Linked by Thom Holwerda on Tue 19th May 2009 22:20 UTC
Mac OS X: Six months ago, a certain security flaw in Java was fixed by Sun. This flaw was present in OpenJDK, GIJ, IcedTea and Sun's JRE, but it got fixed in those. There's one important shipping Java implementation that still has not been fixed to remove this security flaw: Apple's Java.
Waiting for Apple to get its act together
by chandler on Wed 20th May 2009 02:15 UTC
chandler, member since 2006-08-29

I waited six months for Apple to patch an issue in the Safari RSS reader that allowed remote JS to run in the file:// zone. Meanwhile the engineer who was assigned the defect was actually working on Safari 4 features. They didn't fix it until I made noise publicly about it. So, their prioritization is all wrong.

Safari users with default settings have been vulnerable to arbitrary code execution vulnerabilities since the browser was first released in 2003 and remain vulnerable today. It'd be trivial to turn any of these into a virus (see http://brian.mastenbrook.net/display/32). When will they start taking these issues seriously? Probably after a virus happens.


Reply Score: 3