Apple Finally Patches Java Vulnerability

← Back to Stories (view on slashdot.org)

Apple Finally Patches Java Vulnerability

Posted by kdawson on Monday June 15, 2009 @12:23PM from the gentlemen-restart-your-sandboxes dept.

macs4all writes "Apple has finally addressed the Java vulnerability that nearly everyone else patched months ago. Available now for OS X 10.4 and 10.5, and through Apple's Software Update service, this update patches a flaw in the Java Virtual Machine that could potentially allow a malicious Java applet to execute arbitrary code on the machine. Apple had previously advised users to turn off Java temporarily in their Web browsers."

125 of 177 comments (clear)

SAD :( by Anonymous Coward · 2009-06-15 12:27 · Score: 4, Insightful

It is truly sad that Apple still just don't "Get" security. Makes me a sad panda to think it is going to take some sort of devastating worm or virus for them to finally wake up and smell the shit they are pumping out.
1. Re:SAD :( by QuantumG · 2009-06-15 12:40 · Score: 3, Funny
  
  Yes, they believe their own press.
  
  --
  How we know is more important than what we know.
2. Re:SAD :( by QuantumG · 2009-06-15 13:32 · Score: 3, Funny
  
  Joke 1: That, and some non-Apple/Adobe applications eh?
  Joke 2: Yeah, so are the Amiga users.
  
  --
  How we know is more important than what we know.
3. Re:SAD :( by TinBromide · 2009-06-15 13:41 · Score: 3, Insightful
  
  I get the funniest looks when I say that Apple has had the benefit of security via obscurity and when it comes to security measures, Apple is now at the point where Microsoft was in 1998. Yes, mod me troll, but as you do so, you know that Apple hasn't had the same trial by fire that Microsoft has. If you look at the yearly exploit conferences, OS X doesn't fare much better than Windows, and that's only because apple has the benefit of running a bsd based kernel. Picking a more secure solution from the get-go doesn't mean that they can maintain and do the required preventative patching measures.
  
  --
  Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
4. Re:SAD :( by phantomfive · 2009-06-15 13:49 · Score: 1
  
  Except the Amiga users already got it. It was just too easy/tempting to write viruses for the Amiga, and there were tons of them.
  
  --
  Qxe4
5. Re:SAD :( by interactive_civilian · 2009-06-15 14:20 · Score: 4, Informative
  
  Apple is now at the point where Microsoft was in 1998.
  
  In 1998, there were tens of thousands of Windows viruses (I remember reading a number like over 40,000, but I can't find a source), while at the same time, MacOS 8 had 7 or so, all of which were protected from freely by the anti-virus program Disinfectant. While I can't find a direct source for my Windows numbers, here's an article that makes it look like 1998 was not a very good year for Windows viruses. Even if my memories are off by an order of magnitude or two, it still wasn't a good time for Windows and viruses.
  Are you honestly saying that Apple is at that point right now? We have yet to see an actual MacOS X virus in the wild, and there have been how many Trojans in the wild so far? 4?
  
  --
  "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
6. Re:SAD :( by zonky · 2009-06-15 14:23 · Score: 1
  
  You just can't 'protect' against "viruses" (malware is probably a better definition) with a signature based anti-malware app that is post-updated when viruses are discovered.
  That is no protection at all.
7. Re:SAD :( by Ash-Fox · 2009-06-15 14:30 · Score: 1
  
  Except the Amiga users already got it. It was just too easy/tempting to write viruses for the Amiga, and there were tons of them.
  As did Apples back then.
  I haven't seen any viruses for AmigaOS3.9 or 4.0 yet.
  
  --
  Change is certain; progress is not obligatory.
8. Re:SAD :( by pauljlucas · 2009-06-15 14:35 · Score: 3, Informative
  
  ... [A]pple has the benefit of running a bsd based kernel.
  
  It's a Mach-based kernel in a BSD-like environment.
  
