Linked by Thom Holwerda on Tue 19th May 2009 22:20 UTC
Six months ago, a certain security flaw in Java was fixed by Sun. This flaw was present in OpenJDK, GIJ, icedtea and Sun's JRE, but it got fixed in those. There's one important shipping Java implementation that still has not been fixed to remove this security flaw: Apple's Java.
Wow. A rare gem.
by slashdev on Tue 19th May 2009 22:33 UTC
slashdev
Member since:
2006-05-14

It's very rare to find a Java exploit that can do any real damage. This one is fairly amazing.

Does anyone know why Apple can't just release a small patch? Java, on the OS X platform, has one of the rare privileges of being part of the OS auto-update facilities, so it can't be THAT hard...

Reply Score: 3

RE: Wow. A rare gem.
by darknexus on Tue 19th May 2009 23:49 UTC in reply to "Wow. A rare gem."
darknexus Member since:
2008-07-15

Given the way Apple seems to be shunning Java lately I'm surprised it's still in the software update feature. The JVM that ships with OS X is still a 1.5 rather than a 1.6 for example, and Apple has all but deprecated the Cocoa-Java bridge, at least that was their stance a few months ago. Java has been reduced to a second-class citizen on Mac, and Apple seems to like it that way. Given this, I'm disappointed--though not surprised--that their JVM is still unpatched.

Reply Score: 2

RE[2]: Wow. A rare gem.
by tyrione on Wed 20th May 2009 00:56 UTC in reply to "RE: Wow. A rare gem."
tyrione Member since:
2005-11-21

Given the way Apple seems to be shunning Java lately I'm surprised it's still in the software update feature. The JVM that ships with OS X is still a 1.5 rather than a 1.6 for example, and Apple has all but deprecated the Cocoa-Java bridge, at least that was their stance a few months ago. Java has been reduced to a second-class citizen on Mac, and Apple seems to like it that way. Given this, I'm disappointed--though not surprised--that their JVM is still unpatched.


Unless Apple restores WebObjects to its roots with ObjC and Cocoa, then a new release of WOF with a new JVM to cover this will occur.

I'm betting it'll arrive at WWDC or the day Snow Leopard arrives.

Reply Score: 3

RE: Wow. A rare gem.
by Macrat on Wed 20th May 2009 01:39 UTC in reply to "Wow. A rare gem."
RE[2]: Wow. A rare gem.
by elsewhere on Wed 20th May 2009 04:43 UTC in reply to "RE: Wow. A rare gem."
elsewhere Member since:
2005-07-13

Most likely Sun is demanding that Apple buy a support contract in order to get the code fix.

Java isn't "free" after all.


Nice try. You missed the part about OpenJDK, GIJ and icedtea already being patched. All of which are "free".

Apple rolls their own Java, as many others do. Apple is being lazy. Quit making excuses.

Reply Score: 6

RE[3]: Wow. A rare gem.
by Macrat on Wed 20th May 2009 04:57 UTC in reply to "RE[2]: Wow. A rare gem."
Macrat Member since:
2006-03-27

Nice try. You missed the part about OpenJDK, GIJ and icedtea already being patched. All of which are "free".


And they aren't Java 5 either.

Reply Score: 1

RE[4]: Wow. A rare gem.
by Panajev on Wed 20th May 2009 07:10 UTC in reply to "RE[3]: Wow. A rare gem."
Panajev Member since:
2008-01-09

and... the part about upgrading to Java 6 being in total control of Apple?

Really, Apple should have had this bug fixed long ago and it is not a case of world vs Apple/Apple fans... bah...

Reply Score: 3

Why
by h3rman on Tue 19th May 2009 23:51 UTC
h3rman
Member since:
2006-08-09

Why patch if you're that cool?

Reply Score: 10

RE: Why
by polaris20 on Wed 20th May 2009 16:28 UTC in reply to "Why"
Only 1 thing left to do...
by shadow_x99 on Wed 20th May 2009 00:55 UTC
shadow_x99
Member since:
2006-05-12

Since Java is now Open-Source Software, we could simply create a nice Mac OS-like installer that would install the OpenJDK with all the latest bells & whistles and be free from Apple's implementation.

