OSNews:

OSNews: http://www.osnews.com/story/21522/9_Month_Old_Critical_Java_Vuln_Still_Not_Patched_in_Mac_OS_X Exploring the Future of Computing en-us Copyright 2001-2013, David Adams adam+nospam@osnews.com Sat, 25 May 2013 07:09:10 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com Wow. A rare gem. http://www.osnews.com/thread?364438 http://www.osnews.com/thread?364438 Its very rare to find a java exploit that can do any real damage. This one is fairly amazing.

Does anyone know why apple cant just release a small patch? Java, on the OS X platform, has one of the rare privileges of being part of the OS auto-update facilities, so it cant be THAT hard... Tue, 19 May 2009 22:33:00 GMT donotreply@osnews.com (slashdev) Comments RE: Wow. A rare gem. http://www.osnews.com/thread?364451 http://www.osnews.com/thread?364451 Given the way Apple seems to be shunning Java lately I'm surprised it's still in the software update feature. The jvm that ships with os x is still a 1.5 rather than a 1.6 for example, and Apple has all but deprecated the Cocoa-Java bridge, at least that was their stance a few months ago. Java has been reduced to a second-class citizen on Mac, and Apple seems to like it that way. Given this, I'm disappointed--though not surprised--that their jvm is still unpatched. Tue, 19 May 2009 23:49:00 GMT donotreply@osnews.com (darknexus) Comments Why http://www.osnews.com/thread?364452 http://www.osnews.com/thread?364452 Why patch if you're that cool? Tue, 19 May 2009 23:51:00 GMT donotreply@osnews.com (h3rman) Comments Only 1 thing left to do... http://www.osnews.com/thread?364466 http://www.osnews.com/thread?364466 Since Java is now Open-Source Software, we could simply create a nice mac-os-like installer that would installer the openjdk with all the latest bells & whistle and be free from Apple's Implementation. Wed, 20 May 2009 00:55:00 GMT donotreply@osnews.com (shadow_x99) Comments RE[2]: Wow. A rare gem. http://www.osnews.com/thread?364467 http://www.osnews.com/thread?364467

Given the way Apple seems to be shunning Java lately I'm surprised it's still in the software update feature. The jvm that ships with os x is still a 1.5 rather than a 1.6 for example, and Apple has all but deprecated the Cocoa-Java bridge, at least that was their stance a few months ago. Java has been reduced to a second-class citizen on Mac, and Apple seems to like it that way. Given this, I'm disappointed--though not surprised--that their jvm is still unpatched.

Unless Apple restores WebObjects to it's roots with ObjC and Cocoa then a new release of WOF with a new JVM to cover this will occur.

I'm betting it'll arrive at WWDC or the day Snow Leopard arrives. Wed, 20 May 2009 00:56:00 GMT donotreply@osnews.com (tyrione) Comments Huge molehill or small mountain? http://www.osnews.com/thread?364472 http://www.osnews.com/thread?364472 I'm shaking my head again. Is anything but hardware of interest to Apple now?

I understand the need to make money to keep the company going, but how long will all but the most fanatical accept the company's complete disregard for reality and security?

I like most of what the company does, but this is no way to encourage new purchases. Sure Mac OS X is reasonably secure by default, but Apple, what have you done for me lately? Wed, 20 May 2009 01:24:00 GMT donotreply@osnews.com (bousozoku) Comments RE: Wow. A rare gem. http://www.osnews.com/thread?364474 http://www.osnews.com/thread?364474 Most likely Sun is demanding that Apple buy a support contract in order to get the code fix.

Java isn't "free" after all. Wed, 20 May 2009 01:39:00 GMT donotreply@osnews.com (Macrat) Comments RE: Only 1 thing left to do... http://www.osnews.com/thread?364475 http://www.osnews.com/thread?364475 The current Mac OS has Java 5 which is NOT open source. You have to be a paying licensee to get the code updates from Sun.

The current release of Java 6 is only partially open source.

Java 7 is 100% open source and hasn't been released yet. Wed, 20 May 2009 01:42:00 GMT donotreply@osnews.com (Macrat) Comments Waiting for Apple to get its act together http://www.osnews.com/thread?364479 http://www.osnews.com/thread?364479 I waited six months for Apple to patch an issue in the Safari RSS reader that allowed remote JS to run in the file:// zone. Meanwhile the engineer who was assigned the defect was actually working on Safari 4 features. They didn't fix it until I made noise publicly about it. So, their prioritization is all wrong.