  --
  If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
9. Re:SAD :( by AHuxley · 2009-06-15 14:36 · Score: 1
  
  Still working on it, as a 'enter password for codec, plug, application installer" under OS X.
  Click a web link to own or download and own seems a while away in the wild?
  I would think the feds and smart hackers have all the Mac OS X tools needed.
  Mess with them and its like Windows, point and click.
  The low end of the script kid, hacker spectrum are only warming up it seems.
  
  --
  Domestic spying is now "Benign Information Gathering"
10. Re:SAD :( by interactive_civilian · 2009-06-15 14:45 · Score: 1
  
  That is no protection at all.
  Well, that explains every Mac virus, trojan, adware, and any other malware you can think of I have ever been infected by in the 20 years I have been using Macintosh computer. All ZERO of them. And the last anti-virus or any other anti-malware software I used was Disinfectant, which was discontinued in May 1998. I've never even had to clean infected files off of a disk (versus the Windows side where my system has been infected once, disks and external drives have had to be cleaned many times from coming in contact with other people's machines, and I've earned a lot of free beer and dinners for cleaning up other people's infected computers).
  Aside from that, how does your response relate at all to reply to the GGPP who was saying that Apple now is like Microsoft in 1998? Where are the thousands of pieces of malware for MacOS X now to rival the thousands that were around for Windows in 1998?
  
  --
  "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
11. Re:SAD :( by zonky · 2009-06-15 15:03 · Score: 2, Informative
  
  OS X, like windows, or linux, is not immune to someone choosing to install malware, whether it is on grounds of greed, social engineering, or otherwise. So don't pretend that it isn't. i.e : http://www.chotocheeta.com/2009/01/23/apple-os-x-gets-a-virus-attack-p2p-distributed-iwork-09-comes-with-osxtrojaniservicesa-trojan-horse/
12. Re:SAD :( by Anonymous Coward · 2009-06-15 15:11 · Score: 1, Interesting
  
  Simply being the target for virus writers doesn't mean what you think it does. If you're going to write a virus that will hit 94% (microsoft marketshare back then) of systems, or 4% of systems (mac market share), which will you pick?
  
  Microsoft has a similar numbers game and is used more often for high value uses. Who wants to write a virus that will steal video clips or artwork? Who wants to write a virus that will steal ssn's en masse?
  
  How many macs handle SSN's en masse? Its a return on investment. Until businesses start doing heavy lifting with macs, they won't be a target. That being said, let me quote myself:
  
  If you look at the yearly exploit conferences, OS X doesn't fare much better than Windows
  Number of viruses is not caused primarily by insecurity. Its a correlation relationship, not a causation one. There are quite a few linux malware programs, but you don't hear people arguing that mac os x is more or less secure than linux. Its because linux presents a juicier target (always on servers that handle database heavy lifting.)
13. Re:SAD :( by TinBromide · 2009-06-15 15:12 · Score: 1
  
  For the record, I have no clue why that was posted as AC.
  
  --
  Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
14. Re:SAD :( by MtViewGuy · 2009-06-15 15:28 · Score: 1
  
  With the increasing use of Macs (Mac Minis, iMacs, Mac Pros and the MacBook series of notebooks) to connect to the Internet, the ignorance of Mac users to a potential major malware attack is something that Apple needs to address soon, because many Mac users think that they don't need malware protection. One major malware attack directed specifically against Macs will finally convince Mac users to address this issue very quickly, that's to be sure.
  Windows since Windows XP Service Pack 2 forces you to practice safe computing because the OS gives you warning about at least installing an antivirus program and firewall programs. As such, today's machines running Windows XP and Windows Vista mandates you have Windows Update at least in Notify mode and users have a full Internet security suite (or its free equivalents) installed. My current home computer (an HP Pavilion a6400f running Windows Vista Home Premium Edition)--because of these security mandates from the operating system itself--has Windows Update already patched to the latest security level (including Service Pack 2) and runs Norton Internet Security 2008; as a result, I don't see any issues with malware affecting my system. :-)
15. Re:SAD :( by Anonymous Coward · 2009-06-15 17:10 · Score: 2, Insightful
  Apple has a special interest in being slow about Java. If Java "works beautifully and unproblematically" on the Mac, then that eats into the Cocoa market by a slippery slope of argument:
  