Reply Score: 1

RE: Only 1 thing left to do...
by Macrat on Wed 20th May 2009 01:42 UTC in reply to "Only 1 thing left to do..."
Macrat Member since:
2006-03-27

The current Mac OS has Java 5 which is NOT open source. You have to be a paying licensee to get the code updates from Sun.

The current release of Java 6 is only partially open source.

Java 7 is 100% open source and hasn't been released yet.

Reply Score: 1

RE[2]: Only 1 thing left to do...
by JAlexoid on Wed 20th May 2009 12:23 UTC in reply to "RE: Only 1 thing left to do..."
JAlexoid Member since:
2009-05-19

The current Mac OS has Java 5 which is NOT open source. You have to be a paying licensee to get the code updates from Sun.

The current release of Java 6 is only partially open source.

Java 7 is 100% open source and hasn't been released yet.


Java 6 (OpenJDK) is currently open source 100%, but lacks some patented and copyrighted parts (as in graphics or something).

And Apple does support the Java 5 on OS X 100%, and does not need to ask Sun to create patches. Let alone, they asked Sun to support Java on OS X by themselves. Add to that the fact that Stevie said that he wanted OS X and Macs to be the platform of choice for Java development. So much for trusting that guy.

Reply Score: 2

Huge molehill or small mountain?
by bousozoku on Wed 20th May 2009 01:24 UTC
bousozoku
Member since:
2006-01-23

I'm shaking my head again. Is anything but hardware of interest to Apple now?

I understand the need to make money to keep the company going, but how long will all but the most fanatical accept the company's complete disregard for reality and security?

I like most of what the company does, but this is no way to encourage new purchases. Sure Mac OS X is reasonably secure by default, but Apple, what have you done for me lately?

Reply Score: 2

jabbotts Member since:
2007-09-06

I'm sure they'll fix it after the first Apple machine falls in next year's Pwn2Own. ;)

Seriously though, they probably stuffed the patches in with the next OS release as they've done with proper sandboxing around Safari and those other niceties that make breaking OS X easy.

(It's a bit of irony to learn that Windows actually has better security mechanisms in place than OS X. The security researchers disagree with the marketing.)

Reply Score: 2

bousozoku Member since:
2006-01-23

I'm sure they'll fix it after the first Apple machine falls in next year's Pwn2Own. ;)

Seriously though, they probably stuffed the patches in with the next OS release as they've done with proper sandboxing around Safari and those other niceties that make breaking OS X easy.

(It's a bit of irony to learn that Windows actually has better security mechanisms in place than OS X. The security researchers disagree with the marketing.)


I don't like to wait for them. Since Avie Tevanian left the company, they've become far too reckless in their software, as if they're doing it purposely to sell new hardware.

All the security bits in Windows would mean something if Microsoft removed ActiveX, but it's still a security leak by design and no matter how many UAC dialogues appear, you can't change people. You can lead a horse to water, but you can't make him think, as I say.

Reply Score: 2

Lennie Member since:
2007-09-22

What is bad is that Apple bases their software partly on Open Source, and when Open Source project X fixes something, Apple doesn't ship the fixes to the users.

Reply Score: 1

macUser Member since:
2006-12-15

What is bad is that Apple bases their software partly on Open Source, and when Open Source project X fixes something, Apple doesn't ship the fixes to the users.


It would be nice if Apple rolled open source patches into their OS updates at a greater clip and I wonder sometimes how many resources they pour into this.

I think there are signs of the company quietly getting more serious about its security issues. For instance, they just hired Ivan Krstic, who was the director of security architecture for OLPC. I guess that one just slipped by...

Reply Score: 1

Waiting for Apple to get its act together
by chandler on Wed 20th May 2009 02:15 UTC
chandler
Member since:
2006-08-29

I waited six months for Apple to patch an issue in the Safari RSS reader that allowed remote JS to run in the file:// zone. Meanwhile the engineer who was assigned the defect was actually working on Safari 4 features. They didn't fix it until I made noise publicly about it. So, their prioritization is all wrong.

