tighter security standards and be a generally more stable OS. True, Apple developing their own Java interpreter hurts them a little, but we should wait and see how they do it in Snow Leopard before skewering them too much on this issue. Pushing out a security update for Java without making sure it plays nice with everything else is generally a bigger problem than not getting something out quick enough.



    And yes, Java is bloated and generally sucks, but it's still better than Flash.
  • Reply 27 of 54
    slimshap Posts: 1 member
    I am not sure if this is the same issue, but when I visit the web site http://www.eminemrelapse.net/?p=677, within about 4 seconds the web site closes, my browser reverts to the most recent previous page, iTunes opens automatically and proceeds to open the iTunes Store on the Eminem Countdown to Relapse product page. Coincidentally, this is the first time anything like this has happened on my iMac, and it occurred just before reading this AppleInsider posting.



    So, I tried the suggestion of disabling Java, but had the same problem recur. Then I tried disabling JavaScript. The problem then stopped.



    Is this the same issue as described earlier in this thread? Is it a different but related problem, or something completely different? Anything else I need to do to protect my computer?



    Thanks.
  • Reply 28 of 54
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by Slimshap View Post


    I am not sure if this is the same issue, but when I visit the web site http://www.eminemrelapse.net/?p=677, within about 4 seconds the web site closes, my browser reverts to the most recent previous page, iTunes opens automatically and proceeds to open the iTunes Store on the Eminem Countdown to Relapse product page. Coincidentally, this is the first time anything like this has happened on my iMac, and it occurred just before reading this AppleInsider posting.



    So, I tried the suggestion of disabling Java, but had the same problem recur. Then I tried disabling JavaScript. The problem then stopped.



    Is this the same issue as described earlier in this thread? Is it a different but related problem, or something completely different? Anything else I need to do to protect my computer?



    Thanks.



    Java and JavaScript are very different. I don't think this should be occurring. Every iTunes Store page has an http link, but the user should have to click it before it calls iTunes.app.
  • Reply 29 of 54
    mactripper Posts: 1,328 member
    Quote:
    Originally Posted by floccus View Post


    Also, Snow Leopard, if it does what Apple says it's supposed to do, should implement tighter security standards and be generally more stable an OS.





    <begin rant, don't take it personally>





    OH! So now we know why Apple just "forgot" to fix Java in their latest security update; they had 6 months to think about it too. Just attempting a little forced upgrade here? Or at least getting us thinking "upgrade", because people by and large are not going to pay for Snow, rather wait until they buy a new box and get it free that way, bugs worked out.



    Since it's just an "under the hood" upgrade, not many new features after all.





    I sure hope Apple isn't adopting Microsoft type tactics here during this tight economy. This is the second time Apple "forgot" to fix a serious widely publicized security issue that went for several months before all hell broke loose.



    Apple in my opinion is slipping, and slipping bad: they are ignoring serious security issues, they are late in updating their open source components, and they are now cozy in bed with people in industry/government who would rather see an INSECURE OS X than a secure one.



    There is a gradual eroding of security on OS X. It really got going when the Intel processors were used.



    http://www.securecomputing.net.au/Ne...worldwide.aspx



    I'm going to switch to Ubuntu and Firefox as my surfing browser of choice, this way I'll be back under the "security by obscurity" protection umbrella.



    The flogging will continue until the security improves!



    <end rant and flogging>
  • Reply 30 of 54
    javacowboy Posts: 864 member
    Apple has demonstrated a total lack of responsibility in keeping OS X Java updated and secure. They should immediately start transferring responsibility for Java to Sun and the Java community, since they are unable and unwilling to devote the resources to meet their past commitments ("We'll make Mac the best platform for Java programmers").
  • Reply 31 of 54
    mactripper Posts: 1,328 member
    Quote:
    Originally Posted by solipsism View Post


    Java and JavaScript are very different. I don't think this should be occurring. Every iTunes Store page has an http link, but the user should have to click it before it calls iTunes.app.



    Don't click the link at



    http : // www. eminemrelapse. net / ?p=677





    In the post above from that first time poster Slimshap.



    It's an extremely badly written site for one thing; that's maybe all that's wrong with it.



    Maybe.
  • Reply 32 of 54
    virgil-tb2 Posts: 1,416 member
    Quote:
    Originally Posted by MacTripper View Post


    Also do this (in addition to turning off Java)



    1: Turn off Safari's "Open Safe Files" in preferences.



    2: If you are running the original user set up with the machine, it being an Admin user and all (not good):



    Create another Admin user (let's call it #2) and log into that, then change the original Admin to Standard by unchecking "Let this users Administer this computer".