Safari users with default settings have been vulnerable to arbitrary code execution vulnerabilities since the browser was first released in 2003 and remain vulnerable today. It'd be trivial to turn any of these into a virus (see http://brian.mastenbrook.net/display/32 ). When will they start taking these issues seriously? Probably after a virus happens.Browser: Mozilla/5.0 (iPod; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11a Safari/525.20 Wed, 20 May 2009 02:15:00 GMT donotreply@osnews.com (chandler) Comments Real TV MEDIA coverage http://www.osnews.com/thread?364484 http://www.osnews.com/thread?364484 To scare all the moms and pops of this world.

I wish to see this on the news, the same way Conficker was.

I mean they scared my parents and they don't even use computers.

Imagine what could happen to Apples growth if this was in the media.

Maybe that is why Apple is protected by these companies. Wed, 20 May 2009 03:35:00 GMT donotreply@osnews.com (John Blink) Comments RE[2]: Wow. A rare gem. http://www.osnews.com/thread?364489 http://www.osnews.com/thread?364489

Most likely Sun is demanding that Apple buy a support contract in order to get the code fix.

Java isn't "free" after all.

Nice try. You missed the part about OpenJDK, GIJ and icedtea already being patched. All of which are "free".

Apple rolls their own Java, as many others do. Apple is being lazy. Quit making excuses. Wed, 20 May 2009 04:43:00 GMT donotreply@osnews.com (elsewhere) Comments RE[3]: Wow. A rare gem. http://www.osnews.com/thread?364492 http://www.osnews.com/thread?364492

Nice try. You missed the part about OpenJDK, GIJ and icedtea already being patched. All of which are "free".

And they aren't Java 5 either. Wed, 20 May 2009 04:57:00 GMT donotreply@osnews.com (Macrat) Comments RE[4]: Wow. A rare gem. http://www.osnews.com/thread?364501 http://www.osnews.com/thread?364501 and... the part about upgrading to Java 6 being in total control of Apple?

Really, Apple should have had this bug fixed long ago and it is not a case of world vs Apple/Apple fans... bah... Wed, 20 May 2009 07:10:00 GMT donotreply@osnews.com (Panajev) Comments OpenJDK not good solution? http://www.osnews.com/thread?364509 http://www.osnews.com/thread?364509 I am just wondering if OpenJDK isn't better solution for Apple users then? Unless Apple's Java is tightly bound to MacOS X, or has special features, I can't see a reason why not to use up-to-date, secure solution that Linux users use.

Best,
H. Wed, 20 May 2009 08:09:00 GMT donotreply@osnews.com (kajaman) Comments Costs too much http://www.osnews.com/thread?364511 http://www.osnews.com/thread?364511 A few years ago, Apple was releasing a new version of their JRE every month to fix security problems... because of course Apple can't be trusted to do anything securely in the first place. I guess they got sick of constantly working on Java, and so they're ignoring the problems.

I'd like to see widespread coverage of this, it might make Apple pull its head in a bit. Wed, 20 May 2009 08:30:00 GMT donotreply@osnews.com (3rdalbum) Comments RE: OpenJDK not good solution? http://www.osnews.com/thread?364513 http://www.osnews.com/thread?364513

I am just wondering if OpenJDK isn't better solution for Apple users then? Unless Apple's Java is tightly bound to MacOS X, or has special features, I can't see a reason why not to use up-to-date, secure solution that Linux users use.

Soylatte is affected as well on Mac OS X - but OpenJDK6 for Mac indeed is not. Wed, 20 May 2009 08:41:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments RE: Costs too much http://www.osnews.com/thread?364515 http://www.osnews.com/thread?364515

I'd like to see widespread coverage of this, it might make Apple pull its head in a bit.

Don't count on it. Apple websites will systematically ignore this, and take a guess where the truly major sites get their Mac news from...

Bingo. Wed, 20 May 2009 08:48:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments bummer... http://www.osnews.com/thread?364518 http://www.osnews.com/thread?364518 Hate it that I can't even trust an OS's implementation of JRE, and have to resort to running a separate OS in a VM. Wed, 20 May 2009 09:09:00 GMT donotreply@osnews.com (Chatbox) Comments RE[2]: Costs too much http://www.osnews.com/thread?364520 http://www.osnews.com/thread?364520 MacGeneration which is a well known french Apple site has an article about it.

Don't assume too much when you don't know. Wed, 20 May 2009 09:12:00 GMT donotreply@osnews.com (majipoor) Comments RE[2]: Only 1 thing left to do... http://www.osnews.com/thread?364538 http://www.osnews.com/thread?364538

The current Mac OS has Java 5 which is NOT open source. You have to be a paying licensee to get the code updates from Sun.