  "Why develop in Cocoa when Java works beautifully on Macs but can also run on other platforms too?"
  "Hey now we've got this wonderful Java thing that runs on Windows and Mac"
  "Hang on, there are 5 to 10 times as many Windows users so we should target the bigger market"
  "Hmm, looks like we're now treating Mac as a second-tier platform; oh well"
  The easiest way to stop developers from sliding down slippery argument is to ensure step 1 does not hold.
16. Re:SAD :( by interactive_civilian · 2009-06-15 17:14 · Score: 2, Informative
  
  So don't pretend that it isn't.
  Ummm... Don't put words in my mouth?
  I am fully aware that no OS is immune to stupid users. If a user is dumb enough to type in his or her OS's equivalent to "sudo rm -rf /" then they deserve what they get. This is not the point I am trying to make.
  You seem to be continuing to ignore my point. The point is, in 1998, Microsoft had numerous malware problems, especially with viruses and worms (which would infect and spread with little or no user interaction). There were literally thousands of viruses, worms, and trojans for Windows (and, for a point of comparison, that is opposed to Apple's 7 or so). The post I replied to said that Apple is *now* where Microsoft was in 1998.
  So, please address the original point. If this statement is true, then where are the thousands of viruses, worms, and trojans for OS X? Because to date, there have been ZERO OS X viruses and worms in the wild (and only a couple of concept ones in the lab), and only a handful of trojans (the ones I can think of off the top of my head are the pirated iWork trojan and the fake video codec trojan).
  Therefore, Apple right *now* is NOT like Microsoft in 1998. Q.E.D.
  
  --
  "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
17. Re:SAD :( by MidnightBrewer · 2009-06-15 18:09 · Score: 1
  
  So the only reason that they're managing to stay secure is because they picked an inherently more secure operating system? Not to mention that they're actively patching a system which has to date never had a virus? Yeah, Apple really is dropping the ball on this one.
  I will, however, agree that it would be nice if Apple would be more timely; it's not like they don't have enough money to hire new programmers if the current bunch is spread around too thin. Telling people to just turn Java off for a few months is a bit lame.
  
  --
  "Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life
18. Re:SAD :( by Lars+T. · 2009-06-15 19:04 · Score: 1
  
  Fuck, you are crazy. In 1998, no wait, make that 2003, Windows was like swiss cheese, and Blaster made the Internet almost unbearable not only for Windows users. And you say "Apple is now at the point where Microsoft was in 1998"? I proclaim you Fanboi Numero Uno.
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
19. Re:SAD :( by Lars+T. · 2009-06-15 19:11 · Score: 1
  
  So why did people write viruses for Windows 64 (and exclusive to Windows 64) when it was still in Beta? For both variants each, IA64 and x86-64, mind you. At a time when the machines able to run those betas counted a few thousands? Marketshare my ass.
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
20. Re:SAD :( by Anonymous Coward · 2009-06-15 19:30 · Score: 1, Interesting
  
  Dear Steve,
  Let Sun handle the porting.
  Let Sun handle the porting.
  Let Sun handle the porting.
  Let Sun handle the porting.
  Let Sun handle the porting.
  Love,
  Disgruntled Mac Java Users/Devs
21. Re:SAD :( by hvm2hvm · 2009-06-15 19:33 · Score: 1
  
  And wait for the Macs to have the major market share or what? :P If you make a successful trojan, you'll probably try to get something out of it and at some point people will find out about it.
  
