Slashdot Mirror
Apple Finally Patches Java Vulnerability
macs4all writes "Apple has finally addressed the Java vulnerability that nearly everyone else patched months ago. Available now for OS X 10.4 and 10.5, and through Apple's Software Update service, this update patches a flaw in the Java Virtual Machine that could potentially allow a malicious Java applet to execute arbitrary code on the machine. Apple had previously advised users to turn off Java temporarily in their Web browsers."
...and this means that we can expect Vic20_love to come along any moment now and complain that his OS X 10.1 machine from 19-dickity-6 doesn't have a patch out yet, so Apple sucks.
Apple sucks for different reasons:
Apple PREVENTS Sun (by contract) from releasing java patches. Mac users get their java patches whenever Apple feels like it and gets a round to it.
Well, maybe.
First off, pretty much every time we get one of these "OMG!" stories on slashdot about a security flaw going unfixed, we find out that it's not nearly as bad as suggested by the slashdot summary. In this case, the description linked to from the slashdot article says: "The Java plug-in does not block applets from launching file:// URLs. Visiting a website containing a maliciously crafted Java applet may allow a remote attacker to launch local files, which may lead to arbitrary code execution." So that's quite a bit less scary than the slashdot summary makes it sound. If I'm understanding correctly, it apparently doesn't let the attacker launch any code the attacker choses. It only lets the attacker launch code that's already present on the user's filesystem. And doesn't the java sandbox model prevent java applets from writing to the filesystem? So the attacker really may have very little opportunity to execute arbitrary code of the attacker's choosing.
Second: the slashdot summary says, "Apple had previously advised users to turn off Java temporarily in their Web browsers." Wow, that sounds really awful. It makes it sound like a really serious problem. But wait, the apple page doesn't say this. According to the tidbits.com article, Rich Mogull is the one who says the fix is to disable applets. The link to Rich Mogull's advice is a link within tidbits.com.
Find free books.
I'm not trying to grief, and it is certainly consistent with reality, but is this documented anywhere?
Sure. Only Apple can release java for mac. Something about look & feel and/or quality assurance.
http://blog.cr0.org/2009/05/write-once-own-everyone.html
http://java.dzone.com/news/critical-mac-osx-java
Look at the "java downloads for all operating systems" webpage:
http://www.java.com/en/download/manual.jsp
Notice that you can't download java for mac from Sun?
They've been apple's problem since they took over porting java to the mac, and prevent sun from writing their own java for mac.
The update fails to install on some machines, mine included.
Use your favourite search engine (Bing me no Bings) to find references to:
Rich And Stupid is not so bad as Working For Rich And Stupid.
Apple is now at the point where Microsoft was in 1998.
In 1998, there were tens of thousands of Windows viruses (I remember reading a number like over 40,000, but I can't find a source), while at the same time, MacOS 8 had 7 or so, all of which were protected from freely by the anti-virus program Disinfectant. While I can't find a direct source for my Windows numbers, here's an article that makes it look like 1998 was not a very good year for Windows viruses. Even if my memories are off by an order of magnitude or two, it still wasn't a good time for Windows and viruses.
Are you honestly saying that Apple is at that point right now? We have yet to see an actual MacOS X virus in the wild, and there have been how many Trojans in the wild so far? 4?
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
It's a Mach-based kernel in a BSD-like environment.
If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
OS X, like windows, or linux, is not immune to someone choosing to install malware, whether it is on grounds of greed, social engineering, or otherwise. So don't pretend that it isn't. i.e : http://www.chotocheeta.com/2009/01/23/apple-os-x-gets-a-virus-attack-p2p-distributed-iwork-09-comes-with-osxtrojaniservicesa-trojan-horse/
...Its not like Sun needs Apple in order to produce Java for the Mac.
Sun did a JVM for the Classic Mac OS, and by all accounts it sucked. As in, it was barely usable. This is why Apple (contractually) locked Sun out of delivering Java on OS X. At the time, Apple was bullish on Java, and invested some considerable resources making OS X's JVM integrated into the rest of the OS.
Unfortunately, Apple no longer gives a shit about Java, and it shows. But Sun is still locked out, as far as I know.
Or is this like the graphics drivers where only Apple has access to the "secret bits" necessary for a JVM to do all the things that the current Mac JVM does?
How hard would it be to just port OpenJDK/IceTea/whatever to Mac and be done with it?
There already is. It's the only way to get Java 6 on PowerPC and 32-bit Intel Macs, or on 10.4.x
Unfortunately, it relies on X11 for its GUI, which is generally a big non-starter on the Mac. Also, I don't believe it's possible to use it as the JVM for Java applets in a browser, probably for the same reason.
While WebObjects CAN use Java, it can also use Objective-C, and is several times faster when using Objective-C.
Needless to say, the iTunes Music Store uses Objective-C and NOT Java.
The easiest way to verify this is to note that Java support came to WebObjects well after the iTunes music store was implemented.
Java on Mac OS X has been deprecated in favor of Python and other more useful languages. Xcode still supports it (barely) but the writing's on the wall: move to Objective C or Python, Java is dead.
So don't pretend that it isn't.
Ummm... Don't put words in my mouth?
I am fully aware that no OS is immune to stupid users. If a user is dumb enough to type in his or her OS's equivalent to "sudo rm -rf /" then they deserve what they get. This is not the point I am trying to make.
You seem to be continuing to ignore my point. The point is, in 1998, Microsoft had numerous malware problems, especially with viruses and worms (which would infect and spread with little or no user interaction). There were literally thousands of viruses, worms, and trojans for Windows (and, for a point of comparison, that is opposed to Apple's 7 or so). The post I replied to said that Apple is *now* where Microsoft was in 1998.
So, please address the original point. If this statement is true, then where are the thousands of viruses, worms, and trojans for OS X? Because to date, there have been ZERO OS X viruses and worms in the wild (and only a couple of concept ones in the lab), and only a handful of trojans (the ones I can think of off the top of my head are the pirated iWork trojan and the fake video codec trojan).
Therefore, Apple right *now* is NOT like Microsoft in 1998. Q.E.D.
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
What a load of bull.
Mac OS software takes special pride in its taste and aesthetics - something Java can never achieve.
And now as more users and developers focus on notebooks, resource hungry Java applications are again bad fit. Spinning cycles for nothing is forgivable on desktops and servers - not on notebooks.
The simple truth is that for Apple, Java was always and is a secondary/tertiary technology. What I heard from Linux's Java porters in past, Sun JDK/JRE is a total mess, demanding loads of time for any sort of trivial maintenance task. As Apple uses Sun's JDK/JRE, I guess they are in the same boat as Linux (in times of blackdown.org) was before.
All hope abandon ye who enter here.