    Now log back out and into your regular (now Standard) user. It will require you to enter the Admin 2 name and password to make certain changes. It offers a substantial layer of security.





    The reason for this is the Java exploit only has the powers of the user being exploited. So if it's an Admin, you're rooted. If a Standard user, then just your files.



    One is worse than the other and something like this is bound to happen again. So by being a Standard user, at least you don't get rooted (using sudo)





    And last of all, SHAME ON YOU APPLE!!!



    6 months and you did nothing! What, you waiting for Snow Leopard?



    Ok, I'm finished.



    No offence, but I find this advice a bit over the top. It's kind of like good advice if you're talking to your mum or something and just want to lock down the computer so she can't really use it in anything but kiddie mode, but it's not necessary for the average user.



    Merely turning off Java in the browser and using the same common sense that got you this far in life should be sufficient. Turning off Java alone will protect you from the exploit, this other stuff (like not running an admin account), while sound advice for the paranoid, is overkill for most people IMO.
  • Reply 33 of 54
    virgil-tb2 Posts: 1,416 member
    Quote:
    Originally Posted by MacTripper View Post


    <begin rant, don't take it personally>





    OH! So now we know why Apple just "forgot" to fix Java in their latest security update; they had 6 months to think about it too. Just attempting a little forced upgrade here? Or at least getting us thinking "upgrade", because people by and large are not going to pay for Snow, rather wait until they buy a new box and get it free that way, bugs worked out.



    Since it's just an "under the hood" upgrade, not many new features after all.





    I sure hope Apple isn't adopting Microsoft type tactics here during this tight economy. This is the second time Apple "forgot" to fix a serious widely publicized security issue that went for several months before all hell broke loose.



    Apple in my opinion is slipping, and slipping bad: they are ignoring serious security issues, they are late in updating their open source components, and they are now cozy in bed with people in industry/government who would rather see an INSECURE OS X than a secure one.



    There is a gradual eroding of security on OS X. It really got going when the Intel processors were used.



    http://www.securecomputing.net.au/Ne...worldwide.aspx



    I'm going to switch to Ubuntu and Firefox as my surfing browser of choice, this way I'll be back under the "security by obscurity" protection umbrella.



    The flogging will continue until the security improves!



    <end rant and flogging>



    Wow. What a rant.



    The alternative explanation for Java is that Apple just doesn't give a sh*t about Java. You are right that they should have fixed this in the 10.5.7 update, but the "fix" should have been turning off Java IMO.



    All that other speculation about Apple "slowly getting worse" on security since the move to Intel is just FUD. The more you look into it, the more the facts recede into the distance and you are left with a lot of disgruntled security folks talking about how "bad" Apple is, but few actual facts that point to any kind of problem and absolutely no recognition of the moves Apple *is* making towards greater security.



    All I "get" from recent developments is:
    • Apple doesn't care about Java

    • the Java guys hate Apple for it

    • people are "talking trash" about Apple's security (to get back at them).

    I'm not saying Apple's security can't be improved, of course it can. They did some great things with Leopard and more are in store for Snow Leopard.



    What I'm saying is the relative safety or security of the Mac hasn't really changed since yesterday and that the general trend over the last few years has been towards greater security than in the past. Every new version is more secure than the last and there is every expectation that Snow Leopard will fully implement the security measures added in Leopard and that Snow Leopard will then be on a par with Windows in terms of security enhancements.



    Other than Apple's mistake in not turning off Java in the browser with 10.5.7 I just don't see a big security issue here at all.
  • Reply 34 of 54
    Some need to keep a clearer mind on this.



    This is something that was known many months ago. If something was going to happen on a large scale to affect most Mac users as well as the Windows and Linux folks running java, it likely would have already happened.



    Some might think that sounds like I'm making it sound like it's not a big deal, but it's quite the opposite. Consider the identity theft that could have taken place (or maybe it did) and many would not or do not even know it.



    With something like this taking this long, there is no reason that Apple can offer to excuse themselves of this. There is a responsibility there in my eyes that they could have at least stated to turn off Java. Surely they're worried about their marketing, since they advertise Macs as not having such problems, but they're rolling the dice with customers' data.



    When MS had their 20-40 billion in the bank, I held them just as accountable. In my eyes with that much money, they should be able to afford a crack security team with the right focus. Apple is pretty much in that league now and needs to get their act together and spend some of that money on these sort of things that most customers don't see until it's too great of an issue. Exploits are going to happen but Apple's response is how they are going to get measured in the media.



