Mac OS X Users Vulnerable To Major Java Flaw

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."
  • by SoupIsGoodFood_42 ( 521389 ) on Wednesday May 20, 2009 @05:12AM (#28022941)

    Yeah, Snow Leopard was really just an excuse for the programmers to sit around doing nothing all year. Slackers...

  • by BikeHelmet ( 1437881 ) on Wednesday May 20, 2009 @06:31AM (#28023317) Journal

    Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and it's not acceptable.

    You're absolutely right about that. Apple decided that they'd be better than Sun at creating a JVM for their OS, so they did it themselves.

    The result? PPC Macs are stuck on Java 1.5; Intel Macs have outdated, slow, and exploit-vulnerable Java 1.6...

    I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology.

  • Re:Now patched? (Score:5, Insightful)

    by iwein ( 561027 ) on Wednesday May 20, 2009 @06:38AM (#28023347)
    try the 'say' invoking applet by Landon Fuller: http://is.gd/BpBp [is.gd]. That scared the crap out of me... what if it had invoked 'rm -rf ~'?
  • by Anonymous Coward on Wednesday May 20, 2009 @06:50AM (#28023425)
    Does it matter? If the JVM has access to the filesystem and the network, that's all a virus writer needs.
  • by ThePhilips ( 752041 ) on Wednesday May 20, 2009 @07:09AM (#28023507) Homepage Journal

    Very similar here.

    At home, I had removed all traces of Java like eons ago. Never had a problem. Only OO.o occasionally complains that there is no Java installed, but no crucial functionality is affected.

    In the office, one of the corporate portals uses ActiveX and Java. Though the Java applet is apparently used only during authentication, it still requires Java. (IOW, a puny 20K applet wastes countless megabytes/gigabytes of disk space on a hundred desktops.) Otherwise - no Java in sight.

  • by x2A ( 858210 ) on Wednesday May 20, 2009 @07:10AM (#28023513)

    In "the oldun days", computers used to come with books, instruction manuals, telling you how to use them. Nowadays, OS vendors will jump through hoops to try and ensure that their users Do Not Have To Learn A God Damn Thing(tm)... and in some instances, inconsistent user interfaces actually prohibit learning (although I wouldn't call this a common case). And this is the result.

    I'm not suggesting people should have to know all the nuts and bolts of the internals, but I'm sure there's a middle ground so this culture of "our users are stupid, we must protect their tiny brains" can be vanquished.

    (this is not limited to Apple/OSX by any means, although they do appear to me to be worse for it, this gap is closing fast)

  • by BrokenHalo ( 565198 ) on Wednesday May 20, 2009 @07:24AM (#28023577)
    It has nothing to do with luck, just bad management.

    Though I'm not sure why this whole discussion is under the title "Mac OS X users vulnerable..." when, as the submission says, the issue affects everybody. Other than to start yet another boring FUD/flamebait war, of course.
  • by gun26 ( 151620 ) on Wednesday May 20, 2009 @07:31AM (#28023609)

    The problem with Apple is not that they don't take security seriously. Far from it. Lots of stuff does get fixed - witness the multi-hundred megabyte download the other week. But the corporate culture at Apple is secrecy. They must figure that documenting every patch serves only to draw a roadmap for hackers. This "security through obscurity" approach is in dramatic contrast to Microsoft's. Every Windows fix gets a Knowledge Base article which the user can consult before applying the patch. In the case of this Java vulnerability, I'm stunned that Apple didn't fix it in that recent update.

    As for "prettying up the OS" I'd argue that current versions of the open source Gnome and KDE desktops, with compositing enabled, are probably prettier than Mac OS in most respects. Apple's strength has always been an unwavering focus on functionality and great industrial design, and on keeping the user experience uncluttered.

    This latest story only reinforces the generalization that Scripting Is Dangerous. Mac OS users can be safer by using Firefox with the NoScript extension enabled. So can everyone else, for that matter.

  • by Serious Callers Only ( 1022605 ) on Wednesday May 20, 2009 @08:00AM (#28023761)

    Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java.

    : ) Reason no 12939 not to work at a gigantic corporation. Having experienced working in large companies, I sympathise.

    The funniest thing about large companies using web-apps for internal software is that most of them produce web-apps which depend on technology which is not truly cross-platform (Active-X, using a certain JVM, depending on a certain browser, etc), thus removing most of the business benefit of using a web application in the first place.

  • Re:To be expected (Score:2, Insightful)

    by Hal_Porter ( 817932 ) on Wednesday May 20, 2009 @08:07AM (#28023793)

    Usually it's like this

    Release 1.0 is shipped. Testing is very extensive and a huge list of bugs is found. The most critical ones are fixed, the rest are scheduled for Patch 1.0. The experienced part of the team moves onto their next project or takes a vacation. Now a load of new people are handed copies of Release 1.0 and assigned a bug. Most of them will manage, but a minority of them will make changes with severe side effects - e.g. their code will corrupt the stack or heap. They module test, missing the corruption, and check the code in.

    So now Patch 1.0 contains a lot of fixes, some very badly coded. Possibly they will cause problems on their own, or possibly when combined. There are bugs that were missed in the big release too. A lot of the new people will get assigned off the project. Usually the amount of system testing on patches is not as much as on Release 1.0.

    The other issue is that the commercial pressure on the company is dropping - bugs introduced by a patch when people have already paid are less serious commercially than bugs at release when they're still thinking about paying.

    So it's quite possible that updates will actually make a product worse.

  • by epee1221 ( 873140 ) on Wednesday May 20, 2009 @08:53AM (#28024125)
    Strictly speaking, it's sudo privileges, not root privileges. If someone's willing to type his admin login password into a Java applet, there's probably no saving him anyway.
  • by Serious Callers Only ( 1022605 ) on Wednesday May 20, 2009 @08:57AM (#28024163)

    But, because of this standardization, the internal development staff only needs to target one defined platform, they aren't really worried about cross-platform support.