The current release of Java 6 is only partially open source.

Java 7 is 100% open source and hasn't been released yet.

Java 6(OpenJDK) is currently open source 100%, but lacks some patented and copyrighted parts(as in graphics or something).

And Apple does support the Java 5 on OSX 100%, and does not need to ask Sun to create patches. Let alone, they asked Sun to support Java on OSX by themselves. Add to that, the fact that Stevie said that he wanted OSX and Macs to be the platform of choice for Java development. So much for trusting that guy. Wed, 20 May 2009 12:23:00 GMT donotreply@osnews.com (JAlexoid) Comments RE: Huge molehill or small mountain? - give it time http://www.osnews.com/thread?364564 http://www.osnews.com/thread?364564 I'm sure they'll fix it after the first Apple machine falls in next year's Pwn2Own.

Seriously though, they probably stuffed the patches in with the next OS release as they've done with proper sandboxing around safari and those other niceties that make breaking osX easy.

(It's a bit of irony to learn that Windows actually has better security mechanisms in place than osX. The security researcher's disagree with the marketing.) Wed, 20 May 2009 14:20:00 GMT donotreply@osnews.com (jabbotts) Comments RE: Waiting for Apple to get its act together - was go http://www.osnews.com/thread?364565 http://www.osnews.com/thread?364565 I was going to say; "at least there is an osX native Firefox" but it's actually any browser run on osX that is vulnerable to much the platform has to offer. Wed, 20 May 2009 14:22:00 GMT donotreply@osnews.com (jabbotts) Comments RE: bummer... - that's a good practice http://www.osnews.com/thread?364567 http://www.osnews.com/thread?364567 Being able to pop open an easily restored VM for untrusted sites is just a good idea all around. Even with 64bit flashplayer now on my Mandriva or a near bulletproof Windows install (thanks to third party software), there isn't a site that can't wait five minutes while a Windows VM boots from a clean restore point. Wed, 20 May 2009 14:27:00 GMT donotreply@osnews.com (jabbotts) Comments RE: OpenJDK not good solution? http://www.osnews.com/thread?364577 http://www.osnews.com/thread?364577

Unfortunately Apple cannot replace their VM investment with the OpenJDK. From what i understand, in the earily days of Mac OS X, Objective-C was not very popular, and seen by Apple as a hinderence. To entice more developers over to the platform, Apple commited to making Java a "first class citizen" on the Mac OS X platform. So there are a lot of Apple only features in the Apple JDK. They also intergrated swing and their aqua interface. As well as little things like spell checking and such. As Objective-C gained popularity, Apple's Java commitment waned.

I suspect because of the OS level intergration they wont be using any GPL'd code, as they dont want to show their source. Wed, 20 May 2009 15:10:00 GMT donotreply@osnews.com (slashdev) Comments RE: Why http://www.osnews.com/thread?364596 http://www.osnews.com/thread?364596

Why patch if you're that cool?

Nice troll. Completely unnecessary. Would you like me to stereotype Linux and Windows while we're at it? Wed, 20 May 2009 16:28:00 GMT donotreply@osnews.com (polaris20) Comments RE: Waiting for Apple to get its act together http://www.osnews.com/thread?364623 http://www.osnews.com/thread?364623 Thanks for the link. I have java turned off now. This is really bad^H^H^Hsad!! Everyone should read that link you posted and it does work in any browser (I tried opera, safari, firefox) except Chromium which does not support java by default! Wed, 20 May 2009 19:18:00 GMT donotreply@osnews.com (libray) Comments RE[2]: Costs too much http://www.osnews.com/thread?364626 http://www.osnews.com/thread?364626

Don't count on it. Apple websites will systematically ignore this, and take a guess where the truly major sites get their Mac news from...

Bingo.

Well, it's on MacRumors and CNBC, the financial network watches MR closely so others will likely take notice. Wed, 20 May 2009 19:53:00 GMT donotreply@osnews.com (bousozoku) Comments RE[2]: Costs too much http://www.osnews.com/thread?364630 http://www.osnews.com/thread?364630 You're totally full of it... Please point to the ones ignoring this?

http://daringfireball.net/linked/2009/05/20/fuller-java-mac-os-x

http://www.macworld.com/article/140704/2009/05/java_vulnerability.h...

http://www.macnn.com/articles/09/05/20/java.vulnerability.in.os.x/

And you got modded up for your troll... Wed, 20 May 2009 20:02:00 GMT donotreply@osnews.com (macUser) Comments RE[3]: Costs too much http://www.osnews.com/thread?364632 http://www.osnews.com/thread?364632

And you got modded up for your troll...