    This is nothing new as Apple has had a long history of being slow with security patches. Their success though has made them a target so they need to take steps to avoid being their own victim of success.
  • Reply 35 of 54
    hiro Posts: 2,663 member
    Quote:
    Originally Posted by solipsism View Post


    I think the difference here is that Apple doesn't let Sun just put Java on Macs. It comes through Apple's Software Update app after Apple reworks it a bit. I don't know too much about it, but I hear people bitch about Apple's Java implementation all the time.



    No. Sun doesn't support Java on Macs. Sun reluctantly wrote the JVM for Windows because MS wouldn't license it. No Windows JVM, no Java.



    Sun didn't support the Linux JVM until very recently; it used to be an open source reverse engineering project called Blackdown. Reverse engineered to avoid the licensing fees Sun imposes on packaging a JVM into an operating system. But when Sun decided to start open sourcing and growing closer to IBM with its Apache ecosystem, they took the Blackdown JVM in-house and support it out of business survival motivation.



    Apple and the mobile OS providers actually have to pay Sun for the right to write a JVM. That is because Apple and the mobile OS providers aren't big enough business-wise to force Sun to play for free as business survival, the opposite is partially true.
  • Reply 36 of 54
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by Hiro View Post


    No. Sun doesn't support Java on Macs. Sun reluctantly wrote the JVM for Windows because MS wouldn't license it. No Windows JVM, no Java.



    Sun didn't support the Linux JVM until very recently; it used to be an open source reverse engineering project called Blackdown. Reverse engineered to avoid the licensing fees Sun imposes on packaging a JVM into an operating system. But when Sun decided to start open sourcing and growing closer to IBM with its Apache ecosystem, they took the Blackdown JVM in-house and support it out of business survival motivation.



    Apple and the mobile OS providers actually have to pay Sun for the right to write a JVM. That is because Apple and the mobile OS providers aren't big enough business-wise to force Sun to play for free as business survival, the opposite is partially true.



    Thanks for the reply, I always wondered how that works. Can you explain Apple's supposed use of Java on the front end and WebObjects on the back end for the iTunes Store portal in iTunes, and not WebKit?
  • Reply 37 of 54
    hiro Posts: 2,663 member
    Quote:
    Originally Posted by solipsism View Post


    Thanks for the reply, I always wondered how that works. Can you explain Apple's supposed use of Java on the front end and WebObjects on the back end for the iTunes Store portal in iTunes, and not WebKit?



    Sorry, I don't have knowledge of that.



    I might guess though that WebKit is optimized for browser rendering of HTML and HTML interactions. But WebObjects began its design at NeXT for industrial strength internet commerce using the same OO-design principles as NeXTSTEP (remember the design actually started before the web was popular at all; the internet was still a wild-west lack of standards).



    If WebObjects were done all over again from scratch, I would think it would become AJAX related, but still integrated in a very NeXTSTEP/Cocoa manner. Then WebKit would become very useful.
  • Reply 38 of 54
    mactripper Posts: 1,328 member
    Quote:
    Originally Posted by Virgil-TB2 View Post


    Turning off Java alone will protect you from the exploit, this other stuff (like not running an admin account), while sound advice for the paranoid, is overkill for most people IMO.



    Yes, just turning off Java will help protect against this particular exploit.



    However, one must think about hardening their machine against exploits that they don't see, before they hit.



    Exploits that would have a much deadlier potential if the user runs as Admin with application altering potential.



    Remember this exploit has been in the wild for 6 months before being made public. Who knows how many have been exposed?



    Also if you read about this Java exploit, it only has as much power as the user being exploited.



    Run as User and get hit, it's just files potential.



    Run as Admin and get hit, it's your applications being altered.



    If your application(s) get altered, they can then ask for an Admin password and gain ROOT.



    End of story.
  • Reply 39 of 54
    ghostface147 Posts: 1,629 member
    Java is a slow program, but is also everywhere. At least according to Sun's website.



    I don't use it and rarely come across a site that needs it, but Apple needs to fix it. Makes me wonder how many other issues are out there that Apple isn't working on fast enough.
  • Reply 40 of 54
    bongo Posts: 158 member
    Quote:
    Originally Posted by iPilya View Post


    Java is evil and ugly on any OS since it never actually gives an OS integrated experience. That is IMHO one of its greatest downfalls.



    Wow, that must be why the NeoOffice guys use Java for the GUI, right?



    Seriously, how can anyone "love" or "hate" Java? It's a f*king programming language, for god's sake.