Apple plugs critical Java security hole affecting Tiger, Leopard

Posted:
in macOS edited January 2014
Apple on Monday finally got around to patching a widely-publicized security flaw in the version of Java shipping with Mac OS X, which could leave a Mac open to attack while browsing the web.



The Mac maker came under criticism from a pair of security firms last month for failing to patch the exploit, which it has reportedly been aware of since January.



The vulnerability, which theoretically exists on all platforms supporting Java, could allow a remote user to run code, delete files, and execute applications on a Mac through a maliciously crafted Java applet.



When executed together with a privilege escalation vulnerability, hackers could remotely run any system-level process and get total access to a Mac. This could leave users open to “drive-by attacks," according to security firm Intego, which had recommended that users disable Java until a fix was made available.



On Monday, Apple released Java for Mac OS X 10.5 Update 4 (158MB download) and Java for Mac OS X 10.4, Release 9 (80.11MB), which address the problem on its Leopard and Tiger operating systems but updating Java versions 1.4, 1.5, and 1.6 to new versions.



Apple also noted that there were multiple vulnerabilities in its "Aqua Look and Feel for Java" implementation for Java 1.5 affecting only Mac OS X 10.5.7 and later. The update for Leopard addresses this issue as well by denying access to internal details of Aqua Look and Feel for untrusted Java applets.







Once the updates have been applied, it should be safe for Mac users who disabled Java on their Mac to re-enable it in Safari by choosing Safari > Preferences, clicking the Security tab, and then checking "Enable Java."
«13

Comments

  • Reply 1 of 43
    virgil-tb2virgil-tb2 Posts: 1,416member
    Quote:
    Originally Posted by AppleInsider View Post


    Apple on Monday finally got around to patching a widely-publicized security flaw in the version of Java shipping with Mac OS X, which could leave a Mac open to attack while browsing the web. ...



    Great news.



    But after going for so long with Java turned off and seeing absolutely no effect on my browsing at all, I'm gonna leave it off.



    It really should be the default setting at this point. No one who really needs and uses java applets is really likely to be on a Mac anyway.
  • Reply 2 of 43
    Quote:
    Originally Posted by AppleInsider View Post




    Once the updates have been applied, it should be safe for Mac users who disabled Java on their Mac to re-enable it



    LOL. So, probably not even the guys at the security firm who found the vulnerability.
  • Reply 3 of 43
    Better late than never I guess.



    In terms of versioning, Java 1.6 is actually up to Update 14 now, while Apple is only supplying Update 13 in this release. I can't really blame them since there probably wasn't enough turn-around time to incorporate Update 14 and the security patch available in Update 13 was more important anyways.



    On the flip side, Apple actually incorporated Java 1.4.2 Update 21, which is considerate of them. Sun has EOL'd Java 1.4.2 for consumers and businesses still wanting support for versions greater than Update 19 have to pay Sun. It seems that Apple is paying Sun for continued support for Java 1.4.2 for all Mac users without charging us for the individual updates. Can't really complain about that although it is really Apple's obligation since Apple ships Java 1.4.2 as an integrated component of Tiger and Leopard so they really need to continue supporting for the OSs' lifecycle.
  • Reply 4 of 43
    mactrippermactripper Posts: 1,328member
    Apple should be ashamed of themselves.



    This exploit has been in the wild for 6 months before going public.



    Then it took Apple months to fix it after the latest OS X update when it did finally go public and the Mac community screamed bloody murder warning everyone to turn off Java.



    "God knows how many have been exposed." - Alien 2



    This is not the first time Apple has ignored a vital security threat.



    The serious Metadata exploit (still not fixed completely) was submitted by many folks, including myself, with back and forth emails to Apple Security folks and then it went unfixed for YEARS!!



    It's still technically unfixed, only a warning now that your downloading app/first time running a app. A work around basically.



    I started to think, why did Apple take so long to fix this latest Java exploit? Was it so people would download Safari 4 with it's sandboxing of plug-ins?



    Pump up the download numbers a little for marketing dept? Along with a forced upgrade on the Windows side?



    Why is Apple so slow in fixing the open source parts of OS X? It's a security risk with them not paying enough attention too.



    Perhaps it's so many eyes finding the flaws in open source that Apple can't handle it?



    Geting like Microsoft slow, Apple is - yoda
  • Reply 5 of 43
    javacowboyjavacowboy Posts: 864member
    I was very critical of Apple for leaving this vulnerability unpatched. Now, I want to congratulate them for doing the right thing. Better late than never!



    But there's more good news. Apple has updated Java *to the most recent version put out by Sun*, which is Java 6 Update 14.



    Since Apple is always well behind Sun on Java versions, this is a very pleasant surprise.
  • Reply 6 of 43
    ossianossian Posts: 18member
    Good to see this fixed at last. Apple seams to be to comfortable with relying on security through obscurity. I hope they are right. I'd prefer it if security got a higher priority.
  • Reply 7 of 43
    Who still uses Java? Especially on a Mac or an iPhone. Flash, I understand...even Silverlight, but who needs a nasty looking, slow Java applet on their speedy 8-core Mac Pro?
  • Reply 8 of 43
    irelandireland Posts: 17,798member
    158mb wt?
  • Reply 9 of 43
    lorrelorre Posts: 396member
    Quote:
    Originally Posted by MadisonTate View Post


    Who still uses Java? Especially on a Mac or an iPhone. Flash, I understand...even Silverlight, but who needs a nasty looking, slow Java applet on their speedy 8-core Mac Pro?



    Photobucket has a bulk uploader applet that works great imo.



    I'll take Java applets over Flash stuff any day... well written Java applets will run much better than Flash equivalents and with JavaFX, they can look just as good. Too bad Sun's latest efforts are too little too late...



