It's very rare to find a Java exploit that can do any real damage. This one is fairly amazing.
Does anyone know why Apple can't just release a small patch? Java, on the OS X platform, has one of the rare privileges of being part of the OS auto-update facilities, so it can't be THAT hard...
Given the way Apple seems to be shunning Java lately I'm surprised it's still in the software update feature. The JVM that ships with OS X is still a 1.5 rather than a 1.6, for example, and Apple has all but deprecated the Cocoa-Java bridge, at least that was their stance a few months ago. Java has been reduced to a second-class citizen on Mac, and Apple seems to like it that way. Given this, I'm disappointed--though not surprised--that their JVM is still unpatched.
Unless Apple restores WebObjects to its roots with ObjC and Cocoa, then a new release of WOF with a new JVM to cover this will occur.
I'm betting it'll arrive at WWDC or the day Snow Leopard arrives.
Java isn't "free" after all.
Nice try. You missed the part about OpenJDK, GIJ and icedtea already being patched. All of which are "free".
Apple rolls their own Java, as many others do. Apple is being lazy. Quit making excuses.
The current release of Java 6 is only partially open source.
Java 7 is 100% open source and hasn't been released yet.
Java 6 (OpenJDK) is currently 100% open source, but lacks some patented and copyrighted parts (as in graphics or something).
And Apple does support Java 5 on OSX 100%, and does not need to ask Sun to create patches. Let alone, they asked Sun to let them support Java on OSX by themselves. Add to that the fact that Stevie said that he wanted OSX and Macs to be the platform of choice for Java development. So much for trusting that guy.
I'm shaking my head again. Is anything but hardware of interest to Apple now?
I understand the need to make money to keep the company going, but how long will all but the most fanatical accept the company's complete disregard for reality and security?
I like most of what the company does, but this is no way to encourage new purchases. Sure Mac OS X is reasonably secure by default, but Apple, what have you done for me lately?
I'm sure they'll fix it after the first Apple machine falls in next year's Pwn2Own.
Seriously though, they probably stuffed the patches in with the next OS release, as they've done with proper sandboxing around Safari and those other niceties that make breaking OS X easy.
(It's a bit of irony to learn that Windows actually has better security mechanisms in place than OS X. The security researchers disagree with the marketing.)
I don't like to wait for them. Since Avie Tevanian left the company, they've become far too reckless in their software, as if they're doing it purposely to sell new hardware.
All the security bits in Windows would mean something if Microsoft removed ActiveX, but it's still a security leak by design and no matter how many UAC dialogues appear, you can't change people. You can lead a horse to water, but you can't make him think, as I say.
It would be nice if Apple rolled open source patches into their OS updates at a greater clip and I wonder sometimes how many resources they pour into this.
I think there are signs of the company quietly getting more serious about its security issues. For instance, they just hired Ivan Krstic, who was the director of security architecture for OLPC. I guess that one just slipped by...
I waited six months for Apple to patch an issue in the Safari RSS reader that allowed remote JS to run in the file:// zone. Meanwhile the engineer who was assigned the defect was actually working on Safari 4 features. They didn't fix it until I made noise publicly about it. So, their prioritization is all wrong.
Safari users with default settings have been vulnerable to arbitrary code execution vulnerabilities since the browser was first released in 2003 and remain vulnerable today. It'd be trivial to turn any of these into a virus (see http://brian.mastenbrook.net/display/32 ). When will they start taking these issues seriously? Probably after a virus happens.
To scare all the moms and pops of this world.
I wish to see this on the news, the same way Conficker was.
I mean they scared my parents and they don't even use computers.
Imagine what could happen to Apple's growth if this was in the media.
Maybe that is why Apple is protected by these companies.
Soylatte is affected as well on Mac OS X - but OpenJDK6 for Mac indeed is not.
Unfortunately Apple cannot replace their VM investment with the OpenJDK. From what I understand, in the early days of Mac OS X, Objective-C was not very popular, and was seen by Apple as a hindrance. To entice more developers over to the platform, Apple committed to making Java a "first class citizen" on the Mac OS X platform. So there are a lot of Apple-only features in the Apple JDK. They also integrated Swing and their Aqua interface, as well as little things like spell checking and such. As Objective-C gained popularity, Apple's Java commitment waned.
I suspect because of the OS-level integration they won't be using any GPL'd code, as they don't want to show their source.
A few years ago, Apple was releasing a new version of their JRE every month to fix security problems... because of course Apple can't be trusted to do anything securely in the first place. I guess they got sick of constantly working on Java, and so they're ignoring the problems.
I'd like to see widespread coverage of this, it might make Apple pull its head in a bit.
You're totally full of it... Please point to the ones ignoring this?
http://daringfireball.net/linked/2009/05/20/fuller-java-mac-os-x
http://www.macworld.com/article/140704/2009/05/java_vulnerability.h...
http://www.macnn.com/articles/09/05/20/java.vulnerability.in.os.x/
And you got modded up for your troll...
It wasn't a troll. This news was out and about for a long time already, and the sites that are SUPPOSED to carry it (Mac sites), did not. Explain to me how the latest fart from an Apple employee gets pushed across the Apple blogosphere at lightspeed, but something negative takes days to appear?
They are carrying it and they aren't glossing it over. Days to appear?
http://landonf.bikemonkey.org/2009/05/19#CVE-2008-5353.20090519 was posted on the 19th. The sites I linked to all had stories up today (the 20th). Days... you say.
I suppose you lump this site in with them as well, since it took OSnews a day to get to it as well.
Here is what you said:
Bingo.
So again where are the sites systematically ignoring this?
T-R-O-L-L
Being able to pop open an easily restored VM for untrusted sites is just a good idea all around. Even with a 64-bit Flash player now on my Mandriva or a near-bulletproof Windows install (thanks to third-party software), there isn't a site that can't wait five minutes while a Windows VM boots from a clean restore point.
Actually there are some things people forget when they discuss Java in Mac OS X.
Mac OS X is the only major consumer-oriented operating system that still ships with Java installed by default. That decision was taken at the end of the nineties. In that era everyone thought Java would be the future.
However, most desktop applications do not use Java these days. It could be that Sun did not open source the thing before, or that they never focused on the desktop and only on the enterprise. Or that Java suffered so much on the performance front that people decided to code in something else.
Anyway, these days, the major apps made in Java I can think of are NetBeans, JDeveloper, IntelliJ, Eclipse... There are very few consumer apps made in Java these days if you don't consider enterprise.
And since Apple is not focused on the enterprise, I believe they are focusing on other things more important, like Snow Leopard and ITouch.
The problem, however, is not Java per se, in my opinion. The problem is the way browsers work (Firefox, Safari, Explorer, etc.).
This time it is Java, but we have seen the same security threats from Flash, QuickTime, Windows Media Player, JavaScript and every single thing that can be made a plugin and used on a web page. And somehow all operating systems could get compromised. At this time, the flaw is patched, but unpatched systems are all affected no matter the OS.
I do not understand how all browsers trust everything they find on the web so much and give it rights to execute whatever it likes. I really hope Chrome fixes that. It is just so wrong.
Edited 2009-05-22 00:32 UTC