  --
  ics
22. Re:SAD :( by pjt33 · 2009-06-15 22:26 · Score: 3, Insightful
  
  The post I replied to said that Apple is *now* where Microsoft was in 1998.
  In fairness, the post you replied to said that
  
  when it comes to security measures, Apple is now at the point where Microsoft was in 1998
  not, "when it comes to number of worms, viruses and trojans, ...".
23. Re:SAD :( by ThePhilips · 2009-06-15 22:40 · Score: 2, Informative
  
  What a load of bull.
  Mac OS software takes special pride in its taste and aesthetics - something Java can never achieve.
  And now as more users and developers focus on notebooks, resource hungry Java applications are again bad fit. Spinning cycles for nothing is forgivable on desktops and servers - not on notebooks.
  The simple truth is that for Apple, Java was always and is a secondary/tertiary technology. What I heard from Linux's Java porters in past, Sun JDK/JRE is a total mess, demanding loads of time for any sort of trivial maintenance task. As Apple uses Sun's JDK/JRE, I guess they are in the same boat as Linux (in times of blackdown.org) was before.
  
  --
  All hope abandon ye who enter here.
24. Re:SAD :( by gcerullo · 2009-06-16 00:20 · Score: 1
  
  ...when it comes to security measures, Apple is now at the point where Microsoft was in 1998.
  You guys modded this insightful. I think he was going for funny. Microsoft didn't catch up to the security of the Mac OS until Vista. Up to that point, all you had to do was turn on a Windows box and connect it to the Internet and wait to get owned. Some point out that the turning point for Microsoft was SP2 for XP but all that did was turn the firewall on by default. It did not address the inherent insecurity of the operating system. So no, Apple was never and never will be as bad as Microsoft was when it comes to security.
25. Re:SAD :( by dave420 · 2009-06-16 00:30 · Score: 1
  
  It isn't the number of viruses/trojans that defines how bad the situation is, but how potent each is, and how easy it is to disinfect. Getting caught up in numbers only serves to miss the actual issue entirely - safety. One virus that gives instant root access, which a manufacturer makes difficult to fix, is far more devastating than (say) 40,000 viruses that show pop-ups, especially if the manufacturer isn't getting in the way to fix.
26. Re:SAD :( by mtremsal · 2009-06-16 00:40 · Score: 1
  
  "Mode me troll" or "bye, karma" seem to be the ultimate way to have mods react in the opposite manner ("poor guy thinks I'm too stupid to see how Insightful his post is"). ... Corallary being that this very post would be modded troll ... if I hadn't pointed it out ?
  *head explodes*
27. Re:SAD :( by ThePhilips · 2009-06-16 00:40 · Score: 1
  
  My understanding that Sun actually themselves refused to do porting to any platform except Solaris (mainly deployment) and Windows (mainly development).
  I see more Linux servers running Java, yet Sun also refused to port Java to Linux themselves. Worse: it didn't even allow *BSD people to do their own port.
  As Java porting goes, Sun many times had proven themselves to be a bunch of a**h*les.
  
  --
  All hope abandon ye who enter here.
28. Re:SAD :( by dfghjk · 2009-06-16 01:06 · Score: 2, Insightful
  
  "Mac OS software takes special pride in its taste and aesthetics - something Java can never achieve."
  Nonsense, it just hasn't achieved it to date.
  "And now as more users and developers focus on notebooks, resource hungry Java applications are again bad fit."
  Tell that to Android.
  "Spinning cycles for nothing is forgivable on desktops and servers - not on notebooks."
  I think you got that backwards, fanboy.
29. Re:SAD :( by elrous0 · 2009-06-16 01:11 · Score: 1
  
  On Apple's, malware just works.
  