    Java applets have a bad rep from back in the day, as you just proved
  • Reply 10 of 43
    Quote:
    Originally Posted by JavaCowboy View Post


    I was very critical of Apple for leaving this vulnerability unpatched. Now, I want to congratulate them for doing the right thing. Better late than never!



    But there's more good news. Apple has updated Java *to the most recent version put out by Sun*, which is Java 6 Update 14.



    Since Apple is always well behind Sun on Java versions, this is a very pleasant surprise.



    Apple is actually still behind. Apple's Java 1.6 is only up to Update 13 while the latest is Update 14. Apple is on par with Java 1.5 at Update 19. Significantly, Apple is ahead on Java 1.4.2 with Update 21 which is a paid update from Sun, since free consumer support for all other OS for Java 1.4.2 ended at Update 19.
  • Reply 11 of 43
    a_greera_greer Posts: 4,594member
    Am I the only one a little disturbed by this, itt took so long, much longer than any other vendor...so long that the researcher released the research to light a fire under them...



    surte Windows has more volnerabilities, but Apple didnt seem to handle this one well at all...
  • Reply 12 of 43
    kolchakkolchak Posts: 1,398member
    I haven't run any of my browsers with Java enabled in over a decade. The first thing I do whenever I get a new browser is turn Java off. I only turn it on temporarily if I know that a site actually needs Java, like some online calculators.
  • Reply 13 of 43
    ghostface147ghostface147 Posts: 1,629member
    Well I guess this doesn't apply to us Snow Leopard users, must be already protected.
  • Reply 14 of 43
    Most everyone takes 'security through obscurity' to mean one thing, Mac market share is too small to attract serious criminals. This runs contrary to the sporadic reports of Apple equipment, Macs, ipods, iPhones being targets for criminals. There is another kind of obscurity that assists security, don't tell people where to aim their attacks.



    Kind of like locks on a door, if you know where they are you aim your battering ram at them. If you don't know where they are there's some trial and error involved in finding them. Now lets say for argument Apple has a great security technology developed in house, what should their approach be, broadcast it from the rooftops or keep it a secret?



    I seriously doubt that Apple has a single great security technology that defeats the bad guys, I do think it extremely likely they have several unique technologies that make things more difficult for the bad guys, and they aren't likely to tell you or me about them.
  • Reply 15 of 43
    mdriftmeyermdriftmeyer Posts: 7,503member
    Quote:
    Originally Posted by JavaCowboy View Post


    I was very critical of Apple for leaving this vulnerability unpatched. Now, I want to congratulate them for doing the right thing. Better late than never!



    But there's more good news. Apple has updated Java *to the most recent version put out by Sun*, which is Java 6 Update 14.



    Since Apple is always well behind Sun on Java versions, this is a very pleasant surprise.



    Glad to see you're satisfied and you may now realize that by having to roll their own Java integration with OS X that it takes a bit longer to roll in updates and test them thoroughly before a simple apt-get upgrade.
  • Reply 16 of 43
    mdriftmeyermdriftmeyer Posts: 7,503member
    Quote:
    Originally Posted by ghostface147 View Post


    Well I guess this doesn't apply to us Snow Leopard users, must be already protected.



    Testing rolls down hill. Get SL ready and then test in the back catalog.
  • Reply 17 of 43
    Quote:
    Originally Posted by Lorre View Post


    Photobucket has a bulk uploader applet that works great imo.



    I'll take Java applets over Flash stuff any day... well written Java applets will run much better than Flash equivalents and with JavaFX, they can look just as good. Too bad Sun's latest efforts are too little too late...



    Java applets have a bad rep from back in the day, as you just proved



    Actually, it's just the inconvenience. You have to download a 15-20MB thing that ends up showing you an applet that makes your computer look like something from the late 80s. It looks bad on Windows. On OS X, it sticks out like a sore thumb. Now, if you're running Linux or Solaris, it might be an improvement!



    Have you seen the Hulu Desktop application or Pandora's desktop application? They remind me of Cocoa applications. Gorgeous enough to look like part of the OS. Hulu Desktop even gives Front Row a run for its money.
  • Reply 18 of 43
    solipsismsolipsism Posts: 25,726member
    Quote:
    Originally Posted by ghostface147 View Post


    Well I guess this doesn't apply to us Snow Leopard users, must be already protected.



    No update for my SL either.
  • Reply 19 of 43
    solipsismsolipsism Posts: 25,726member
    Quote:
    Originally Posted by MadisonTate View Post


    Have you seen the Hulu Desktop application or Pandora's desktop application? They remind me of Cocoa applications. Gorgeous enough to look like part of the OS. Hulu Desktop even gives Front Row a run for its money.



    Are you referencing those apps to Java? I have used Hulu Deskop and it appears to be completely Flash, save for the the Cocoa wrapper.



    I think it?s a bit busy, while Front Row is a bit too vanilla, but it is nice. I often prefer it to the website. It?s built with 10 Foot User Interface Guidleines so it?ll work quite well for Win or OS X media center. I?d like this to get added to the AppleTV, even if it means a hack, though for adding to the AppleTV I would have rather it was built with Silverlight so it could tap into the GPU.
  • Reply 20 of 43
    Java is still important, just not for applets in web pages. Apple's own Final Cut Server user client is written in Java, for example - this enables it to run on both Mac OS X and Windows with minimal changes. Also Apple's WebObjects system is entirely implemented in Java - this runs things like the Apple Online Store.



    For developers working on web services and web sites, having an up-to-date and secure Java is just as relevant as ever, and it is important that the Mac keeps up with the other platforms. For many, the additional benefits of running on a Mac (compared to Windows) make it more than worth the effort, no least because it's a proper UNIX system, and the server side of many web sites will be UNIX- or Linux-based.
Sign In or Register to comment.