Mac OS X Users Vulnerable To Major Java Flaw
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."
I've disabled Java in Safari and doubt I'll see any difference since so few sites use Java applets these days. This is of course unrelated to Javascript which is much more disruptive when disabled.
"I have the attention span of a strobe lit goldfish, please get to the point quickly!"
'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,'
And the Java critics said total platform independence was impossible!
Is it independent of the chipset as well, or does it only apply to x86?
My mac downloaded a new java patch just tonight.
Is it patched?
Yeah, Snow Leopard was really just an excuse for the programmers to sit around doing nothing all year. Slackers...
In case you don't have OS X but want to pass on the instructions to relatives, etc:
In Safari (version 4 beta):
Safari->Preferences->Security->Web Content: Enable Java (uncheck)
In Firefox (3.5 beta, probably the rest):
Firefox->Preferences->Content->Enable Java (uncheck)
I don't have any other browsers (opera, different versions, etc.) on hand, but it might be nice to add instructions in a reply...
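For anyone who has to push the two "uncheck Enable Java" steps above to more than one machine, here is an added example (my own script, not code from the thread or from Apple or Mozilla) that sets the same preferences from a shell. It assumes that Firefox 3.x honours `user_pref("security.enable_java", false);` in the profile's `user.js`, and that Safari 4 reads a `WebKitJavaEnabled` key from `com.apple.Safari`; both key names are assumptions to verify against your own browser build. The Safari step is skipped on hosts that lack `defaults(1)`.

```shell
#!/bin/sh
# Added example, not from the original thread: script the "Enable Java (uncheck)"
# steps for Firefox and Safari. The preference names below are assumptions.

# disable_java_firefox PROFILE_DIR
#   Ensure PROFILE_DIR/user.js contains exactly one line turning Java off.
#   Firefox re-applies user.js on every start, so the GUI cannot silently re-enable it.
disable_java_firefox() {
    profile="$1"
    userjs="$profile/user.js"
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 1; }
    # Drop any existing setting (true or false) so we never end up with two lines.
    if [ -f "$userjs" ]; then
        grep -v '"security.enable_java"' "$userjs" > "$userjs.tmp" || true
        mv "$userjs.tmp" "$userjs"
    fi
    printf 'user_pref("security.enable_java", false);\n' >> "$userjs"
}

# java_disabled_firefox PROFILE_DIR
#   Check: returns 0 only if user.js explicitly turns Java off.
java_disabled_firefox() {
    grep -q '^user_pref("security.enable_java", false);$' "$1/user.js" 2>/dev/null
}

# disable_java_safari
#   Writes the assumed Safari preference key for the current user. Safari must be
#   restarted to pick it up. On non-Mac hosts defaults(1) is absent, so we skip.
disable_java_safari() {
    if command -v defaults >/dev/null 2>&1; then
        defaults write com.apple.Safari WebKitJavaEnabled -bool false
    else
        echo "defaults(1) not found; not a Mac OS X host, skipping Safari" >&2
        return 0
    fi
}

# Usage (the profile path below is a placeholder, not a real profile name):
#   disable_java_firefox "$HOME/Library/Application Support/Firefox/Profiles/xxxxxxxx.default"
#   disable_java_safari
```

The Firefox part only touches `user.js`, so a later "Enable Java" click in the GUI is overridden again at the next start; that is the point of using `user.js` rather than editing `prefs.js`. Run `java_disabled_firefox` on the profile afterwards as the check.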
To my knowledge every other major OS release has already patched its Java.
If you had read the very first paragraph of the summary, you'd know that it's "a vulnerability in Java that has been patched by everyone but Apple."
For all the other platforms, architectures and browsers the fix is "use a version of Java that's less than 6 months old". For OSX users, however, the only solution is to stop using it altogether.
No problem is insoluble in all conceivable circumstances.
Very well...
I choose this one...
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.
So essentially... All Apple users who have left JAVA enabled, and all -other- users who have not yet patched their JAVA installations. Yes, that does include Microsoft Windows, flavor-of-the-month Linux, etc. users who decided to disable auto-updating - if any - of their JAVA installation.
I'd really like to know if this was/is a flaw in the structure/design of the JVM or just happened to be some kind of pitfall every major JVM-implementor fell into.
The articles and bug reports are light on detail. I could only find out that it is related to "Deserializing Calendar Objects" and allows the applet to execute stuff with the user's rights (or, probably more correctly, the rights of the web browser that started the applet), which sounds like an implementation problem to me. Was there some reference implementation all JVM developers used for this specific functionality?
You've kinda just proven the OP's point. Snow Leopard is just prettying up what already exists.
Snow Leopard is mainly a beneath-the-hood architectural upgrade. http://www.apple.com/macosx/snowleopard/ "Taking a break from adding new features..."
That having been said, there's nothing on there about added security. I can tell you there are some rumors that things like more complete code page protection and address randomization will be in Snow Leo, but Apple's priorities concerning security are rather low; they rely heavily on security-through-obscurity, and one day if they're not careful it's going to bite them.
Actually Java SE is not Java ME
The (untrue) assumption that many people seem to hold that Macs are just invulnerable to anything bad happening has finally spread to Apple itself, and they're the last to patch this exploit. Since a lot of Mac advertising used to be based on "Macs don't get Viruses" you'd think they'd have been the first to patch this to maintain their reputation.
Yes I know I'm probably going to get modded down immediately for saying this, but hell, it's the truth.
You can advertise in this sig from as little as £99.99 a month!
In addition to disabling Java support, Safari's 'Open "safe" files after downloading' must also be disabled to prevent websites from automatically loading a Java WebStart application via a JNLP file.
I've also posted a demonstration of the vulnerability at http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html
http://plausible.coop
For the record, those running Firefox as their default browser, with NoScript installed, won't be affected* unless they *choose* to execute an unknown, untrusted binary within the browser.
*At least the sample exploit at the top of the thread didn't execute for me, YMMV
Some days it's just not worth chewing through my restraints.
You articulated what I was trying to say a whole lot better than I originally did!
After meeting some Mac newbies I think I can already see the iceberg. Two are friends, one of which called me out of the blue to tell me that he just bought his first Mac (an iMac actually). Well, needless to say I get calls from both since I am the "Mac expert" (read: I had one longer than them).
The simplest way to say it, they are more than happy to key in their password for anything that asks, even if they don't know what they are doing. After all, they are on a Mac, they don't have virus protection because it doesn't need it, so how is something bad going to get on the system. These are not normally dense people, well maybe they are proving me wrong.
So I figure that someone out there will rely on this type of stupidity to get key loggers, bots, and the like, on Macs. The number of people out there who buy one because they think it makes them cool or smart cannot be underestimated.
I do know one of these two did ditch firefox because they didn't like clicking the ad-block button to allow some sites. So it is just a matter of time.
(and no, I do not run an AV or worry about it on either of my Macs)
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Sometimes it blows my mind when I try to understand oxymorons.
Pure Java = pure platform independent.
OS Specific Java = Not Pure Java
non-cross-platform Java code = proprietary Java code.
Before I get angry at you, let me try to explain something here. I have been using Java since the 1.0.2 JDK in 1996 and failed to install the JDK on Win 16-bit with 32-bit extensions...
OS-specific exploits can be written in Java using JNI. JNI alone can interact with the C language (although technically C++, and that code can invoke Assembly, blah blah).
Pure Java does not and should not contain any JNI calls.
This exploit involves the user downloading a native library and then visiting the website which will invoke this downloaded library (which has to be in CLASSPATH) and the OS in correct version/make for it to work. Under Vista's brutal UAC, this exploit will fail. Under XP it may succeed.
Under Mac OS X, well, hell, the OS cannot understand the library in the first place so it will not load it. Secondly, the CLASSPATH is different on a Mac, so EVEN if the user downloaded the same onto ~\Libraries it will not work.
It's more like blasting the Guns of Navarone or sinking the Titanic. Yes, it can happen, and it happens only once under extraordinary circumstances and executed by extraordinarily talented people.
A Mac user hell-bent on infecting his Mac can get the source code to this JNI library, recompile it under Xcode, put it in his \Libraries (if he types the root user password) then visit the page to get himself infected.
It's much like cutting off your own foot with a rusty chainsaw without anesthetic, placing it on a table, hammering a bullet into the foot, rejoining the foot to the leg with Super Glue and claiming you shot yourself in the foot.
I wonder how people can be so dumb and yet be on slashdot.
"Doing what i can, with what i have." ~ Burt Gummer
So it can arbitrarily execute Java code in a browser. Well hold on, aren't browser VMs rather crippled anyway in their functionality? And that's after you take into account it'll only have the privileges of whichever user launched the browser in the first place. So what exactly could you do with this exploit? Steal some cookies, bring up some annoying windows? Or is this about it being able to escape the sandbox? I don't really get it.
Yes, but Snow Leo doesn't really "pretty up" anything much, it's all under the hood. Now, if they start updating all of the open and closed-source software that comes with OS X enough to keep it secure too, I'll be more impressed; but I doubt Apple will do that unless they're forced to. (Sound familiar?)
Steve Jobs, JavaOne Keynote 2000:
WWDC 2006
Steve Jobs, January 2007 (iPhone related):
2008/05/01
The problem with Apple is not that they don't take security seriously. Far from it. Lots of stuff does get fixed - witness the multi-hundred megabyte download the other week. But the corporate culture at Apple is secrecy. They must figure that documenting every patch serves only to draw a roadmap for hackers. This "security through obscurity" approach is in dramatic contrast to Microsoft's. Every Windows fix gets a Knowledge Base article which the user can consult before applying the patch. In the case of this Java vulnerability, I'm stunned that Apple didn't fix it in that recent update.
As for "prettying up the OS" I'd argue that current versions of the open source Gnome and KDE desktops, with compositing enabled, are probably prettier than Mac OS in most respects. Apple's strength has always been an unwavering focus on functionality and great industrial design, and on keeping the user experience uncluttered.
This latest story only reinforces the generalization that Scripting Is Dangerous. Mac OS users can be safer by using Firefox with the NoScript extension enabled. So can everyone else, for that matter.
As we know from that one Mac vs. PC commercial, Macs don't get viruses. And if something is invulnerable to viruses, it has no flaws of any kind. Implying that Macs have a Java flaw implies they can get infected, correct? Which means they can get viruses, which obviously cannot be true, if that Mac Genius, Megan commercial is correct.
CERT has been telling users to disable Java in your web browser for years. If you haven't done so already, give it a shot. You probably won't miss it.
http://www.cert.org/tech_tips/securing_browser
DNS is obsolete and everyone should be using Bonjour by now.
TQF!
Although this situation is clearly unacceptable, I would not have called your remark insightful. Apple has been pretty busy with the security updates:
http://support.apple.com/kb/HT1222
As a whole, I would say leopard is pretty secure (when compared to linux, compared to windows it's ironclad). If additional security is required, consider:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#AppleMac
Snow Leopard is mainly a beneath-the-hood architectural upgrade. Then how are they planning to market it to the Great Unwashed? They're never going to persuade the fan-base to shell out dollars and cents if they can't see something new and shiny.
All of those people with MacBook Airs (no pun intended) and any upcoming Apple netbook whose systems could use a more svelte OS would be in the market for it. Think Vista vs. Windows 7, except less of a difference in speed and interface. If you don't believe me, check out the site I linked earlier - Apple's own marketing copy says the new features are on "pause" and the feature of Snow Leo is performance and smaller footprint.
There are fixes for every other platform apart from OSX, so yeah, it's solely an OSX vulnerability at the moment.
If I understand it correctly, all Java implementations have this flaw, so why write that it is a "MacOS vulnerability" and not "Java vulnerability"?
Because by now, all others are fixed, and the vulnerability remains only in Apple's Mac-specific version of Java.
So Apple fixed some things back in February, but I can't tell if they fixed them all.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
It's much like cutting off your own foot with a rusty chainsaw without anesthetic, placing it on a table, hammering a bullet into the foot, rejoining the foot to the leg with Super Glue and claiming you shot yourself in the foot.
I wonder how people can be so dumb and yet be on slashdot.
Nobody is going to understand that without a car analogy. You must be new here.
So MacOS X users, please disable Java in your web browser.
Others: make sure you have updated Java and still disable it in your web browser: it's a huge attack surface and it suffers from many other security vulnerabilities.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
The problem with Apple is not that they don't take security seriously.
I think it's clear from the outdated state of Open Source components in OSX that Apple does not take security seriously.
But the corporate culture at Apple is secrecy. They must figure that documenting every patch serves only to draw a roadmap for hackers. This "security through obscurity" approach is in dramatic contrast to Microsoft's.
Security through obscurity doesn't work. Numerous hackers have said OSX is less secure than Windows or Linux. But don't let the facts get involved, eh?
As for "prettying up the OS" I'd argue that current versions of the open source Gnome and KDE desktops, with compositing enabled, are probably prettier than Mac OS in most respects.
The smoothness/speed of animation in Compiz is shit. I say this speaking as someone with a Quadro 2700M. Don't let me hear that bullshit about how a Quadro isn't meant for performance, because I can play HL2 at 1920x1080 with all the detail turned up and FSAA turned on and still peg the FPS at vblank. With my former Quadro 1500M and with Xgl (Xgl is dead, long live Xgl) the Magic Lamp animation (for example) was smooth. It is seriously chunky without Xgl. OSX and Vista both have smoother window animations than Compiz.
This latest story only reinforces the generalization that Scripting Is Dangerous.
Java, not Javascript. You have no idea what you are talking about whatsoever, and neither do the moderators who modded you up.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Speaking of liking only one version of the JVM, I worked for a CLEC (a small phone company) that had to interface with the RBOC (The Phone Company - SBC/AT&T) via a Java application for provisioning phone numbers and the like. The application ran on a specific version of Java 1.4.2 (like j2re_1.4.2_01 or something), and the JVM had to be patched by SBC software so that the application would run. The name escapes me... Oddly enough, I think LENS (Bell South's Java interface application) used the exact same version of the JVM. And this was before there was even talk of them merging.
That's not really busy in my opinion. 3-5 security updates a month is nothing to be impressed by and it doesn't tell me if they fix all their vulnerabilities, which as we all know, they haven't.
You know, I've managed an OS X server before, you can't fool me. Considering how they almost never issue a security update for the entire duration of the server release is pretty scary.
I've also had OS X on my desktop before and I've seen how Apple pretty much just ignores low profile security issues with the opensource software they use, from Samba to CUPS. Often including the updates in the next 'major' version of OS X. Meanwhile, Linux distributions get it patched practically next day.
No, I'm not impressed.
Change is certain; progress is not obligatory.
Apple took more than a year after Sun patched it to patch an exploited buffer overflow in the JVM. They'll take forever to fix this too.
Yeah, this page listing all of the security patches in every Apple update must surely not exist. You know, complete with links to knowledge base articles containing links to the CVE-IDs patched by that particular patch.
Posts like yours are the reason that Slashdot needs a "-1, Factually Incorrect" moderation.
I agree that Apple should have patched this a long time ago, but your argument that Apple does not care about security is just plan asinine.
- (c) 2018 Hank Zimmerman
As secretive as Apple is, it's hard to tell what (if anything) those patches even contain. For all we know, they could be just for show.
SJW: Someone who has run out of real oppression, and has to fake it.
You mean to tell me that little dude with the big nose and bowl haircut on the Mac commercial misled me... and poor Megan chose the wrong guy? Oh no.
Apple is not in Microsoft's position. The majority of their customers trust them to put out a good product, want to experience the improvements, and so are willing to upgrade. Whether or not you think that trust is warranted is up to you. Certainly, not everyone upgrades right away, and depending on the software and hardware config, not everyone can. As with PCs, some people will go on using what shipped with their hardware and wait until they buy new hardware to use the newer OS revision.
Apple is not just the OS maker, they are the OEM. Maybe if the Dells of the world did a better job of providing Vista upgrade options and support, people would have had a reason to upgrade. But the increased hardware requirements made that less likely I think. Here again, OS X is different: the hardware requirements are not greatly increased from version to version, and the few snafus are minor, unlike the situation where Vista's most popular graphics card, Intel's GMA, was underpowered for at least a year.
A final reason why there is less fear about upgrading in that camp is that the point releases are spaced closer in time and they do not represent the large change that XP to Vista did. It's less of a gamble. (In fact, it's not a gamble at all if you keep good backups, especially before OS upgrades, but as always the PEBCAK.)
So, in short, what you call 'new and shiny' is always a given, and traditionally Mac users who want those new features are (a) willing to pay money for software (weird, right?) and (b) not afraid to do the point upgrade.
Honestly, the whole thing to me feels like OEM-done-right: they make a polished product and people are willing to buy it rather than be afraid of it. And I don't know about you, but performance and security improvements are definitely features in my book. Why so critical?
Yes, we all support building new Thermal Qualification Facilities. But now is hardly the time to bring it up.
This "security through obscurity" approach is in dramatic contrast to Microsoft's.
It didn't used to be. But MS got their act together. Hopefully one day Apple will too.
Gnome and KDE desktops, with compositing enabled, are probably prettier than Mac OS in most respects
"LOL"
Apple does do that ridiculous cube effect when you switch users, so I guess there's some overlap. But most of the compiz-fusion effects are incredibly tacky and nothing I'd want to use day to day. They do wow people (like when you use only 2 virtual desktops and "flip" the screen) but things like the wobbly windows are very distracting. Overall, there's a lot to like but a lot of it is superfluous, and what I like about OS X is that it doesn't have a lot of crazy crap.
Yeah, this page listing all of the security patches in every Apple update must surely not exist. You know, complete with links to knowledge base articles containing links to the CVE-IDs patched by that particular patch.
I prefer proactive security rather than reactive.
He agrees that Apple does care about security - read again. But he argues that they are not open about the details of what they fix, which as you point out, is incorrect.
That, also, is Quite Funny
I think he was referring to the genie effect (for minimising), exposé, fading stalled apps, transparency, and so on. It is interesting that some of these features (such as genie and exposé) have exactly the same name in OSX as in Compiz (which AIUI had them first).
You don't have enough imagination. Rooting a box requires platform-specific functionality, but there are other ways of exploiting vulnerabilities for profit. E-mail out randomly selected documents from the user's home directory. Replace randomly selected documents in the user's home directory with encrypted versions thereof, and blackmail the user for the key.
try the 'say' invoking applet by Landon Fuller:
http://is.gd/BpBp. That scared the crap out of me... what if it had invoked 'rm -rf ~'?
You would restore from your Time Machine backup, or the off site clone that you created with Carbon Copy Cloner or SuperDuper! (or rsync).
Backing up OS X is dead simple (it's mostly POSIX-compliant underneath); there's no reason not to do it.
You gotta expect that when you hang out near a vol -- Oh, 'scuse me, it's Java flaw, not lava flow. My bad.
rj
Could it be that Apple does have security improvements in Snow Leopard, but isn't talking about them yet because they don't want people shouting "OMG Leopard is insecure"?
The shareholder is always right.
I'd like to disable Java but I work at a school district where...
- Our Internet filter keeps you authenticated with a popup that embeds a Java applet
- Our Internet filter admin interface is Java
- Our wireless network login uses a Java applet to authenticate your username and password
- Our student record database runs on Oracle with a Java interface
Basically if I disabled Java I could only access one or two superfluous file servers on the LAN, and only using an Ethernet cable. Not gonna happen, unfortunately.
Unfortunately, the only patches for user stupidity are illegal. If you get caught.
OS-X has a pretty good balance between honestly trying to protect the user from doing stupid things and implementing a Vista-esque approach (i.e. so draconian that users find a way to turn it off entirely). You get asked for a password whenever something needs root equivalence.
But that's not going to help people who will do anything to see the dancing squirrels...
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
...but Apple's priorities concerning security are rather low; they rely heavily on security-through-obscurity...
Right, no one's trying to become the first person to develop and perpetrate a mass scale Mac attack.
You haven't been paying attention, there's already been a Mac botnet, from hacked illegal copies of Photoshop and iWork. That having been said, yes, they aren't trying to do it very much. Why? Because they can get 20 times as many PCs for the same amount of effort, it's a question of dollars and cents. Hacking is a multibillion dollar business, and like any business, profit margins are obsessively chased after. Look at Conficker, everyone was worried that 10 million PCs would have their hard drives wiped April 1st, but since that was not profitable, nothing visible happened, then later on the usual phony virus-scanner scam and spam relays that earn the hacker millions from organized crime.
Could it be that Apple does have security improvements in Snow Leopard, but isn't talking about them yet because they don't want people shouting "OMG Leopard is insecure"?
That's an interesting possibility, you should get modded up. :-) I was wondering myself why Snow Leo is slated to have significant security improvements yet Apple is mum about them, while they are willing to prominently display other non-security-oriented architectural improvements coming in 10.6
...unless you're needing to attach to a Citrix desktop, where you need Java, Active X, or a client installation. And given the love for Microsoft by most Mac users... it's either Java (dynamic), or the (somewhat plodding) installed Citrix client.
46. The Hobo smiles, his eyes glaze over, and he burps. "Beware the man who has lived longer than the Wasteland."
That having been said, there's nothing on there about added security. I can tell you there are some rumors that things like more complete code page protection and address randomization will be in Snow Leo, but Apple's priorities concerning security are rather low;
Actually, Apple does quite a bit with security in the core of their system, they just don't talk a lot about it. In leopard they introduced quite a few significant improvements:
Mac OS X Security
In doing so they leapfrogged Ubuntu Linux, for example in practical application of several technologies. Their sandboxing of their ZeroConf service, for example, was the only thing standing between OS X and a major vulnerability in a default service, but it did not get a lot of press outside of the security community. Apple just doesn't publicize security particulars, trying to keep the message simple and aimed at the general public.
That is not to say all is sunshine and roses for Apple on security. Their culture is very mixed, with old school UNIX guys who live and breathe security mingling with pre-OS X era application programmers where security is not even on their radar. (The Java team is apparently in the latter category or at least is not actively keeping up with the security issues.) In my mind Apple does not do enough vulnerability testing and is hit and miss on their acceptance of feedback from outside Apple. Still I think they don't get a fair shake when it comes to security because most of their vocal critics aren't actually knowledgeable about what Apple has done. It is fairly undeniable that Apple has managed to implement security that is good enough to deal with the level of threat their average customer is experiencing.
Yeah, this page listing all of the security patches in every Apple update must surely not exist. You know, complete with links to knowledge base articles containing links to the CVE-IDs patched by that particular patch.
I prefer proactive security rather than reactive.
So you're happy with Apple having implemented MAC in Leopard and proactively sandboxed their most vulnerable default services adding an extra layer of protection. (Hopefully they extend their sandboxing to include both the JVM and some applications like Safari in Snow Leopard.) Of course you were presenting a false dichotomy, since you need to be both proactive and reactive to have a working security policy.
Here at Slashdot, we synergize a Total Quality Format paradigm of humor.
This latest story only reinforces the generalization that Scripting Is Dangerous.
Java, not Javascript. You have no idea what you are talking about whatsoever, and neither do the moderators who modded you up.
But NoScript will block a Java applet embedded in a web page, and thus protects an Apple user who would otherwise be vulnerable. I think that's what the poster was referring to.
If you don't believe me, check out the site I linked earlier
Oh, I have no trouble believing you, I was just asking a serious question. Whoever decided my post was a troll was obviously unaware that I am not anti-Apple, but then who cares?
What makes me laugh is that the Mac fanbois are so determined to never hear a bad word about their chosen God^H^H^HOperating System, that they immediately turn the whole discussion thread on its head and say "well MS invented ActiveX, and it's the suckzorz".
Would you mind linking to that post I must have missed it maybe because it doesn't exist or has been modded down so far.
However, one of JAVA's great selling points was "it's secure because it runs in a sandbox". And over the years we've discovered the sandbox has not one, but several big fucking holes in the bottom.
JVMs have never been well implemented to actually provide the security features originally conceived. Security never became a priority largely because Java has never been a very big hole compared to all the others in modern OS's.
And now, because every other vendor has patched, and OSX is waiting presumably to fleece their users for another $150 with the next version before patching...
Please learn what you're talking about. Apple has a very good record of backporting security fixes for free. When they get around to fixing this hole I'm sure they will include it in a security update for the last three or four versions of OS X, like they always do, regardless of if you pay for Leopard.
And of course "we don't need antiviruses, because we run Macs".
If you've found in the wild propagating viruses for the Mac that would make antivirus software useful, please post it. It's a much bigger story than this one.
(Expecting to get modded into oblivion with this one, but what the hell, my karma can handle it).
Rightfully, you will be modded down for posting inflammatory nonsense like this. Seriously, there is plenty of space for valid criticism of Apple here. Why do ignorant twats like yourself have to go off with your uninformed rants and strawman attacks? It's just sad you have to make crap up instead of sticking to the facts and providing a rational and well deserved criticism of Apple's failure to fully patch and publish clear documentation on their lackluster Java support and lack of attention to security on the project.
That's an interesting possibility, you should get modded up. :-) I was wondering myself why Snow Leo is slated to have significant security improvements yet Apple is mum about them, while they are willing to prominently display other non-security-oriented architectural improvements coming in 10.6
I don't have a beta copy, but from the videos others have posted there are certainly security improvements. For example, the application level firewall now has the option to apply some level of restrictions, by default to applications that are not signed using their signing framework. Apple hasn't been talking much about most of their improvements in OS X, instead just going over major architecture upgrades. I don't expect a lot in snow leopard in the way of features we haven't already heard about, but security features are just the kind of stuff Apple doesn't publicize to the general public. Heck, Apple implemented and applied (in a limited fashion) a mandatory access control scheme in Leopard which is a huge deal, but basically no one outside the security community even knows it exists.
NoScript has nothing to do with Java. You're thinking Javascript.
The rest of your post has pretty much been dealt with, except I'd like to say that while compositing CAN be pretty, there are some effects that really seem to pander to the "12 year old boy (read: 40 year old gamer in mom's basement) that likes fire and explosions" crowd. Properly configured, compositing is nice, but it can be really glitchy and really hideous when done wrong.
That of course 1) assumes someone actually writes a virus targeting the Mac platform, 2) you are somehow redirected to a site that hosts the vulnerability, or launch an attachment that is a java applet itself that contains malicious code, 3) the virus doesn't violate other UNIX security rules that would stop it from running on the Mac platform, and 4) that there's actually data stored on your mac in unencrypted form in a directory the virus can get to to steal information from you, or some way the Java app can infect your machine with other code that can steal your input and passwords.
If all 4 are not true (and they're not yet), then Apple users are currently safe. Apple engineers do not rush "emergency" patches out for vulnerabilities when no ITW code has yet been discovered. They'll also assess what a virus could actually be capable of, and determine the complexity of code required to pull off a hack on their platform, and they'll assign a priority to the code work.
This, I'd gather, is a low priority risk for Mac as I've not actually heard, other than the proof of concept, of an ITW virus for ANY platform exploiting this vuln, let alone a targeted Mac virus. They'll release a patch, but 6 months in, and with everyone else already having it patched, Apple is likely just waiting to apply it with other patches. Kind of surprised it was not in the 10.5.7 patch recently... must be really low priority. This isn't exactly something they need to invent a fix for...
There is no contest in life for which the unprepared have the advantage.
But the Mac guy on the TV ads told me only PC's ever have security flaws!
Repair centers aren't for fixing viruses, and nobody from Apple ever claimed there was no such thing as hardware failure.
Whether it's because there aren't many macs out there or not, the fact of the matter is that 99% of mac users won't be infected by a virus, trojan, or spyware during normal use, and until that landscape changes (whether macs are actually more secure or not), the average user has to deal with a lot less of the "security" issues that plague windows users.
Good for you, that you don't have any issues. Hundreds of thousands of other users do, hundreds of thousands of users pay for antivirus, and hundreds of thousands of users have a PC that crawls on even the most basic tasks because it's so bogged down with viruses, trojans, and spyware. Whether Mac is technically more secure or not, mac users don't have this problem, and I think Apple is justified in touting that as a strength as long as it remains true.
The problem is that Java had security issues, but they were not ones that were focused on by malware writers until recently. There were other exploits that were easier to find and use to add more members to a botnet. However, this has changed with Vista and Windows 7. Vista has a lot of under the hood security features (ASLR is just one), and because the attack surface of an average Windows machine is getting smaller, the black hats are moving outwards from the OS to Web based plugins which can get their software running at least with user access, perhaps as Administrator or LocalSystem if someone has XP, or has UAC disabled.
Essentially what JVMs need is a second layer of protection, where anything that escapes doesn't get the access of the user it's running under. This means (to use a random analogy) not just lining the sandbox with thick metal plating so stuff doesn't escape, but having a camera watching what things are doing in the sandbox to catch exploits proactively. The best way to do this is to take a hypervisor-like approach to JVMs. This means isolating the process that runs the Java machine in a low privilege mode if on Windows, like how IE is done on Vista and newer, or an OS-created jail on BSD variants, so if the worst does happen and a process does escape the sandbox, the damage it can do will be very limited. However, the more isolation, the less performance, and Java got a bad rep for poor performance initially, although this was mitigated by JIT environments and other improvements.
Of course, this won't help things if a signed java application (as opposed to an applet) is malicious, but installing a Java application that is intended not to be in a sandbox falls under the umbrella of watching where one gets executables from, and making sure signatures (either the Java signed files, or PGP/gpg sigs) are valid.
I guess some lobby at Apple OS division is partying because of people turning off java in browsers or trying to remove it from OS X (which I suggest to switchers: don't. Impossible to restore).
Isn't it the reason we don't have Java 6 for PPC (32bit doesn't matter on PPC_64), or that Java developers use OS X as an "If it works here, it will work anywhere" platform? Apple's treatment of Java and especially PPC really tells me a lot about how seriously to take them in workstation scenarios.
BTW, if one can trick the system into thinking JAVA_HOME is some place else (which should be /dev/null ?) with some script, the entire Java (including) will be disabled/broken naturally. I mean, just a guess. I can't find it in BASH btw; when you type "set" and press enter, nothing resembling Java appears. Another .plist to hack with plutil ?
A company which makes it impossible (don't ask me, ask Sun) to code/ship an OS X replacement of it with full support for their GUI framework (Quartz) declines to fix a public flaw in a framework.
Read the story as is, minus Java, or replace Java with PERL. It will be easier to figure out who is at fault and who to flame if you really want to.
I am almost sure that the idiot or team of idiots who declines to ship Java 6 to PPC or ignores a major security flaw is really happy when you flame Java instead of them. About the impossibility of coding/packaging an OS X native, multi-CPU Java? Not so sure about it, but it seems to be the case. Or... Sun is happy that their framework and the users of their framework are conspired against by Apple, and they enjoy putting up competition to their born-dead fantasies like Java FX instead? It seems the second is true, since I don't think MS really shared Windows internals with them to code one of the best performing/compatible JREs on Windows.
Sun, clean up this mess. Or Oracle: fire the geniuses relying on Apple to fix Java. Whatever...
Using JVM for corporate practices is so lame? Java is _really_ multiplatform if coded right. Even huge desktop apps like Vuze having dozens of functions can run unmodified on any platform/cpu which has nothing to do with each other.
If you hate the use of binary/virtual code in Web apps, your target should be one slow-moving organisation, infested by large corps and ideological fanatics, which doesn't give them the standards they need. Did they sit with a large corporation one day, e.g. IBM, and ask them "Why do you use IE 6/ActiveX/JVM for this?" pointing to some terminal? Did they listen to their answer and implement the functionality needed by such large corporations?
For example, we flame CmdrTaco and /. coders for not following their standards and having an amazing count of W3C errors, but we never ask them or investigate why they have to break standards. Could it be because standards don't practically give the functionality that they AND advertisers need?
Or... their current work is finding a way to replace embedded Flash for videos, which has (sadly) become a de-facto, impossible-to-replace standard until they thought about it. They somehow gained the support of a true mobile giant, Nokia, but went into a huge fight with them over some codec/political issue. Now there is another issue with Apple, who is way too paranoid about their stuff being stolen by another company (MSFT), and without speaking to them, they wrote an open letter or something. That is the one thing you shouldn't do to Apple. As a result, what do people actually packaging/encoding videos do? Well, I got an h264 pro encoder and pro Flash packager in my shopping list.
Does the tickbox next to "forbid Java (TM)" on the plugins tab in noscript not do anything then?
Mac OS X Users Vulnerable To Major Lava Flow
What the hell does operating system choice have to do with vulnerability to very high temperatures?
I tried apt-get remove volcano, but there was no such package. It appears I'm screwed too :(
Realized after posting noscript was a little more extensive than I had originally thought. I personally don't use it because it's a real hassle building up my whitelist when I have to wipe my firefox profile.
Reading between Apple's lines here: many of the new features are really developer-facing instead of end-user facing. Of particular note is the category of changes referred to on Apple's Snow Leopard page called "Grand Central" -- focused on driving hard on OS X's support for multi-core software, as well as developer support for multi-core apps. See also the blurb on OpenCL support.
It's an interesting and strategic move to spend resources enabling developers to rapidly produce high-performance applications. Snow Leopard is thus a long-term investment in Apple's OS platform.
Funny, I thought timely and accurate patches to the bits of software they want to control and distribute. It is nice that third-parties want to help, and distribute packages built for Java, but hey Apple - I thought I was paying you guys already to do this? How's about getting one of the twenty developers off the 'evil DRMs' project, and onto the seemingly understaffed 'basic patches' project?
*A*
Since you know so much about Apple security announcements can you tell us whether Apple have even acknowledged that this Java vulnerability even exists?
In the free world the media isn't government run; the government is media run.
I've gotten very comfortable with the total lack of malware affecting my Mac, but I am not under the illusion that this will last forever (in fact, I recall cleaning a WDEF infection out of System 6 many moons ago). For this reason, I run Firefox with NoScript and Adblock; and my user account is not admin enabled.
Neither of these really cripples the system's usability; blocked content is only ever a few clicks away, and I find I don't miss wasting all the bandwidth. My account privileges chiefly mean that I don't have write access to /Applications, but since 10.4 or thereabouts I am prompted to enter the admin user/pass.
Secure computing and browsing is possible on a Mac, even given Apple's lackadaisical approach to updates, thanks to free software like NoScript. If anything, this is the message here.
The problem: Leopard already *has* some big improvements under the hood like address space randomization. Despite their "geeky" nature these features were promoted rather heavily. But for some strange reason we haven't seen any widespread adoption. IIRC even Safari doesn't use any of those advanced security features. And we're at 10.5.7 now.
Perhaps Apple doesn't want to make that mistake again.
-- "As a human being I claim the right to be widely inconsistent", John Peel
Look, if I have to read another stupid article claiming that there's a security hole if I happen to be running a specific version of some software, while standing on my head, chewing gum, and reciting the ten commandments I'm just going to go insane. Like there's some black hat spy out there waiting for me to run a java app so he can break into my mac and take it over. Seriously, computer security is a waste of time, unless *you actually have data somebody wants and is willing to commit a federal crime to get*. My guess is that's about 2% of the slashdot community. Mac owners, don't panic. Your essays, pictures of your dog, and your cracked version of CS4 are all safe from the terrorists no matter how many security flaws there are in Java.