  --
  SJW: Someone who has run out of real oppression, and has to fake it.
30. Re:SAD :( by ThePhilips · 2009-06-16 02:09 · Score: 1
  
  "Mac OS software takes special pride in its taste and aesthetics - something Java can never achieve."
  Nonsense, it just hasn't achieved it to date.
  "To date"??? I was working with Java 1.0.x - and there were lots of promises made by Sun. None of which came to fruition. AWT was awful. Swing was a major fluke, only to be forgotten few point releases later. Yeah, they have very cool internal API, but no, they do not allow to develop nice looking and fast UI.
  Apple had in fact made Java libraries to allow to access Cocoa, but very few applications are using them. (None known to me actually.) Several applications use Java libraries in background, but for that purpose start Java in background: native UI is nice and snappy, but most of the actual work is done by background process.
  
  "And now as more users and developers focus on notebooks, resource hungry Java applications are again bad fit."
  Tell that to Android.
  Android doesn't do Java per se. Those are special Google libraries for development of "managed code". IOW, Android is hardly Java compatible, what was actually already criticized by Sun and its followers.
  
  "Spinning cycles for nothing is forgivable on desktops and servers - not on notebooks."
  I think you got that backwards, fanboy.
  I might well be a fanboi, but it seems that you read too much news (green servers, etc) but have too little of real life: anybody who uses regularly notebooks would always avoid anything that eats into battery life. I know I do.
  
  --
  All hope abandon ye who enter here.
31. Re:SAD :( by intheshelter · 2009-06-16 02:53 · Score: 1
  
  You might want to check your numbers. The OS market share percentages are off the mark.
32. Re:SAD :( by intheshelter · 2009-06-16 03:03 · Score: 1
  
  "Number of viruses is not caused primarily by insecurity. Its a correlation relationship, not a causation one. "
  Not to rock your boat too much today, but do you have any evidence to back this up or is this just a wishful thinking exercise to justify your position? It seems like all I hear are high minded philosophies, but the Mac users appear to be the only ones with real numbers backing them up. Zero viruses in the wild.
33. Re:SAD :( by interactive_civilian · 2009-06-16 07:17 · Score: 1
  
  In fairness, the post you replied to said that
  Fair enough. However, to that point, I can only ask this: If Apple is in the same level of security and security vulnerabilities now as Microsoft was in 1998, then where are the exploits in the wild? So far, we have only seen a few trojans in the wild which dupe the users into typing in their own passwords (something that was notably absent in Win98 and Me...i.e. the need to dupe the user into typing in a password to exploit the system) to install the Trojan. What we did see in Windows in 1998 (and beyond) were viruses that would self-propagate through weaknesses in the email clients, worms that would exploit open services, and trojans that would dupe the users.
  If Apple is now where Microsoft was, then where are all of those? They simply aren't there. You can count the exploited weaknesses of MacOS X on one hand, while you would need the hands of the entire population of a reasonably sized town to count the exploited weaknesses of Windows in 1998.
  So, again I say that Apple is not now like Windows was in 1998 from a security standpoint.
  Now, is this because of low marketshare? Or lack of available exploits? Or more difficulty in getting users to fall for those exploits? Or something else? I can't say. However, no matter how you paint it, Apple is certainly not in the same position as Microsoft was in 1998, even at least in the level of desire to exploit the system.
  
  --
  "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
34. Re:SAD :( by ThePhilips · 2009-06-16 08:24 · Score: 1
  
  Mac OS software takes special pride in its taste and aesthetics - something Java can never achieve.
  Wrong. JVM's are implemented by the OS manufacturer. Any problem with the "look and feel" of a standard Java component rests squarely at the feet of the JVM implementor. Any problem with the "look and feel" of extra components that do not use the standard library are the fault of the programmer.
  Do not want to even respond to that. What you say is load of stinking bull by incompetent and it simply tells that you never ever actually tried to make some good looking and smooth running UI application.
  Remember, even famous Eclipse doesn't use Java UI - regardless of platform it runs on. One can replace the Java's AWT and Swing with something tapping into native UI of platform it runs on ... not really. Because it will not work. Mac OS X, KDE and Gnome are mostly asynchronous while X Window system and Windows UI are mostly synchronous. That means that it is impossible to make a decent portable Java UI toolkit: different native UIs work completely differently internally, essentially requiring different top-level design of whole application.
  
