Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Users Vulnerable To Major Java Flaw

Posted by kdawson on from the write-once-own-everyone dept.

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."

4 of 306 comments (clear)

  1. Re:Java and not javascript by BikeHelmet · · Score: 5, Insightful

    Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and its not acceptable.

    You're absolutely right about that. Apple decided that they'd be better than Sun at creating a JVM for their OS, so they did it themselves.

    The result? PPC Macs are stuck on Java 1.5; Intel Macs have outdated, slow, and exploit vulnerable Java 1.6...

    I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology.

  2. Re:Now patched? by iwein · · Score: 4, Insightful

    try the 'say' invoking applet by Landon Fuller: http://is.gd/BpBp. That scared the crap out of me... what if it had invoked 'rm -rf ~'?

    --
    Show a man some news, distract him for an hour. Show a man some mod points, distract him for the rest of his life.
  3. Re:Java and not javascript by Serious+Callers+Only · · Score: 4, Insightful

    Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java.

    : ) Reason no 12939 not to work at a gigantic corporation. Having experienced working in large companies, I sympathise.

    The funniest thing about large companies using web-apps for internal software is that most of them produce web-apps which depend on technology which is not truly cross-platform (Active-X, using a certain JVM, depending on a certain browser, etc), thus removing most of the business benefit of using a web application in the first place.

  4. Re:Java and not javascript by Serious+Callers+Only · · Score: 4, Insightful

    But, because of this standardization, the internal development staff only needs to target one defined platform, they aren't really worried about cross-platform support.

    This works really well as a way to cut costs *for the IT department* in the short term. As to whether it cuts costs for the company as a whole (there's the lost productivity involved in enforcing a standard install that you alluded to, and the lack of choice of tools), is another matter, and I'm sure varies with the company/tech involved. Obviously some degree of standardisation is required when managing large numbers of computers, so I'd happily concede that point.

    But there is a bigger issue related to this strategy in the long term. In the long term, targeting one platform exclusively leads to the production of tools which are tied tighter and tighter to that platform. So it means you can never switch to a competitor; you can't even consider switching to a competitor unless you're willing to ditch all the internal software that you've built up which will only work on version X of system X. It becomes simply impossible for your business to even think about switching. You might even find that moving to a new version of an operating system has significant costs which you had not anticipated (an XP to Vista migration for example, or IE 6 to IE 8). These are not the normal costs of doing business, they are the costs of doing business if you choose to lock yourself too tightly to one platform.

    There is a reason that Microsoft pushed things like Active-X, .NET and IE for web apps, Sun pushes Java everywhere, Apple encourages web pages made for iPhones, etc. It is to tie developers/companies in to using just their products, and it is in the long-term interests of the tool provider, not the company using the tools to work with.

    Using web apps for internal software is a good way out of this conundrum, so long as you do not target a specific platform with them. Otherwise, you may as well be writing binary software tied to a specific version of one OS - the end result is the same - lock-in. I understand completely why, in the real world, these decisions are made, but if you look at the situation rationally they are not good investments of time/money over the long-term, and they undermine the very reasons for writing software as a web application in the first place.