    This works really well as a way to cut costs *for the IT department* in the short term. As to whether it cuts costs for the company as a whole (there's the lost productivity involved in enforcing a standard install that you alluded to, and the lack of choice of tools), is another matter, and I'm sure varies with the company/tech involved. Obviously some degree of standardisation is required when managing large numbers of computers, so I'd happily concede that point.

    But there is a bigger issue related to this strategy in the long term. In the long term, targeting one platform exclusively leads to the production of tools which are tied tighter and tighter to that platform. So it means you can never switch to a competitor; you can't even consider switching to a competitor unless you're willing to ditch all the internal software that you've built up which will only work on version X of system X. It becomes simply impossible for your business to even think about switching. You might even find that moving to a new version of an operating system has significant costs which you had not anticipated (an XP to Vista migration for example, or IE 6 to IE 8). These are not the normal costs of doing business, they are the costs of doing business if you choose to lock yourself too tightly to one platform.

    There is a reason that Microsoft pushed things like Active-X, .NET and IE for web apps, Sun pushes Java everywhere, Apple encourages web pages made for iPhones, etc. It is to tie developers/companies in to using just their products, and it is in the long-term interests of the tool provider, not the company using the tools to work with.

    Using web apps for internal software is a good way out of this conundrum, so long as you do not target a specific platform with them. Otherwise, you may as well be writing binary software tied to a specific version of one OS - the end result is the same - lock-in. I understand completely why, in the real world, these decisions are made, but if you look at the situation rationally they are not good investments of time/money over the long-term, and they undermine the very reasons for writing software as a web application in the first place.

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Wednesday May 20, 2009 @08:58AM (#28024171)
    Comment removed based on user account deletion
  • Re:To be expected (Score:4, Insightful)

    by foo fighter ( 151863 ) on Wednesday May 20, 2009 @09:29AM (#28024447) Homepage

    Frak, someone always has to make this post, don't they?

    Of course OS X has security flaws: it's a modern, general purpose operating system.

    The fact remains that by many metrics it is much more secure than Windows. For one, there is nowhere near the amount of malware in the wild targeting OS X as there is for Windows. Most people who run OS X have never, ever had to worry about contracting a virus, trojan, or worm. That is not the same thing as saying they never will, but it is a remarkable track record.

    I am concerned about Apple's slow response to newly identified flaws. Their lack of candor in discussing vulnerabilities, their potential impact on the platform, or details of its remediation in patches' release notes is also worrisome. They need to pick up their game if they want to keep that track record as the platform expands.

  • by Anonymous Coward on Wednesday May 20, 2009 @10:18AM (#28024989)

    "Obviously Apple is doing this so app developers must use the Cocoa libraries and internal devs can focus on improving Cocoa."

    Well yes but it is still dickless. More than 6 million developers use Java as their primary development language and OSX is a natural desktop choice for them. I looked at it pretty seriously a couple of years ago and decided to wait. I'm glad I did since had I switched I'd be stuck developing on Java 5 (which came out in 2004) now.

    When you are a minority OS deliberately pissing off 6 million people is dumb particularly when you are a natural market for them. If Apple don't want to maintain their own JRE they should at least allow Sun to do it for them and include it in OSX.

  • by FictionPimp ( 712802 ) on Wednesday May 20, 2009 @10:31AM (#28025175) Homepage

    I use noscript on firefox. But I would like this option in safari.

    Really why should disabling javascript and java with a white list be a feature that requires a 3rd party addon.

  • by dn15 ( 735502 ) on Wednesday May 20, 2009 @11:39AM (#28026249)
    I'd like to disable Java but I work at a school district where...
    - Our Internet filter keeps you authenticated with a popup that embeds a Java applet
    - Our Internet filter admin interface is Java
    - Our wireless network login uses a Java applet to authenticate your username and password
    - Our student record database runs on Oracle with a Java interface

    Basically if I disabled Java I could only access one or two superfluous file servers on the LAN, and only using an Ethernet cable. Not gonna happen, unfortunately.
  • by _Sprocket_ ( 42527 ) on Wednesday May 20, 2009 @12:31PM (#28027097)

    In "the oldun days", computers used to come with books, instruction manuals, telling you how to use them.

    Yup - and we ignored them for the most part. They did look nifty on the shelf. I've still got a few.

    Having said that - I agree with the general premise of what you're saying. Back then, we respected the microcomputer for the complex little beastie it was. These days people are being told that their computer is as simple as a toaster. They're buying in to a whole case of snake oil.

    What makes it even more difficult is an almost willful ignorance from end users. I've talked to some very intelligent (in one case a literal rocket scientist) users who will disengage their entire critical thought process once they get behind a keyboard. I'm not entirely sure why.

    Part of the problem is probably because people really do believe computers are still hard to work with. Quite a few years ago, I saw one of the more distinguished newscasters interviewing someone and making the claim to be completely ignorant about using computers. It struck me as odd - could you imagine Dan Rather breaking in to his series of questions with a Federal economist to note that economics completely baffles him?

    When people think computers are hard but are being told they're "just works" easy, and worse, they have some personal experiences that expose the lie, there's got to be a cognitive dissonance kicking in. No wonder they put hand to mouse and freeze.

    Of course - that might be a somewhat dated outlook. These days you don't see newscasters talking about how "computers are hard." Now they're trying to get you to subscribe to a Twitter feed. Maybe we've made a leap over that freeze response and are now blindly clicking away; still lacking critical thought but giving in to the heady promises of the snake oil.