  The simple truth is that for Apple, Java was always and is a secondary/tertiary technology.
  This is true, and is the root of the problem. Apple has failed to recognize that if they include Java, then (just like any other 3rd party app) they need to address any security issues as well. If they want to keep touting the Mac OS as "virus free" and "secure" then they had better change that attitude, and fast.
  So you accept the fact that there would be more gained by simply removing Java from Mac OS X?
  It'd definitely would save some space on my SSD ;)
  
  And now as more users and developers focus on notebooks, resource hungry Java applications are again bad fit. Spinning cycles for nothing is forgivable on desktops and servers - not on notebooks.
  That is true for any application. Most of the problem is the fault of the programmer, in any language. True, some tend to be more wasteful, but you shouldn't be running intensive tasks in a Java application in the first place, that's not what it was meant for.
  OMG. I "shouldn't be running intensive tasks in a Java applications"?? What should I be using cool-all-around Java then for?... Oh sorry, I for the moment mistook you for Java-fanboi. What makes your murky point even harder to get across.
  
  --
  All hope abandon ye who enter here.
35. Re:SAD :( by Linuxmonger · 2009-06-17 07:33 · Score: 1
  
  You didn't even mention Word97 and it's wonderful macro and vb stuff, nor the CD of tech docs that Micro$oft themselves mailed to their hapless users. It had something like 10,000 documents, almost all of which were trojans.
  Micro$oft has made me a lot of money, their users don't seem to have a problem shelling out bundles of money every few months for a cleanup party.
  Where it has hurt is when you offer to build a mail server for a company for the cost of hardware and setting it up. They know it can't be as simple as a web page for administration, and up-time measured in years. How can a complex thing like a server run more than a month when they get a blue-screen and need to reboot their desktops at least twice a week.
36. Re:SAD :( by rakslice · 2009-06-17 21:13 · Score: 1
  
  Remember, even famous Eclipse doesn't use Java UI - regardless of platform it runs on. One can replace the Java's AWT and Swing with something tapping into native UI of platform it runs on ... not really. Because it will not work. Mac OS X, KDE and Gnome are mostly asynchronous while X Window system and Windows UI are mostly synchronous. That means that it is impossible to make a decent portable Java UI toolkit: different native UIs work completely differently internally, essentially requiring different top-level design of whole application.
  Er... I'm not sure what you mean... It looks like you went on for a paragraph about how it would be impossible to create a Java UI toolkit with native platform hooks, except that you gave an example of an app that uses one in the first sentence.
37. Re:SAD :( by ThePhilips · 2009-06-17 21:43 · Score: 1
  
  Hum?... You must have problems with your eyes if you consider Eclipse's "look and feel" even close to the native UI toolkits. On ANY platform. I have used it both on Linux and Windows, it everywhere it looks differently and (worse) it behaves differently compared to how native UI toolkits behave.
  Eclipse's SWT is precisely example that it is impossible to make portable Java UI toolkit which would integrate 100% with platform it runs on. In essence, SWT is a emulation of Windows GUI for the Java and looks as "native" only on Windows.
  P.S. Needless to mention that native UI toolkits also differ in provided functionality. What is another reason (actually first: but since it is obvious I always forget about it) why portable native UI toolkit is impossible.
  