It wasn't a troll. This news was out and about for a long time already, and the sites that are SUPPOSED to carry it (Mac sites), did not. Explain to me how the latest fart from an Apple employee gets pushed across the Apple blogosphere at lightspeed, but something negative takes days to appear? Wed, 20 May 2009 20:09:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments RE[4]: Costs too much http://www.osnews.com/thread?364635 http://www.osnews.com/thread?364635

"And you got modded up for your troll...

It wasn't a troll. This news was out and about for a long time already, and the sites that are SUPPOSED to carry it (Mac sites), did not. Explain to me how the latest fart from an Apple employee gets pushed across the Apple blogosphere at lightspeed, but something negative takes days to appear? "

They are carrying it and they aren't glossing it over. Days to appear?

http://landonf.bikemonkey.org/2009/05/19#CVE-2008-5353.20090519 was posted on the 19th. The sites I linked to all had stories up today (the 20th). Days... you say.

I suppose you lump this site in with them as well, since it took OSnews a day to get to it as well.

Here is what you said:

Don't count on it. Apple websites will systematically ignore this, and take a guess where the truly major sites get their Mac news from...

Bingo.

So again where are the sites systematically ignoring this?

T-R-O-L-L Wed, 20 May 2009 20:50:00 GMT donotreply@osnews.com (macUser) Comments RE[2]: Huge molehill or small mountain? - give it time http://www.osnews.com/thread?364674 http://www.osnews.com/thread?364674

I'm sure they'll fix it after the first Apple machine falls in next year's Pwn2Own.

I don't like to wait for them. Since Avie Tevanian left the company, they've become far too reckless in their software, as if they're doing it purposely to sell new hardware.

All the security bits in Windows would mean something if Microsoft removed ActiveX, but it's still a security leak by design and no matter how many UAC dialogues appear, you can't change people. You can lead a horse to water, but you can't make him think, as I say. Thu, 21 May 2009 00:34:00 GMT donotreply@osnews.com (bousozoku) Comments RE[2]: Huge molehill or small mountain? - give it time http://www.osnews.com/thread?364758 http://www.osnews.com/thread?364758 What is bad, is Apple base their software partly on Open Source and when Open Source project X fixes something, Apple doesn't ship the fixes to the users. Thu, 21 May 2009 13:10:00 GMT donotreply@osnews.com (Lennie) Comments RE[3]: Huge molehill or small mountain? - give it time http://www.osnews.com/thread?364819 http://www.osnews.com/thread?364819

What is bad, is Apple base their software partly on Open Source and when Open Source project X fixes something, Apple doesn't ship the fixes to the users.

It would be nice if Apple rolled open source patches into their OS updates at a greater clip and I wonder sometimes how many resources they pour into this.

I think there are signs of the company quietly getting more serious about it's security issues. For instance, they just hired Ivan Krstic who was the director security architecture for OLPC. I guess that one just slipped by... Thu, 21 May 2009 18:10:00 GMT donotreply@osnews.com (macUser) Comments The problem is not Java and Apple, but browsers http://www.osnews.com/thread?364877 http://www.osnews.com/thread?364877 Actually there are some things people forget when they discuss about Java in Mac OS X.

Mac OS X is the only major consumer-oriented operating system that still ships with Java installed by default. That decision was taken at the end of the nineties. At that era every one though Java would be the future.

However, most desktop applications do not use Java these days. It could be that Sun did not open source the thing before, or that they never focus on the desktop and only on the Enterprise. Or that Java suffered so much on the performance land that people decided to code in something else.

Anyway, these days, the major Apps Java made I can think of are NetBeans, JDeveloper, IntelliJ, Eclipse... There are very few customer apps made in Java these days if you not consider enterprise.

And since Apple is not focused on the enterprise, I believe they are focusing on other things more important, like Snow Leopard and ITouch.

The problem, however, is not Java per se, in my opinion. The problem is the way browsers work (Firefox, Safari, Explorer, etc.).

This time is Java, but we have seen the same security threats from Flash, Quicktime, Windows Media Player, Javascript and every single thing that can be made plugin and used on a web page. And somehow all Operating systems could get compromised. At this time, the flaw is patch, but non patched systems are all affected no matter the OS.

I do not understand how all browsers trust so much on everything they find on the web and give rights to execute whatever they like. I really hope Chrome fixes that. It is just so wrong.Edited 2009-05-22 00:32 UTC Fri, 22 May 2009 00:30:00 GMT donotreply@osnews.com (DavidSan) Comments