Safari users with default settings have been vulnerable to arbitrary code execution vulnerabilities since the browser was first released in 2003 and remain vulnerable today. It'd be trivial to turn any of these into a virus (see http://brian.mastenbrook.net/display/32 ). When will they start taking these issues seriously? Probably after a virus happens.

Reply Score: 3

jabbotts Member since:
2007-09-06

I was going to say, "at least there is an OS X native Firefox", but it's actually any browser run on OS X that is vulnerable to much of what the platform has to offer.

Reply Score: 2

libray Member since:
2005-08-27

Thanks for the link. I have Java turned off now. This is really bad^H^H^Hsad!! Everyone should read that link you posted, and it does work in any browser (I tried Opera, Safari, Firefox) except Chromium, which does not support Java by default!

Reply Score: 2

Real TV MEDIA coverage
by John Blink on Wed 20th May 2009 03:35 UTC
John Blink
Member since:
2005-10-11

To scare all the moms and pops of this world.

I wish to see this on the news, the same way Conficker was.

I mean they scared my parents and they don't even use computers.

Imagine what could happen to Apple's growth if this was in the media.

Maybe that is why Apple is protected by these companies.

Reply Score: 4

OpenJDK not good solution?
by kajaman on Wed 20th May 2009 08:09 UTC
kajaman
Member since:
2006-01-06

I am just wondering if OpenJDK isn't a better solution for Apple users then? Unless Apple's Java is tightly bound to Mac OS X, or has special features, I can't see a reason why not to use the up-to-date, secure solution that Linux users use.

Best,
H.

Reply Score: 1

RE: OpenJDK not good solution?
by Thom_Holwerda on Wed 20th May 2009 08:41 UTC in reply to "OpenJDK not good solution?"
Thom_Holwerda Member since:
2005-06-29

I am just wondering if OpenJDK isn't a better solution for Apple users then? Unless Apple's Java is tightly bound to Mac OS X, or has special features, I can't see a reason why not to use the up-to-date, secure solution that Linux users use.


Soylatte is affected as well on Mac OS X - but OpenJDK6 for Mac indeed is not.

Reply Score: 1

RE: OpenJDK not good solution?
by slashdev on Wed 20th May 2009 15:10 UTC in reply to "OpenJDK not good solution?"
slashdev Member since:
2006-05-14

I am just wondering if OpenJDK isn't a better solution for Apple users then? Unless Apple's Java is tightly bound to Mac OS X, or has special features, I can't see a reason why not to use the up-to-date, secure solution that Linux users use. Best, H.


Unfortunately Apple cannot replace their VM investment with the OpenJDK. From what I understand, in the early days of Mac OS X, Objective-C was not very popular, and was seen by Apple as a hindrance. To entice more developers over to the platform, Apple committed to making Java a "first class citizen" on the Mac OS X platform. So there are a lot of Apple-only features in the Apple JDK. They also integrated Swing and their Aqua interface, as well as little things like spell checking and such. As Objective-C gained popularity, Apple's Java commitment waned.


I suspect because of the OS-level integration they won't be using any GPL'd code, as they don't want to show their source.

Reply Score: 1

Costs too much
by 3rdalbum on Wed 20th May 2009 08:30 UTC
3rdalbum
Member since:
2008-05-26

A few years ago, Apple was releasing a new version of their JRE every month to fix security problems... because of course Apple can't be trusted to do anything securely in the first place. I guess they got sick of constantly working on Java, and so they're ignoring the problems.

I'd like to see widespread coverage of this, it might make Apple pull its head in a bit.

Reply Score: 2

RE: Costs too much
by Thom_Holwerda on Wed 20th May 2009 08:48 UTC in reply to "Costs too much"
Thom_Holwerda Member since:
2005-06-29

I'd like to see widespread coverage of this, it might make Apple pull its head in a bit.


Don't count on it. Apple websites will systematically ignore this, and take a guess where the truly major sites get their Mac news from...

Bingo.

Reply Score: 2

RE[2]: Costs too much
by majipoor on Wed 20th May 2009 09:12 UTC in reply to "RE: Costs too much"
majipoor Member since:
2009-01-22

MacGeneration, which is a well known French Apple site, has an article about it.

Don't assume too much when you don't know.

