Apple pushes out Java security update

Posted:
in Mac Software edited January 2014


Apple has released a security update to plug a number of holes that allowed malicious software to run on a user's Mac outside of the Java sandbox.



The Tuesday update for OS X Lion and Mac OS X 10.6 is said to fix "multiple vulnerabilities in Java 1.6.0_29" that could allow a piece of code to be run just by visiting an offending webpage.



From Apple's document:

Quote:

Description: Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_31. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html











The OS X Lion version of the update weighs in at 66.9MB and the Mac OS X 10.6 download comes in at 79.7MB. Both can be downloaded through Apple's support pages or via Software Update.
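To confirm whether a machine still runs a Java 6 build older than the 1.6.0_31 release named in Apple's description, the version string printed by `java -version` can be compared against it. The script below is an added example, not part of the original article or Apple's tooling; the function names and the "needs-update" label are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compare a Java 6 version string with the fixed release
# named in Apple's description (1.6.0_31).

FIXED_UPDATE=31   # update number of the fixed release, taken from the page

# extract_version: pull the quoted version out of `java -version` output,
# e.g.  java version "1.6.0_29"  ->  1.6.0_29
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# classify_java6 prints one of:
#   needs-update  Java 1.6.0 with an update number below 31 (assumption:
#                 every earlier Java 6 update should move to the fixed one)
#   patched       Java 1.6.0 update 31 or later
#   out-of-scope  some other Java line; the page says nothing about it
#   unparsed      not a recognisable version string
classify_java6() {
    ver=$1
    case $ver in
        1.6.0|1.6.0_*|1.6.0-*) ;;
        [0-9]*.[0-9]*) echo out-of-scope; return 0 ;;
        *) echo unparsed; return 0 ;;
    esac
    case $ver in
        *_*) upd=${ver#*_}            # text after the underscore
             upd=${upd%%[!0-9]*} ;;   # drop build suffix such as "-b04"
        *)   upd=0 ;;                 # bare 1.6.0 has no update number
    esac
    if [ -z "$upd" ]; then echo unparsed; return 0; fi
    if [ "$upd" -lt "$FIXED_UPDATE" ]; then
        echo needs-update
    else
        echo patched
    fi
}

# On the Mac itself (java prints its version on stderr):
#   classify_java6 "$(extract_version "$(java -version 2>&1)")"
```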




Comments

  • Reply 1 of 21
    bluefish86 Posts: 115 member
    IMO this took waaay too long. Guess this is why Apple stopped bundling Java...
  • Reply 2 of 21
    wizard69 Posts: 13,377 member
    Quote:
    Originally Posted by bluefish86 View Post


    IMO this took waaay too long. Guess this is why Apple stopped bundling Java...



    This might make sense if Apple responded to every vulnerability for every library included with Mac OS quickly. But they don't, often leaving open significant vulnerabilities for a very long time.
  • Reply 3 of 21
    I wonder when Android will get this update, given that nearly none of the devices run the current OS version.
  • Reply 4 of 21
    gatorguy Posts: 24,176 member
    Quote:
    Originally Posted by Macky the Macky View Post


    I wonder when Android will get this update, given that nearly none of the devices run the current OS version.



    That particular Java issue doesn't apply to Android, nor iOS for that matter AFAIK. I find no mention of it.
  • Reply 5 of 21
    Quote:
    Originally Posted by Gatorguy View Post


    That particular Java issue doesn't apply to Android, nor iOS for that matter AFAIK. I find no mention of it.



    The Windows version of Java got this update several weeks ago, could be a month. I suspect the vulnerabilities were over there, too, but the press kept silent about them. Only when things pop up on the Apple side will they generate enough page views to make doing the story worthwhile.
  • Reply 6 of 21
    bluefish86 Posts: 115 member
    Quote:
    Originally Posted by lukevaxhacker View Post


    The Windows version of Java got this update several weeks ago, could be a month. I suspect the vulnerabilities were over there, too, but the press kept silent about them. Only when things pop up on the Apple side will they generate enough page views to make doing the story worthwhile.



    Yeah, the vulnerability applied to all desktop OSes. It was fixed for all but OS X back in mid February.
  • Reply 7 of 21
    javacowboy Posts: 864 member
    This goes to show why Apple did the right thing by handing over Mac Java to Oracle and getting out of the game of rolling their own JDK/JRE.



    Apple has always been quite late in updating Java, not just for major releases, but for security fixes as well. This has always been the case, even when Apple was gung ho on Java in the early 2000's.



    Due to their previous commitments, they still have an obligation to maintain the Java releases within that commitment, including Java 6. Once Oracle distributes Java 7 for Mac and Java 6 falls into disuse (free support will be discontinued by Oracle in Nov 2012), then Apple will be totally off the hook.



    What I don't understand is why Apple took this long to hand over support to Oracle, or Sun when it was still a separate company.
  • Reply 8 of 21
    gatorguy Posts: 24,176 member
    Quote:
    Originally Posted by bluefish86 View Post


    Yeah, the vulnerability applied to all desktop OSes. It was fixed for all but OS X back in mid February.



    Then it obviously wouldn't apply to Android or iOS. Thank you sir.
  • Reply 9 of 21
    bwik Posts: 565 member
    Fantastic, I am glad they finally fixed Java's security flaws in the Mac OS X implementation, monthly for the last ten or twelve years.
  • Reply 10 of 21
    steve666 Posts: 2,600 member
    I guess I don't have java installed since the updater says I have nothing to update.

    Is there an advantage to installing java? Does it make web surfing better in any way?
  • Reply 11 of 21
    Quote:
    Originally Posted by steve666 View Post


    I guess I don't have java installed since the updater says I have nothing to update.

    Is there an advantage to installing java? Does it make web surfing better in any way?



    Only if you go to sites that have Java applets or run Java applications. Seeing as you don't have it show up I'm picking you don't.
  • Reply 12 of 21
    tylerk36 Posts: 1,037 member
    I wonder if Sun will eventually shut down the JAVA end of its company eventually because of HTML 5?
  • Reply 13 of 21
    steve666 Posts: 2,600 member
    Then I guess I'll leave it be
  • Reply 14 of 21
    bedouin Posts: 331 member
    Quote:
    Originally Posted by tylerk36 View Post


    I wonder if Sun will eventually shut down the JAVA end of its company eventually because of HTML 5?



    They're really apples and oranges.
  • Reply 15 of 21
    mr. me Posts: 3,221 member
    Quote:
    Originally Posted by tylerk36 View Post


    I wonder if Sun will eventually shut down the JAVA end of its company eventually because of HTML 5?



    It sounds like you are making the age-old mistake of confusing Java with JavaScript. JavaScript is primarily a Web technology although it is used in a tiny fraction of non-Web applications. Java is used in some Web applications, but is also used for applications that appear to be standalone. The very popular US Government-owned graphics editor and analysis application, ImageJ, is Java-based. Virtually all Mac torrent clients are Java-based. My firm uses a vertical market Oracle integrated database that is administered via the company's browser-based applet running within a browser. Before the OEM switched to Java, there was no Mac-based solution to administering the database. The application is no longer in development, but it shows you just how important Java is to the Mac. Microsoft's last version of Windows Media Player for Mac was Java-based.



    On the one hand, you may rightfully assert that each example cited above and many others can be rewritten in Objective-C and compiled in a binary application. On the other hand, you will have to admit that the large number and variety of applications involved means that the changeover will take several years if Java were slated to go away. In some cases such as the case of my firm's vertical-market administration client, it is likely that we would never have a binary replacement.
  • Reply 16 of 21
    auxio Posts: 2,717 member
    Quote:
    Originally Posted by steve666 View Post


    I guess I don't have java installed since the updater says I have nothing to update.

    Is there an advantage to installing java? Does it make web surfing better in any way?



    If you browse to a website which uses Java, Safari will prompt you to install Java if you don't have it installed. So you can just wait until you need it.



    If you want to install it anyways, you can launch the Java Preferences application (found in Applications -> Utilities).
  • Reply 17 of 21
    Apple releasing this is probably a direct response to Firefox now blacklisting older versions of Java.



    https://threatpost.com/en_us/blogs/m...ocklist-040312



    Apparently, there has been a recent string of attacks using the vulnerability which was patched in this version.
  • Reply 18 of 21
    steve666 Posts: 2,600 member
    Quote:
    Originally Posted by auxio View Post


    If you browse to a website which uses Java, Safari will prompt you to install Java if you don't have it installed. So you can just wait until you need it.



    If you want to install it anyways, you can launch the Java Preferences application (found in Applications -> Utilities).



    I've never seen that warning, but I do have websites that just won't function well with Safari, but that could be another issue.
  • Reply 19 of 21
    jragosta Posts: 10,473 member
    Quote:
    Originally Posted by Gatorguy View Post


    Then it obviously wouldn't apply to Android or iOS. Thank you sir.



    Thank goodness - seeing as how the overwhelming majority of Android users never get updates.
  • Reply 20 of 21
    backtomac Posts: 4,579 member
    Quote:
    Originally Posted by Mr. Me View Post


    It sounds like you are making the age-old mistake of confusing Java with JavaScript. JavaScript is primarily a Web technology although it is used in a tiny fraction of non-Web applications. Java is used in some Web applications, but is also used for applications that appear to be standalone. The very popular US Government-owned graphics editor and analysis application, ImageJ, is Java-based. Virtually all Mac torrent clients are Java-based. My firm uses a vertical market Oracle integrated database that is administered via the company's browser-based applet running within a browser. Before the OEM switched to Java, there was no Mac-based solution to administering the database. The application is no longer in development, but it shows you just how important Java is to the Mac. Microsoft's last version of Windows Media Player for Mac was Java-based.



    On the one hand, you may rightfully assert that each example cited above and many others can be rewritten in Objective-C and compiled in a binary application. On the other hand, you will have to admit that the large number and variety of applications involved means that the changeover will take several years if Java were slated to go away. In some cases such as the case of my firm's vertical-market administration client, it is likely that we would never have a binary replacement.



    I have a 'mission critical' app at my business that relies on Java. Installing patch as we speak.



    Ars has posted a link to this site which gives instructions on how to determine if your machine is already infected.



    So far all my machines have tested clean.