
Apple Finally Patches Java Vulnerability

kdawson posted more than 5 years ago | from the gentlemen-restart-your-sandboxes dept.

Security 177

macs4all writes "Apple has finally addressed the Java vulnerability that nearly everyone else patched months ago. Available now for OS X 10.4 and 10.5, and through Apple's Software Update service, this update patches a flaw in the Java Virtual Machine that could potentially allow a malicious Java applet to execute arbitrary code on the machine. Apple had previously advised users to turn off Java temporarily in their Web browsers."

177 comments

SAD :( (4, Insightful)

Anonymous Coward | more than 5 years ago | (#28342705)

It is truly sad that Apple still just doesn't "get" security. Makes me a sad panda to think it is going to take some sort of devastating worm or virus for them to finally wake up and smell the shit they are pumping out.

Re:SAD :( (3, Funny)

QuantumG (50515) | more than 5 years ago | (#28342821)

Yes, they believe their own press.

Re:SAD :( (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28344509)

Apple has a special interest in being slow about Java. If Java "works beautifully and unproblematically" on the Mac, then that eats into the Cocoa market by a slippery slope of argument:

  1. "Why develop in Cocoa when Java works beautifully on Macs but can also run on other platforms too?"
  2. "Hey now we've got this wonderful Java thing that runs on Windows and Mac"
  3. "Hang on, there are 5 to 10 times as many Windows users so we should target the bigger market"
  4. "Hmm, looks like we're now treating Mac as a second-tier platform; oh well"

The easiest way to stop developers from sliding down this slippery argument is to ensure step 1 does not hold.

Re:SAD :( (0)

Anonymous Coward | more than 5 years ago | (#28343147)

Yeah, we Mac users have been hearing for years and years and years about this big, impending trojan that's going to put us in our place. I'll keep waiting...

Re:SAD :( (3, Funny)

QuantumG (50515) | more than 5 years ago | (#28343173)

Joke 1: That, and some non-Apple/Adobe applications eh?
Joke 2: Yeah, so are the Amiga users.

Re:SAD :( (1)

phantomfive (622387) | more than 5 years ago | (#28343305)

Except the Amiga users already got it. It was just too easy/tempting to write viruses for the Amiga, and there were tons of them.

Re:SAD :( (1)

Ash-Fox (726320) | more than 5 years ago | (#28343567)

Except the Amiga users already got it. It was just too easy/tempting to write viruses for the Amiga, and there were tons of them.

As did Apples back then.

I haven't seen any viruses for AmigaOS3.9 or 4.0 yet.

Your sig (1)

Mad Merlin (837387) | more than 5 years ago | (#28343753)

curl -I slashdot.org

is so very much simpler.

Re:SAD :( (0)

Anonymous Coward | more than 5 years ago | (#28343677)

Yeah, we Mac users have been hearing for years and years and years about this big, impending trojan that's going to put us in our place. I'll keep waiting...

Whoever said it hasn't happened? If I had a nice trojan into all Macs, I'd be making it as invisible as possible.

Re:SAD :( (0)

Anonymous Coward | more than 5 years ago | (#28343941)

My mother doesn't lock her front door despite warnings about druggies and kids looking for easy scores. She has never been robbed to this day and she believes it is a perfectly safe practise. Many Mac users are in the same sad deluded state, maybe no one will ever bother robbing you, but damn if they decide to it is gonna be an easy score for them.

Re:SAD :( (3, Insightful)

TinBromide (921574) | more than 5 years ago | (#28343257)

I get the funniest looks when I say that Apple has had the benefit of security via obscurity and when it comes to security measures, Apple is now at the point where Microsoft was in 1998. Yes, mod me troll, but as you do so, you know that Apple hasn't had the same trial by fire that Microsoft has. If you look at the yearly exploit conferences, OS X doesn't fare much better than Windows, and that's only because Apple has the benefit of running a BSD-based kernel. Picking a more secure solution from the get-go doesn't mean that they can maintain and do the required preventative patching measures.

Re:SAD :( (4, Informative)

interactive_civilian (205158) | more than 5 years ago | (#28343519)

Apple is now at the point where Microsoft was in 1998.

In 1998, there were tens of thousands of Windows viruses (I remember reading a number like over 40,000, but I can't find a source), while at the same time, MacOS 8 had 7 or so, all of which you were protected from for free by the anti-virus program Disinfectant. While I can't find a direct source for my Windows numbers, here's an article [viruslist.com] that makes it look like 1998 was not a very good year for Windows viruses. Even if my memories are off by an order of magnitude or two, it still wasn't a good time for Windows and viruses.

Are you honestly saying that Apple is at that point right now? We have yet to see an actual MacOS X virus in the wild, and there have been how many Trojans in the wild so far? 4?

Re:SAD :( (1)

zonky (1153039) | more than 5 years ago | (#28343529)

You just can't 'protect' against "viruses" (malware is probably a better definition) with a signature based anti-malware app that is post-updated when viruses are discovered.

That is no protection at all.

Re:SAD :( (1)

interactive_civilian (205158) | more than 5 years ago | (#28343679)

That is no protection at all.

Well, that explains every Mac virus, trojan, adware, and any other malware you can think of I have ever been infected by in the 20 years I have been using Macintosh computers. All ZERO of them. And the last anti-virus or any other anti-malware software I used was Disinfectant, which was discontinued in May 1998. I've never even had to clean infected files off of a disk (versus the Windows side where my system has been infected once, disks and external drives have had to be cleaned many times from coming in contact with other people's machines, and I've earned a lot of free beer and dinners for cleaning up other people's infected computers).

Aside from that, how does your response relate at all to the GGPP, who was saying that Apple now is like Microsoft in 1998? Where are the thousands of pieces of malware for MacOS X now to rival the thousands that were around for Windows in 1998?

Re:SAD :( (2, Informative)

zonky (1153039) | more than 5 years ago | (#28343781)

OS X, like Windows or Linux, is not immune to someone choosing to install malware, whether it is on grounds of greed, social engineering, or otherwise. So don't pretend that it isn't. i.e.: http://www.chotocheeta.com/2009/01/23/apple-os-x-gets-a-virus-attack-p2p-distributed-iwork-09-comes-with-osxtrojaniservicesa-trojan-horse/ [chotocheeta.com]

Re:SAD :( (2, Informative)

interactive_civilian (205158) | more than 5 years ago | (#28344527)

So don't pretend that it isn't.

Ummm... Don't put words in my mouth?

I am fully aware that no OS is immune to stupid users. If a user is dumb enough to type in his or her OS's equivalent to "sudo rm -rf /" then they deserve what they get. This is not the point I am trying to make.

You seem to be continuing to ignore my point. The point is, in 1998, Microsoft had numerous malware problems, especially with viruses and worms (which would infect and spread with little or no user interaction). There were literally thousands of viruses, worms, and trojans for Windows (and, for a point of comparison, that is opposed to Apple's 7 or so). The post I replied to said that Apple is *now* where Microsoft was in 1998.

So, please address the original point. If this statement is true, then where are the thousands of viruses, worms, and trojans for OS X? Because to date, there have been ZERO OS X viruses and worms in the wild (and only a couple of concept ones in the lab), and only a handful of trojans (the ones I can think of off the top of my head are the pirated iWork trojan and the fake video codec trojan).

Therefore, Apple right *now* is NOT like Microsoft in 1998. Q.E.D.

Re:SAD :( (1)

AHuxley (892839) | more than 5 years ago | (#28343621)

Still working on it, as an 'enter password for codec, plug, application installer' under OS X.
Click a web link to own or download and own seems a while away in the wild?
I would think the feds and smart hackers have all the Mac OS X tools needed.
Mess with them and it's like Windows, point and click.
The low end of the script kid, hacker spectrum are only warming up it seems.

Re:SAD :( (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28343825)

Simply being the target for virus writers doesn't mean what you think it does. If you're going to write a virus that will hit 94% (microsoft marketshare back then) of systems, or 4% of systems (mac market share), which will you pick?

Microsoft has a similar numbers game and is used more often for high value uses. Who wants to write a virus that will steal video clips or artwork? Who wants to write a virus that will steal ssn's en masse?

How many Macs handle SSNs en masse? It's a return on investment. Until businesses start doing heavy lifting with Macs, they won't be a target. That being said, let me quote myself:

If you look at the yearly exploit conferences, OS X doesn't fare much better than Windows

Number of viruses is not caused primarily by insecurity. It's a correlation relationship, not a causation one. There are quite a few Linux malware programs, but you don't hear people arguing that Mac OS X is more or less secure than Linux. It's because Linux presents a juicier target (always-on servers that handle database heavy lifting.)

Re:SAD :( (1)

TinBromide (921574) | more than 5 years ago | (#28343831)

For the record, I have no clue why that was posted as AC.

Re:SAD :( (3, Informative)

pauljlucas (529435) | more than 5 years ago | (#28343603)

... [A]pple has the benefit of running a bsd based kernel.

It's a Mach-based kernel in a BSD-like environment.

Re:SAD :( (1)

MidnightBrewer (97195) | more than 5 years ago | (#28344815)

So the only reason that they're managing to stay secure is because they picked an inherently more secure operating system? Not to mention that they're actively patching a system which has to date never had a virus? Yeah, Apple really is dropping the ball on this one.

I will, however, agree that it would be nice if Apple would be more timely; it's not like they don't have enough money to hire new programmers if the current bunch is spread around too thin. Telling people to just turn Java off for a few months is a bit lame.

Re:SAD :( (1)

MtViewGuy (197597) | more than 5 years ago | (#28343951)

With the increasing use of Macs (Mac Minis, iMacs, Mac Pros and the MacBook series of notebooks) to connect to the Internet, the ignorance of Mac users to a potential major malware attack is something that Apple needs to address soon, because many Mac users think that they don't need malware protection. One major malware attack directed specifically against Macs will finally convince Mac users to address this issue very quickly, that's to be sure.

Windows since Windows XP Service Pack 2 forces you to practice safe computing because the OS gives you a warning about at least installing an antivirus program and firewall programs. As such, today's machines running Windows XP and Windows Vista mandate that you have Windows Update at least in Notify mode and that users have a full Internet security suite (or its free equivalents) installed. My current home computer (an HP Pavilion a6400f running Windows Vista Home Premium Edition)--because of these security mandates from the operating system itself--has Windows Update already patched to the latest security level (including Service Pack 2) and runs Norton Internet Security 2008; as a result, I don't see any issues with malware affecting my system. :-)

Apple: It Just Works (TM)* (0, Troll)

Anonymous Coward | more than 5 years ago | (#28342737)

*we know what's best for you

Re:Apple: It Just Works (TM)* (1, Funny)

Anonymous Coward | more than 5 years ago | (#28343345)

I don't know about others but this Java vulnerability update makes my Mac feel a lot faster.

In other news (0, Troll)

Anonymous Coward | more than 5 years ago | (#28342743)

In other news, a major car manufacturer finally did a recall on a faulty transmission found in their economy class sedan. This defect caused the car to explode if driven in third gear or higher. The manufacturer previously advised users to just keep their vehicles under 30mph (48 kph) and everything would be fine.

Also, an oven manufacturer recently found a defect in the temperature management system for the oven. The manufacturer advised to keep the oven under 200 degrees to prevent a cascading failure.

It's a shame that Apple doesn't consider software defects to be a potentially life threatening condition. Someone successfully stealing your identity could be just in the same ballpark as a major car malfunction or an exploding stove.

Re:In other news (0)

Anonymous Coward | more than 5 years ago | (#28343193)

You couldn't troll any harder.

Re:In other news (0)

Anonymous Coward | more than 5 years ago | (#28344567)

It's a shame that Apple doesn't consider software defects to be a potentially life threatening condition. Someone successfully stealing your identity could be just in the same ballpark as a major car malfunction or an exploding stove.

By that logic, using Windows is very nearly constantly a potentially life-threatening condition (when isn't there an exploit for some hole in it?), and Microsoft should have recalled it years ago. ;)

Internet Explorer alone would qualify as a serial killer!

Old versions. (4, Insightful)

saintlupus (227599) | more than 5 years ago | (#28342747)

...and this means that we can expect Vic20_love to come along any moment now and complain that his OS X 10.1 machine from 19-dickity-6 doesn't have a patch out yet, so Apple sucks.

Not that Apple doesn't suck, but you don't really need to troll for reasons.

(Bye, karma, nice knowing you...)

--saint

Re:Old versions. (5, Informative)

Anonymous Coward | more than 5 years ago | (#28342845)

...and this means that we can expect Vic20_love to come along any moment now and complain that his OS X 10.1 machine from 19-dickity-6 doesn't have a patch out yet, so Apple sucks.

Apple sucks for different reasons:

Apple PREVENTS Sun (by contract) from releasing java patches. Mac users get their java patches whenever Apple feels like it and gets a round to it [ituit.com] .

Re:Old versions. (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28342927)

This is the biggest load of bullshit since Barack Obama's last speech. Sun (you know, the people who created the vulnerability in the first place) can't get their shit together and put out an OS X Java that doesn't suck more dick than Barney Frank. Disabling Java is good advice.

Re:Old versions. (0)

Anonymous Coward | more than 5 years ago | (#28343033)

This is the biggest load of bullshit since Barack Obama's last speech.

Ok.

Sun (you know, the people who created the vulnerability in the first place) can't get their shit together

Ok, probably true.

and put out an OS X java that doesn't suck more dick than barney frank.

Well, Sun fixed this vulnerability many, many months ago on every other java platform except the Mac, because Apple won't let Sun fix it for the Mac.

Disabling Java is good advice.

True, but sometimes you need it.

Re:Old versions. (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28343457)

...that doesn't suck more dick than barney frank.

He may be soft and talk with a lisp, indicating a submissive personality and a penchant for peter puffing, but he is a senator, after all, so maybe he is a dom and gets his dick sucked. In fact, I bet he hasn't choked down a senate page salami since he was one. But he definitely wears lingerie. I think that's obvious.

Re:Old versions. (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28343791)

He's a congressman, not a senator. He's also a well known bottom. A few years ago, he took one of his underage pages to Thailand for gay sex. At the time, it was legal, though now it's not (although I don't think Congress should be trying to legislate what an American citizen does in another country aside from treason and the like).

Re:Old versions. (2)

MrLint (519792) | more than 5 years ago | (#28342999)

I'm not trying to grief, and it is certainly consistent with reality, but is this documented anywhere?

Re:Old versions. (4, Informative)

Anonymous Coward | more than 5 years ago | (#28343099)

I'm not trying to grief, and it is certainly consistent with reality, but is this documented anywhere?

Sure. Only Apple can release java for mac. Something about look & feel and/or quality assurance.

http://blog.cr0.org/2009/05/write-once-own-everyone.html [cr0.org]
http://java.dzone.com/news/critical-mac-osx-java [dzone.com]

Look at the "java downloads for all operating systems" webpage:

http://www.java.com/en/download/manual.jsp [java.com]

Notice that you can't download java for mac from Sun?

Re:Old versions. (2, Interesting)

jonwil (467024) | more than 5 years ago | (#28343415)

Maybe it's time for Sun (who DO control Java) to tell Apple to change its ways (and give control of Java on the Mac to Sun so that Sun can fix stuff without having to wait for Apple).
It's not like Sun needs Apple in order to produce Java for the Mac.

Or is this like the graphics drivers where only Apple has access to the "secret bits" necessary for a JVM to do all the things that the current Mac JVM does?
How hard would it be to just port OpenJDK/IceTea/whatever to Mac and be done with it?

Re:Old versions. (5, Informative)

ThrowAwaySociety (1351793) | more than 5 years ago | (#28344161)

...It's not like Sun needs Apple in order to produce Java for the Mac.

Sun did a JVM for the Classic Mac OS, and by all accounts it sucked. As in, it was barely usable. This is why Apple (contractually) locked Sun out of delivering Java on OS X. At the time, Apple was bullish on Java, and invested some considerable resources making OS X's JVM integrated into the rest of the OS.

Unfortunately, Apple no longer gives a shit about Java, and it shows. But Sun is still locked out, as far as I know.

Or is this like the graphics drivers where only Apple has access to the "secret bits" necessary for a JVM to do all the things that the current Mac JVM does?
How hard would it be to just port OpenJDK/IceTea/whatever to Mac and be done with it?

There already is. It's the only way to get Java 6 on PowerPC and 32-bit Intel Macs, or on 10.4.x

Unfortunately, it relies on X11 for its GUI, which is generally a big non-starter on the Mac. Also, I don't believe it's possible to use it as the JVM for Java applets in a browser, probably for the same reason.

Re:Old versions. (0, Interesting)

Anonymous Coward | more than 5 years ago | (#28342867)

complain that his OS X 10.1 machine from 19-dickity-6 doesn't have a patch out yet, so Apple sucks.

Whatever fanboi. How about 10.3 machines that were being sold in many retailers towards the end of 2005.

Four years support for security fixes is pathetic. Apple haven't learnt any lessons.

Re:Old versions. (5, Funny)

saintlupus (227599) | more than 5 years ago | (#28342877)

Really? You couldn't read the next line in my post? The one where I say that Apple sucks? You sat there, in the basement, veins straining in your forehead, lips moving dumbly, willing your way to the end of that first sentence and just ran out of steam?

Well, good work on writing a reply, anyway.

--saint

Re:Old versions. (0)

Anonymous Coward | more than 5 years ago | (#28344493)

"Really? You couldn't read the next line in my post? The one where I say that Apple sucks? You sat there, in the basement, veins straining in your forehead, lips moving dumbly, willing your way to the end of that first sentence and just ran out of steam?"

1. Your planted camera is busted now.
2. I'm so gonna kick yo ass. You dead now.

Re:Old versions. (2, Insightful)

shentino (1139071) | more than 5 years ago | (#28344521)

Interesting that people who willingly "kiss their karma goodbye" and make statements to that effect are the ones who wind up with the upmods?

Re:Old versions. (1)

Draek (916851) | more than 5 years ago | (#28344789)

Well, when the fanboys start praising Apple for the "long lifetime" of their products and "vibrant second-hand market", they always neglect to mention you're still stuck in the upgrade treadmill if you want your computer secure.

So yes, the fact that they don't have a patch for his OSX 10.1 machine *is* a problem and a big reason why I recommend Debian PPC for old Macs instead of crusty versions of OSX. Updates are faster to come, it's still supported, and OS upgrades are free.

What about PPC Java? (2, Interesting)

BikeHelmet (1437881) | more than 5 years ago | (#28342835)

Just wondering. PPC Java for OSX is even more out of date than x86 Java.

The latest java on PPC is 1.5, and I'm sure it's out of date too...

Re:What about PPC Java? (1)

acidblue (716452) | more than 5 years ago | (#28343089)

Depends on what you mean by "Out of date". The 5.0 release of the JDK is fully implemented in Apple's runtime. Java 5 has not been end-of-life'd by Sun yet (I believe that is in October). There have been no API additions to 5.0 from Sun. So, there is nothing lacking.

Now Java 6 on the other hand has had a few additions to the Runtime. Such as the Nimbus look and feel, the micro-kernel addition and the ability to drag applets to the desktop. Apple was way behind on this one. This was known as the Update 10 release of java which was released for Windows/*nix back in October. We just got this update for OS X.

Re:What about PPC Java? (1)

BikeHelmet (1437881) | more than 5 years ago | (#28344859)

I was referring to security updates more than anything else. I realize that different vulnerabilities on different platforms equate to different version numbers - but no updates for a long time usually means there are exploits ITW.

Slashdot Bias (0, Insightful)

Anonymous Coward | more than 5 years ago | (#28342851)

Had this been a post about Microsoft instead of Apple, I'd imagine there'd be a lot of "ha ha micro$0ft sucks" posts now.

Re:Slashdot Bias (3, Funny)

Anonymous Coward | more than 5 years ago | (#28342859)

That's because it does!

Re:Slashdot Bias (0)

Anonymous Coward | more than 5 years ago | (#28342913)

Nice try. There is only one post not beating on Apple, and it's the other post below you. The one modded 'Funny'.

Bucketfuls of bias, eh?

Re:Slashdot Bias (5, Funny)

node 3 (115640) | more than 5 years ago | (#28343079)

Had this been a post about Microsoft instead of Apple, I'd imagine there'd be a lot of "ha ha micro$0ft sucks" posts now.

Instead, there's a lot of "ha ha Apple sucks" posts, as one would expect since the story's about Apple and not MS.

Time to chide Apple (1, Insightful)

MillionthMonkey (240664) | more than 5 years ago | (#28342903)

Rich also chided Apple for leaving such a major hole unpatched for so long.

Yeah, Apple, a meager market share (not accounting for cost per unit of course) isn't an excuse to leave stuff like this busted. I hereby CHIDE you!

158MB and the Update will not install! (2, Informative)

Dystopian Rebel (714995) | more than 5 years ago | (#28343259)

The update fails to install on some machines, mine included.

Use your favourite search engine (Bing me no Bings) to find references to:

The update "Java for Mac OS X 10.5 Update 4" can't be installed.

Re:158MB and the Update will not install! (2, Informative)

Dystopian Rebel (714995) | more than 5 years ago | (#28343417)

I hope this helps other OS X users... After downloading with Software Update, I had to reboot to install the Java update successfully.

This also means that the whole update (158MB) had to be downloaded again. Download it separately before rebooting and install from the downloaded file, just in case.

Re:158MB and the Update will not install! (1)

zonky (1153039) | more than 5 years ago | (#28343495)

This happened to me on a brand new macbook i was configuring earlier. After a reboot it installed (after downloading it again).

Re:158MB and the Update will not install! (2, Informative)

MillionthMonkey (240664) | more than 5 years ago | (#28343509)

Toss the one you downloaded and get a new one by rerunning Software Update.

They bungled some file permission thing inside the update package... [insert Mac vs PC joke here]

Re:158MB and the Update will not install! (2, Informative)

gyrogeerloose (849181) | more than 5 years ago | (#28344187)

No problem on my first-generation MacBook using Software Update.

Huge file, though--158MB.

Re:158MB and the Update will not install! (3, Informative)

bennomatic (691188) | more than 5 years ago | (#28344457)

It worked for me after I quit my running browsers.

maybe (2, Informative)

bcrowell (177657) | more than 5 years ago | (#28342951)

Well, maybe.

First off, pretty much every time we get one of these "OMG!" stories on Slashdot about a security flaw going unfixed, we find out that it's not nearly as bad as suggested by the Slashdot summary. In this case, the description linked to from the Slashdot article says: "The Java plug-in does not block applets from launching file:// URLs. Visiting a website containing a maliciously crafted Java applet may allow a remote attacker to launch local files, which may lead to arbitrary code execution." So that's quite a bit less scary than the Slashdot summary makes it sound. If I'm understanding correctly, it apparently doesn't let the attacker launch any code the attacker chooses. It only lets the attacker launch code that's already present on the user's filesystem. And doesn't the Java sandbox model prevent Java applets from writing to the filesystem? So the attacker really may have very little opportunity to execute arbitrary code of the attacker's choosing.

Second: the slashdot summary says, "Apple had previously advised users to turn off Java temporarily in their Web browsers." Wow, that sounds really awful. It makes it sound like a really serious problem. But wait, the apple page doesn't say this. According to the tidbits.com article, Rich Mogull is the one who says the fix is to disable applets. The link to Rich Mogull's advice is a link within tidbits.com.

Re:maybe (4, Informative)

QuantumG (50515) | more than 5 years ago | (#28343009)

Do you work for Apple? Cause if your attitude is in any way related to theirs, I'll skip using their software thanks. "I can run anything on your harddrive" is trivial to leverage to "I can execute anything I want". Even the dumbest hacker can figure it out. Clearly you're dumber.

Re:maybe (0)

Anonymous Coward | more than 5 years ago | (#28343017)

Was thinking the same thing when I read though all this.

Re:maybe (2, Interesting)

acidblue (716452) | more than 5 years ago | (#28343039)

Actually, the vulnerability allowed the applet to run any arbitrary process (using the user's privileges). It was/is a scary issue. I am an Apple apologist and a highly paid developer who specializes in Java. So, this vulnerability was a real "salt on the wound" issue for me. I am glad it's fixed. But, I am still very unhappy with Apple's low-rent support for the Java platform.

Re:maybe (0)

Anonymous Coward | more than 5 years ago | (#28343103)

I believe the keyword here is "arbitrary".

The updates go on to also say....

"Description: Multiple vulnerabilities exist in Java 1.4.2_16, the most serious of which may allow untrusted Java applets to obtain elevated privileges."

I'm no java expert but if I saw that as an update I'd update.

Re:maybe (3, Funny)

ctmurray (1475885) | more than 5 years ago | (#28343107)

I agree with this post. As a Mac owner I am glad, for whatever reason, viruses are of no concern to me. On my work computer my employer can spend whatever they want to support XP (and it is a great deal of money). But at home I get to relax, and ignore the issue completely.

Re:maybe (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28343205)

Please tell me you're being sarcastic? The price of a Mac alone plus maintenance?

Hell, at home I can smoke crack and hang myself from a ceiling fan while masturbating, but I wouldn't.

Re:maybe (1)

ctmurray (1475885) | more than 5 years ago | (#28343863)

No sarcasm intended. The computer is worth the price in my opinion, so it has the value to me. I don't try to convert people, it is a personal decision. I have never had an issue with maintenance costs. At work my employer uses PC's bought at a lower price, but has the added cost of keeping the entire company virus free. We get weekly updates on some software with bug fixes, but my company has to push this onto our computers. We also have virus updates very often (separate from the software updates). Last month they were searching a campus of 10K units looking for one computer, not issued by IT that someone was bringing into our network randomly, but infecting the network each time they connected. My work computer takes 15 minutes to boot up and about 5 minutes to shut down - I understand from others this is not the XP standard times, but due to all the stuff to prevent virus infiltration. I don't have the time, skills nor desire to do this type of work at home so I use a Mac. I suspect there are some on slashdot using Linux for similar reasons.

Re:maybe (5, Interesting)

jackspenn (682188) | more than 5 years ago | (#28343855)

As a Mac owner I am glad, for whatever reason, viruses are of no concern to me.

...

But at home I get to relax, and ignore the issue completely.

Until the day you can't. I am sorry, but you make me want to troll the net for the next security issue that is resolved in Linux and/or Windows, but Apple drags their feet on (again). Then I can use it to F with people like you. Your confidence comes from your ignorance.

Here is the sad truth: both the Linux/BSD communities and Microsoft take security more seriously than Apple.

Apple repeatedly leaves a lot of holes open longer than they should be. I am thinking iTunes may present a nice target vector, but there have been so many in the past and I am sure there will be more in the future.

I can see the HP/MS commercial now during the Superbowl next year:

PC - "Hi, I'm a PC"
MAC - "and I'm .... full of crap."
PC - "Oh, MAC. While your designers were working to change your outsides from white to aluminum they didn't have time to patch the latest security threats to your OS."
MAC - "All my music, all my pictures and all my home movies, gone, the worm even reformatted my Time Machine drive and replaced restore points with pointers to an image of a piece of shit and a burning NeXT cube."
PC - "Well, MAC, you like to talk a big game, but you are not good at playing the big game. So let everyone go back to those who can; first with the guys in Superbowl 44 and then with Windows 7 on their next laptop."

Re:maybe (0)

Anonymous Coward | more than 5 years ago | (#28343239)

And doesn't the java sandbox model prevent java applets from writing to the filesystem?

IIRC, this vulnerability was specifically caused by improperly letting applet code out of the sandbox. The problem was when deserializing a Calendar object, there are com.sun classes involved which require the deserialization code to run at a higher permission level since com.sun classes are outside the sandbox that applets typically live in. So Sun created a loophole for deserializing Calendars. What they didn't count on was that the attacker could supply a serialized class that was not of the correct type but had static initialization code. So by the time the JVM deserialized the class and threw a ClassCastException, the static initialization code had already been run at the escalated privilege.

So yes, this vulnerability was every bit as dangerous as it was hyped to be. The attacker could load an applet that phoned home for the code that it needed to run and then ran it, all within that static initialization block. The code did not need to be present on the victim's computer ahead of time and the sandboxing did not protect the user.

It's not all on Apple though, since Sun is partially to blame for the crap state of Date/Calendar APIs in Java. Better libraries like JodaTime have been around for a while and there was even a JSR [jcp.org] for adding something similar to Java, but Sun didn't prioritize it. Still, Sun released a fix a long time ago and it took Apple months to apply the fix to a new Java release.
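The loophole described above is closed by deciding on the class name before the class is ever resolved, which is earlier than any static initializer can run. The following look-ahead ObjectInputStream is an added example, not code from this thread or from Sun's or Apple's JDK; the allowlist is an assumption (the JDK classes a serialized GregorianCalendar references on a current JDK) and may need adjusting for a given build.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.Set;

/** Look-ahead deserialization: vet the class NAME before the class is loaded. */
public final class CalendarOnlyInputStream extends ObjectInputStream {

    // Assumed allowlist: what a serialized GregorianCalendar needs on a
    // current JDK (Calendar writes its zone as a SimpleTimeZone plus the
    // original ZoneInfo). Primitive arrays appear as "[I", "[Z", "[B", "[J".
    private static final Set<String> ALLOWED = Set.of(
        "java.util.GregorianCalendar", "java.util.Calendar",
        "java.util.SimpleTimeZone", "java.util.TimeZone",
        "sun.util.calendar.ZoneInfo",
        "[I", "[Z", "[B", "[J");

    public CalendarOnlyInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Reject on the descriptor alone: the stream never asks the class
            // loader for this type, so no static initializer can run. Waiting
            // for a ClassCastException after readObject() would be too late.
            throw new InvalidClassException(name, "not permitted in a Calendar stream");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize bytes that must contain exactly one Calendar. */
    public static Calendar readCalendar(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new CalendarOnlyInputStream(new ByteArrayInputStream(bytes))) {
            return (Calendar) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    // Constructed demo: a real calendar round-trips; a stream carrying any
    // other type (a HashMap here) is refused at the name check, and the
    // exception names the offending class so the allowlist is extended deliberately.
    public static void main(String[] args) throws Exception {
        Calendar cal = new GregorianCalendar(2009, Calendar.JUNE, 15);
        System.out.println(readCalendar(serialize(cal)).getTime());
        try {
            readCalendar(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the built-in ObjectInputFilter (JEP 290) gives the same pre-resolution gate without subclassing; the point in both cases is that the decision is made on the descriptor, not on the object that comes out.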

Re:maybe (0)

Anonymous Coward | more than 5 years ago | (#28343335)

It wasn't clear to me that the write permissions thing was honoured - if it could run any program as me, then it has the privileges needed to write to my filesystem. Still, assuming it didn't have that and only had read permissions. Hello privacy violations. Ability to run something as me, outside of the browser, is unacceptable to me. I've had java turned off on all my mac browsers for a couple of months now, and I see it irresponsible on Apple's part that the advisory did not come from them, but externally. If the advisory were bogus, and there wasn't "anything to worry about", then I should still expect Apple to have clarified that officially, which they didn't. Either which way you paint it, this is irresponsibility on Apple's part with respect to security, which it should be taking seriously considering the amount of marketing effort they put into that being a unique selling point over Windows.

Re:maybe (1)

jeffasselin (566598) | more than 5 years ago | (#28343889)

Get the user to download an executable then pop up a window with your java applet that executes ~\Downloads\JustDownloadedMalware

But it's still a bit far-fetched. By default, newly downloaded executables from the internet have a flag (similar to Windows) that would ask for a confirmation before executing, thus requiring user input to work. I'm not sure if this vulnerability would bypass this.

Re:maybe (0)

Anonymous Coward | more than 5 years ago | (#28344619)

I assume OSX comes with wget. You could easily use that to fetch a payload.

Or, hell, try to run perl, python, ruby, (Applescript?) and what have you to deliver it. Or write it in that language. It's really not that hard once you can execute local files with user permissions.

Re:maybe (1)

Malc (1751) | more than 5 years ago | (#28344031)

Do you realise how dangerous it is being able to execute anything? If somebody deploying an exploit against this Java issue waits until there is a separate local root exploit, then it's game over. Or as somebody else pointed out, if they can get a user to download something else innocuous sounding, then again, it's all over. And yes, I've had a computer remotely exploited due to a weak password and an unpatched local root security hole.

Re:maybe (1)

shutdown -p now (807394) | more than 5 years ago | (#28344369)

If I'm understanding correctly, it apparently doesn't let the attacker launch any code the attacker chooses. It only lets the attacker launch code that's already present on the user's filesystem. And doesn't the java sandbox model prevent java applets from writing to the filesystem? So the attacker really may have very little opportunity to execute arbitrary code of the attacker's choosing.

If the attacker can launch Bash, what else could he possibly need? Oh, and isn't Python there as well? Perl? Ruby?

By the way, I wonder if wget is also present in default OS X install. That would be even more fun.

Re:maybe (0)

Anonymous Coward | more than 5 years ago | (#28344555)

wget is not, but curl is.

Just turn off Java (5, Insightful)

Anonymous Coward | more than 5 years ago | (#28342983)

Apple had previously advised users to turn off Java temporarily in their Web browsers

Even after updating, I've found that's advice I can live with.

Re:Just turn off Java (1)

gyrogeerloose (849181) | more than 5 years ago | (#28344237)

I know you were making a joke but it's not far off the truth. I've had Java turned off for months now and never even noticed a difference.

158MB update!!!! (1)

macbuzz01 (1074795) | more than 5 years ago | (#28342993)

Holy crap that's a huge update. How big is the original install? Sorry for the people on dial-up.

Re:158MB update!!!! (2, Funny)

prestomation (583502) | more than 5 years ago | (#28343357)

What's "dial-up"?

Java is now Apple's problem? (1)

bogaboga (793279) | more than 5 years ago | (#28343121)

I do not understand...but since when have problems in Java been Apple's problems?

Seriously, the title talks of problems with Java and then goes ahead to mention that these problems are Apple's problems - absurd!

Maybe the title should be changed to say something like:

"...Java exploits a vulnerability on Apple's OSX..."

Re:Java is now Apple's problem? (1)

le_lotus_604 (752411) | more than 5 years ago | (#28343153)

Since the beginning, since Apple decided to prevent Sun from releasing Java. Apple is the opposite of Sun: Apple has bad engineers and good marketing. FYI: I'm a Mac user since 68000.

Re:Java is now Apple's problem? (0)

Anonymous Coward | more than 5 years ago | (#28343319)

Apple has good engineers. But the iPhone and Snow Leopard are a higher priority than Java.

Re:Java is now Apple's problem? (0)

Anonymous Coward | more than 5 years ago | (#28343535)

Apple has good engineers. But the iPhone and Snow Leopard are a higher priority than Java.

So, how does that excuse the iPhone and Snow Leopard for sucking?

Re:Java is now Apple's problem? (5, Informative)

patman600 (669121) | more than 5 years ago | (#28343213)

They've been Apple's problem since they took over porting Java to the Mac, and prevented Sun from writing their own Java for Mac.

The Black Haxor (5, Funny)

EEPROMS (889169) | more than 5 years ago | (#28343223)

Apple Guy "Halt who goes there"
Black Haxor "It is I the black haxor, I seek the finest computer coders to join me in my quest"
Apple Guy " You shall not pass"
Black Haxor "What ?"
Apple Guy "None shall pass"
Black Haxor "I have no quarrel with you, good sir, but I must move on"
Apple Guy "Then you shall first install Photoshop and make an offering at the altar of Steve and promise to buy hardware at twice the price from the lords of Apple".
Black Haxor "I command you to stand aside! for I am the Black Haxor"
Apple Guy "I move for no man for I am impervious to all your tricks for I run OSX"
Black Haxor "So be it"
[Black Haxor pulls out his laptop and starts to type]
[HAH]
Apple Guy "What have you done ?"
Black Haxor "I have exploited a java script bug on your system and signed you up as the local leader for the "Pedo's Rights" association and then passed the details on to the local parents and teachers group"
Apple Guy "what is this trickery, for such is impossible, you lie"
[a rabble of middle aged parents turn up]
Crowd "THERE HE IS, GET HIM!!"
Apple Guy "BAH! Tis but a lie"
Black Haxor "Run man, they wield clubs and carry petrol containers and mean harm upon you"
Apple Guy "They do not wish me harm as my laptop colour matches my shoes, thus they come to tell me how great my karma is"
[15 minutes later the Black Haxor is staring at a smoldering pile on the ground]
Black Haxor "Sigh"
[Crosses bridge]

Re:The Black Haxor (0)

Anonymous Coward | more than 5 years ago | (#28344569)

Death is too good for them.

Re:The Black Haxor (0)

Anonymous Coward | more than 5 years ago | (#28344631)

Except Java Script is not Java.

Apple is not a fan of Java (0, Redundant)

Danathar (267989) | more than 5 years ago | (#28343235)

Apple does not like Java. It's a competing development platform like Flash. If they did not have to ship it they wouldn't. You'll notice how long it takes them to update Java, that's why.

Re:Apple is not a fan of Java (0)

Anonymous Coward | more than 5 years ago | (#28343355)

You make it sound like Apple owns Flash, which they don't. And Java doesn't compete with Flash. QuickTime does in some areas, but not Java.

And Apple has one important reason to keep Java updated -- to avoid a highly publicized, platform wide infection because they fail to distribute a patch when a proven, practical exploit was published.

Re:Apple is not a fan of Java (5, Insightful)

konohitowa (220547) | more than 5 years ago | (#28343453)

Yeah. Those losers should stop running their iTunes store with Java. Lame Java haters!

http://en.wikipedia.org/wiki/WebObjects [wikipedia.org] No, I didn't just edit it, but I suppose it's ripe for vandalism now.

Not like your conjecture is without merit. I mean, what can explain their slowness in Java porting? I wish I knew. It's a real annoyance.

To be mildly fair, us mere mortals aren't getting WebObjects updates anymore, but they don't seem to be slowing down their usage of it at iTunes & the Apple store and dev sites. Perhaps they're going to migrate more things to SproutCore once BitBurger et al gets released. Although that doesn't provide them with a back-end, and I'm not utterly convinced that RoR is up to the demand, inclusion in OS X notwithstanding. If only more Erlang/Mnesia would roll out.

Re:Apple is not a fan of Java (1, Funny)

Anonymous Coward | more than 5 years ago | (#28343917)

Not having any idea what anything in that post means I presume it is all part of a delicious sandwich (Sproutcore, BitBurger...) ... sounds yummy...

Re:Apple is not a fan of Java (2, Funny)

konohitowa (220547) | more than 5 years ago | (#28344541)

Not having any idea what anything in that post means I presume it is all part of a delicious sandwich (Sproutcore, BitBurger...) ... sounds yummy...

Dooooddd... there's like this totally new thing called Bing! that lets you look stuff like that up! (I hear some pikers down in Cali called googol or something stupid like that are trying to horn in on the action though).

Re:Apple is not a fan of Java (1, Informative)

Anonymous Coward | more than 5 years ago | (#28344363)

While WebObjects CAN use Java, it can also use Objective-C, and is several times faster when using Objective-C.

Needless to say, the iTunes Music Store uses Objective-C and NOT Java.

The easiest way to verify this is to note that Java support came to WebObjects well after the iTunes music store was implemented.

Java on Mac OS X has been deprecated in favor of Python and other more useful languages. Xcode still supports it (barely) but the writing's on the wall: move to Objective C or Python, Java is dead.

Re:Apple is not a fan of Java (1)

konohitowa (220547) | more than 5 years ago | (#28344617)

I'll have to drag out my OS X Server 1.x and give it a whirl. I haven't played with it in ages and don't really recall the full dev cycle on that. My current XCode doesn't have WO installed (but I've got Ada, go figure), so I can't even create a simple project. I don't recall having the ability to create anything non-Java on the server side for quite a while though. However, until I have something concrete in front of me, I'm forced to agree with you. :)

As to "Java is dead", well - I've been of that opinion in the overall scheme of things for a while. I don't know if you meant that only regarding Apple's attitude toward it, but I think it extends beyond just them. But then I also think the "open source the world!" movement has accomplished so many of its goals at this point that it's becoming a solution desperately searching for more problems. Needless to say (and yet I do), that doesn't make me terribly popular 'round these here parts.

Re:Apple is not a fan of Java (0)

Anonymous Coward | more than 5 years ago | (#28344937)

> I mean, what can explain their slowness in Java porting? I wish I knew. It's a real annoyance.

I speculate that Apple is currently overstretched. They are trying to:
* launch Snow Leopard and all of the new toys (e.g., Grand Central),
* launch iPhone OS 3.0,
* launch Safari 4,
* launch QuickTime X,
* maintain Tiger and Leopard.

There have been some issues recently that I would not expect from a "premium brand".

With Sun discontinuing support for Java 5 in October, Apple must be working on a 32-bit version of Java 6 (64-bit Java is available but Safari is only 32-bit right now). I'm guessing they were hoping to push it out soon but ran into delays.

Yeah -FINALLY- (1, Funny)

DebianDog (472284) | more than 5 years ago | (#28343429)

I mean hell, us Mac users can FINALLY get back on the internet. Shooo took long enough <shakes fist at Steve Jobs> We just sat here living in fear. Mac powered off. Checking in with our Windows friends to see when it was safe again, while flashbacks to the "Code Red" nightmare from years ago filled our heads. Oh wait, Code Red is when my company swore off ever using Windows for critical systems.... Scratch that.

But anyways us Mac fan bois are back! WOO HOO!!!! "finally"

Re:Yeah -FINALLY- (1)

MtViewGuy (197597) | more than 5 years ago | (#28344003)

However, today's Windows XP (with Service Pack 3) and Windows Vista (with Service Pack 2) aren't as vulnerable as you think. This is because both operating systems give you a LOT of security warnings about:

1) Keeping Windows Update at least in Notify mode, which at least warns you about the availability of the latest security patches from Microsoft.

2) Installing at least antivirus and firewall security programs.

As such, most XP and Vista users have at least Windows Update warning about installing the latest patches and usually run a full Internet security suite (or its free equivalents) from Symantec, McAfee, Trend Micro, Panda Software, etc.

And so my message spreads..... (0)

Anonymous Coward | more than 5 years ago | (#28343585)

Get a PC. :D

Apple vs Security (1)

rajats (891347) | more than 5 years ago | (#28344257)

I think apple should launch another ad campaign with the "Cool" mac guy on one side and a security guy on the other! The "Cool" guy could put his head in the sand and shout "Don't make me do stuff!".

10.4 and Java 1.6? (0)

Anonymous Coward | more than 5 years ago | (#28344367)

Is it really too much to ask for Java 1.6 for all the poor bastards still stuck with PowerPC machines that need Classic, so can't migrate to 10.5?

Re:10.4 and Java 1.6? (1)

Cochonou (576531) | more than 5 years ago | (#28344759)

Do not worry: you would not get Java 1.6 (or 6.0, or whatever) with 10.5 on PPC either. This is only for x86-64 machines.

Not working here.. (0)

Anonymous Coward | more than 5 years ago | (#28344873)

We have three MacBooks in my office room; the Java update did not install on any of them. The error messages are not very descriptive either...