Reply Score: 2

RE[2]: Costs too much
by bousozoku on Wed 20th May 2009 19:53 UTC in reply to "RE: Costs too much"
bousozoku Member since:
2006-01-23


Don't count on it. Apple websites will systematically ignore this, and take a guess where the truly major sites get their Mac news from...

Bingo.


Well, it's on MacRumors and CNBC, the financial network watches MR closely so others will likely take notice.

Reply Score: 2

RE[2]: Costs too much
by macUser on Wed 20th May 2009 20:02 UTC in reply to "RE: Costs too much"
macUser Member since:
2006-12-15
RE[3]: Costs too much
by Thom_Holwerda on Wed 20th May 2009 20:09 UTC in reply to "RE[2]: Costs too much"
Thom_Holwerda Member since:
2005-06-29

And you got modded up for your troll...


It wasn't a troll. This news was out and about for a long time already, and the sites that are SUPPOSED to carry it (Mac sites), did not. Explain to me how the latest fart from an Apple employee gets pushed across the Apple blogosphere at lightspeed, but something negative takes days to appear?

Reply Score: 1

RE[4]: Costs too much
by macUser on Wed 20th May 2009 20:50 UTC in reply to "RE[3]: Costs too much"
macUser Member since:
2006-12-15

"And you got modded up for your troll...


It wasn't a troll. This news was out and about for a long time already, and the sites that are SUPPOSED to carry it (Mac sites), did not. Explain to me how the latest fart from an Apple employee gets pushed across the Apple blogosphere at lightspeed, but something negative takes days to appear?
"

They are carrying it and they aren't glossing it over. Days to appear?

http://landonf.bikemonkey.org/2009/05/19#CVE-2008-5353.20090519 was posted on the 19th. The sites I linked to all had stories up today (the 20th). Days... you say.

I suppose you lump this site in with them as well, since it took OSnews a day to get to it as well.

Here is what you said:

Don't count on it. Apple websites will systematically ignore this, and take a guess where the truly major sites get their Mac news from...

Bingo.


So again where are the sites systematically ignoring this?

T-R-O-L-L

Reply Score: 0

bummer...
by Chatbox on Wed 20th May 2009 09:09 UTC
Chatbox
Member since:
2007-03-06

Hate it that I can't even trust an OS's implementation of JRE, and have to resort to running a separate OS in a VM.

Reply Score: 1

RE: bummer... - that's a good practice
by jabbotts on Wed 20th May 2009 14:27 UTC in reply to "bummer..."
jabbotts Member since:
2007-09-06

Being able to pop open an easily restored VM for untrusted sites is just a good idea all around. Even with 64bit flashplayer now on my Mandriva or a near bulletproof Windows install (thanks to third party software), there isn't a site that can't wait five minutes while a Windows VM boots from a clean restore point.

Reply Score: 2

DavidSan
Member since:
2008-11-18

Actually there are some things people forget when they discuss Java in Mac OS X.

Mac OS X is the only major consumer-oriented operating system that still ships with Java installed by default. That decision was taken at the end of the nineties. In that era everyone thought Java would be the future.

However, most desktop applications do not use Java these days. It could be that Sun did not open source the thing before, or that they never focused on the desktop and only on the Enterprise. Or that Java suffered so much on the performance land that people decided to code in something else.

Anyway, these days, the major apps made in Java I can think of are NetBeans, JDeveloper, IntelliJ, Eclipse... There are very few customer apps made in Java these days if you do not consider enterprise.

And since Apple is not focused on the enterprise, I believe they are focusing on other things more important, like Snow Leopard and ITouch.

The problem, however, is not Java per se, in my opinion. The problem is the way browsers work (Firefox, Safari, Explorer, etc.).

This time it is Java, but we have seen the same security threats from Flash, Quicktime, Windows Media Player, Javascript and every single thing that can be made a plugin and used on a web page. And somehow all operating systems could get compromised. At this time, the flaw is patched, but non-patched systems are all affected no matter the OS.

I do not understand how all browsers trust everything they find on the web so much and give it rights to execute whatever it likes. I really hope Chrome fixes that. It is just so wrong.

Edited 2009-05-22 00:32 UTC

Reply Score: 1