Apple plugs critical Java security hole affecting Tiger, Leopard
Apple on Monday finally got around to patching a widely-publicized security flaw in the version of Java shipping with Mac OS X, which could leave a Mac open to attack while browsing the web.
The Mac maker came under criticism from a pair of security firms last month for failing to patch the vulnerability, which it has reportedly been aware of since January.
The vulnerability, which in principle affects the Java runtime on every platform that supports it, could allow a remote attacker to run code, delete files, and launch applications on a Mac with the privileges of the logged-in user, simply by serving a maliciously crafted Java applet from a web page.
Chained with a separate privilege escalation vulnerability, an attacker could then run any system-level process and gain complete control of the Mac. Because the applet runs as soon as the page is visited, this exposes users to "drive-by attacks," according to security firm Intego, which had recommended that users disable Java until a fix was made available.
On Monday, Apple released Java for Mac OS X 10.5 Update 4 (158MB download) and Java for Mac OS X 10.4, Release 9 (80.11MB), which address the problem on its Leopard and Tiger operating systems by updating Java versions 1.4, 1.5, and 1.6 to new releases.
Apple also noted that there were multiple vulnerabilities in its "Aqua Look and Feel for Java" implementation for Java 1.5 affecting only Mac OS X 10.5.7 and later. The update for Leopard addresses this issue as well by denying access to internal details of Aqua Look and Feel for untrusted Java applets.
Once the updates have been applied, it should be safe for Mac users who disabled Java on their Mac to re-enable it in Safari by choosing Safari > Preferences, clicking the Security tab, and then checking "Enable Java."
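Before re-enabling Java, it is worth confirming that the update actually landed rather than trusting Software Update's word for it. The following POSIX sh script is an added example, not Apple's code or part of the original article: it parses the first line of `java -version` and compares the update number against the per-family update levels that commenters on this article report for this release (Java 1.6 Update 13, Java 1.5 Update 19, Java 1.4.2 Update 21). Those minimums are taken from the comments and are not confirmed by the article itself, and the function names and the family-to-update table are this example's own.

```shell
#!/bin/sh
# Added example (not from Apple or the article): check whether the Java on
# PATH is at or above the update level commenters attribute to the June 2009
# Apple Java update. Table values are taken from the comments, not verified.

# Minimum update number for a major.minor.micro family. Prints nothing and
# returns 1 for a family the table does not know about.
min_update_for() {
    case "$1" in
        1.6.0) echo 13 ;;   # Java for Mac OS X 10.5 Update 4: 1.6.0_13 (per comments)
        1.5.0) echo 19 ;;   # 1.5.0_19 (per comments)
        1.4.2) echo 21 ;;   # 1.4.2_21 (per comments)
        *) return 1 ;;
    esac
}

# Reduce the first banner line of `java -version`, e.g.
#   java version "1.6.0_13"
# to two words, family and update number ("1.6.0 13"). A banner with no
# "_NN" suffix counts as update 0. Returns 1 if the line is not a banner.
parse_java_banner() {
    tok=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p')
    [ -n "$tok" ] || return 1
    case "$tok" in
        *_*) fam=${tok%%_*}; upd=${tok#*_} ;;
        *)   fam=$tok;       upd=0 ;;
    esac
    upd=${upd%%-*}                                  # drop build tags such as "-b03"
    upd=$(printf '%s\n' "$upd" | sed 's/^0*//')     # "_07" must compare as decimal 7
    [ -n "$upd" ] || upd=0
    case "$fam.$upd" in
        *[!0-9.]*) return 1 ;;                      # anything but digits and dots is junk
    esac
    echo "$fam $upd"
}

# Exit status: 0 = at or above the patched update level,
#              1 = older than the patched level (treat as still vulnerable),
#              2 = banner unparsable, or family not in the table.
java_is_patched() {
    parsed=$(parse_java_banner "$1") || return 2
    fam=${parsed%% *}
    upd=${parsed#* }
    min=$(min_update_for "$fam") || return 2
    [ "$upd" -ge "$min" ]
}

# Query the JVM on PATH, if there is one, and print a verdict. Only the
# first banner line is used; note that `java -version` writes to stderr.
report_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java on PATH (nothing to check)"
        return 0
    fi
    banner=$(java -version 2>&1 | head -n 1)
    rc=0
    java_is_patched "$banner" || rc=$?
    case $rc in
        0) echo "OK: $banner is at or above the patched update level" ;;
        1) echo "VULNERABLE: $banner predates the June 2009 Java update" ;;
        *) echo "UNKNOWN: could not evaluate '$banner'" ;;
    esac
}

report_installed_java
```

A verdict of OK for the family in use is the cue to turn "Enable Java" back on in Safari; a verdict of UNKNOWN means the banner did not match one of the three families the update shipped, and should be checked by hand rather than assumed safe.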
Comments
Apple on Monday finally got around to patching a widely-publicized security flaw in the version of Java shipping with Mac OS X, which could leave a Mac open to attack while browsing the web. ...
Great news.
But after going for so long with Java turned off and seeing absolutely no effect on my browsing at all, I'm gonna leave it off.
It really should be the default setting at this point. No one who really needs and uses Java applets is really likely to be on a Mac anyway.
Once the updates have been applied, it should be safe for Mac users who disabled Java on their Mac to re-enable it
LOL. So, probably not even the guys at the security firm who found the vulnerability.
In terms of versioning, Java 1.6 is actually up to Update 14 now, while Apple is only supplying Update 13 in this release. I can't really blame them since there probably wasn't enough turn-around time to incorporate Update 14 and the security patch available in Update 13 was more important anyways.
On the flip side, Apple actually incorporated Java 1.4.2 Update 21, which is considerate of them. Sun has EOL'd Java 1.4.2 for consumers and businesses still wanting support for versions greater than Update 19 have to pay Sun. It seems that Apple is paying Sun for continued support for Java 1.4.2 for all Mac users without charging us for the individual updates. Can't really complain about that although it is really Apple's obligation since Apple ships Java 1.4.2 as an integrated component of Tiger and Leopard so they really need to continue supporting for the OSs' lifecycle.
This exploit has been in the wild for 6 months before going public.
Then it took Apple months to fix it after the latest OS X update when it did finally go public and the Mac community screamed bloody murder warning everyone to turn off Java.
"God knows how many have been exposed." - Alien 2
This is not the first time Apple has ignored a vital security threat.
The serious Metadata exploit (still not fixed completely) was submitted by many folks, including myself, with back and forth emails to Apple Security folks and then it went unfixed for YEARS!!
It's still technically unfixed, only a warning now when you're downloading an app / first time running an app. A workaround, basically.
I started to think, why did Apple take so long to fix this latest Java exploit? Was it so people would download Safari 4 with its sandboxing of plug-ins?
Pump up the download numbers a little for marketing dept? Along with a forced upgrade on the Windows side?
Why is Apple so slow in fixing the open source parts of OS X? It's a security risk with them not paying enough attention to it.
Perhaps it's so many eyes finding the flaws in open source that Apple can't handle it?
Getting like Microsoft slow, Apple is - yoda
But there's more good news. Apple has updated Java *to the most recent version put out by Sun*, which is Java 6 Update 14.
Since Apple is always well behind Sun on Java versions, this is a very pleasant surprise.
Who still uses Java? Especially on a Mac or an iPhone. Flash, I understand...even Silverlight, but who needs a nasty looking, slow Java applet on their speedy 8-core Mac Pro?
Photobucket has a bulk uploader applet that works great imo.
I'll take Java applets over Flash stuff any day... well written Java applets will run much better than Flash equivalents and with JavaFX, they can look just as good. Too bad Sun's latest efforts are too little too late...
Java applets have a bad rep from back in the day, as you just proved
I was very critical of Apple for leaving this vulnerability unpatched. Now, I want to congratulate them for doing the right thing. Better late than never!
But there's more good news. Apple has updated Java *to the most recent version put out by Sun*, which is Java 6 Update 14.
Since Apple is always well behind Sun on Java versions, this is a very pleasant surprise.
Apple is actually still behind. Apple's Java 1.6 is only up to Update 13 while the latest is Update 14. Apple is on par with Java 1.5 at Update 19. Significantly, Apple is ahead on Java 1.4.2 with Update 21 which is a paid update from Sun, since free consumer support for all other OS for Java 1.4.2 ended at Update 19.
Sure, Windows has more vulnerabilities, but Apple didn't seem to handle this one well at all...
Kind of like locks on a door, if you know where they are you aim your battering ram at them. If you don't know where they are there's some trial and error involved in finding them. Now let's say for argument Apple has a great security technology developed in house, what should their approach be, broadcast it from the rooftops or keep it a secret?
I seriously doubt that Apple has a single great security technology that defeats the bad guys, I do think it extremely likely they have several unique technologies that make things more difficult for the bad guys, and they aren't likely to tell you or me about them.
I was very critical of Apple for leaving this vulnerability unpatched. Now, I want to congratulate them for doing the right thing. Better late than never!
But there's more good news. Apple has updated Java *to the most recent version put out by Sun*, which is Java 6 Update 14.
Since Apple is always well behind Sun on Java versions, this is a very pleasant surprise.
Glad to see you're satisfied and you may now realize that by having to roll their own Java integration with OS X that it takes a bit longer to roll in updates and test them thoroughly before a simple apt-get upgrade.
Well I guess this doesn't apply to us Snow Leopard users, must be already protected.
Testing rolls down hill. Get SL ready and then test in the back catalog.
Photobucket has a bulk uploader applet that works great imo.
I'll take Java applets over Flash stuff any day... well written Java applets will run much better than Flash equivalents and with JavaFX, they can look just as good. Too bad Sun's latest efforts are too little too late...
Java applets have a bad rep from back in the day, as you just proved
Actually, it's just the inconvenience. You have to download a 15-20MB thing that ends up showing you an applet that makes your computer look like something from the late 80s. It looks bad on Windows. On OS X, it sticks out like a sore thumb. Now, if you're running Linux or Solaris, it might be an improvement!
Have you seen the Hulu Desktop application or Pandora's desktop application? They remind me of Cocoa applications. Gorgeous enough to look like part of the OS. Hulu Desktop even gives Front Row a run for its money.
Well I guess this doesn't apply to us Snow Leopard users, must be already protected.
No update for my SL either.
Have you seen the Hulu Desktop application or Pandora's desktop application? They remind me of Cocoa applications. Gorgeous enough to look like part of the OS. Hulu Desktop even gives Front Row a run for its money.
Are you referencing those apps to Java? I have used Hulu Desktop and it appears to be completely Flash, save for the Cocoa wrapper.
I think it's a bit busy, while Front Row is a bit too vanilla, but it is nice. I often prefer it to the website. It's built with 10 Foot User Interface Guidelines so it'll work quite well for Win or OS X media center. I'd like this to get added to the AppleTV, even if it means a hack, though for adding to the AppleTV I would have rather it was built with Silverlight so it could tap into the GPU.
For developers working on web services and web sites, having an up-to-date and secure Java is just as relevant as ever, and it is important that the Mac keeps up with the other platforms. For many, the additional benefits of running on a Mac (compared to Windows) make it more than worth the effort, not least because it's a proper UNIX system, and the server side of many web sites will be UNIX- or Linux-based.