  --
  All hope abandon ye who enter here.
Old versions. by saintlupus · 2009-06-15 12:32 · Score: 4, Insightful

...and this means that we can expect Vic20_love to come along any moment now and complain that his OS X 10.1 machine from 19-dickity-6 doesn't have a patch out yet, so Apple sucks.
Not that Apple doesn't suck, but you don't really need to troll for reasons.
(Bye, karma, nice knowing you...)
--saint
1. Re:Old versions. by Anonymous Coward · 2009-06-15 12:43 · Score: 5, Informative
  
  ...and this means that we can expect Vic20_love to come along any moment now and complain that his OS X 10.1 machine from 19-dickity-6 doesn't have a patch out yet, so Apple sucks.
  Apple sucks for different reasons:
  Apple PREVENTS Sun (by contract) from releasing java patches. Mac users get their java patches whenever Apple feels like it and gets a round to it.
2. Re:Old versions. by saintlupus · 2009-06-15 12:48 · Score: 5, Funny
  
  Really? You couldn't read the next line in my post? The one where I say that Apple sucks? You sat there, in the basement, veins straining in your forehead, lips moving dumbly, willing your way to the end of that first sentence and just ran out of steam?
  Well, good work on writing a reply, anyway.
  --saint
3. Re:Old versions. by MrLint · 2009-06-15 13:06 · Score: 2
  
  I'm not trying to grief, and it is certainly consistent with reality, but is this documented anywhere?
4. Re:Old versions. by Anonymous Coward · 2009-06-15 13:21 · Score: 4, Informative
  
  I'm not trying to grief, and it is certainly consistent with reality, but is this documented anywhere?
  Sure. Only Apple can release java for mac. Something about look & feel and/or quality assurance.
  http://blog.cr0.org/2009/05/write-once-own-everyone.html
  http://java.dzone.com/news/critical-mac-osx-java
  Look at the "java downloads for all operating systems" webpage:
  http://www.java.com/en/download/manual.jsp
  Notice that you can't download java for mac from Sun?
5. Re:Old versions. by jonwil · 2009-06-15 14:06 · Score: 2, Interesting
  
  Maybe its time for Sun (who DO control Java) to tell Apple to change its ways (and give control of Java on the Mac to Sun so that Sun can fix stuff without having to wait for Apple).
  Its not like Sun needs Apple in order to produce Java for the Mac.
  Or is this like the graphics drivers where only Apple has access to the "secret bits" necessary for a JVM to do all the things that the current Mac JVM does?
  How hard would it be to just port OpenJDK/IceTea/whatever to Mac and be done with it?
6. Re:Old versions. by ThrowAwaySociety · 2009-06-15 16:02 · Score: 5, Informative
  
  ...Its not like Sun needs Apple in order to produce Java for the Mac.
  Sun did a JVM for the Classic Mac OS, and by all accounts it sucked. As in, it was barely usable. This is why Apple (contractually) locked Sun out of delivering Java on OS X. At the time, Apple was bullish on Java, and invested some considerable resources making OS X's JVM integrated into the rest of the OS.
  Unfortunately, Apple no longer gives a shit about Java, and it shows. But Sun is still locked out, as far as I know.
  
  Or is this like the graphics drivers where only Apple has access to the "secret bits" necessary for a JVM to do all the things that the current Mac JVM does?
  How hard would it be to just port OpenJDK/IceTea/whatever to Mac and be done with it?
  There already is. It's the only way to get Java 6 on PowerPC and 32-bit Intel Macs, or on 10.4.x
  Unfortunately, it relies on X11 for its GUI, which is generally a big non-starter on the Mac. Also, I don't believe it's possible to use it as the JVM for Java applets in a browser, probably for the same reason.
7. Re:Old versions. by shentino · 2009-06-15 17:12 · Score: 2, Insightful
  
  Interesting that people who willingly "kiss their karma goodbye" and make statements to that effect are the ones who wind up with the upmods?
8. Re:Old versions. by Draek · 2009-06-15 18:01 · Score: 1
  
  Well, when the fanboys start praising Apple for the "long lifetime" of their products and "vibrant second-hand market", they always neglect to mention you're still stuck in the upgrade treadmill if you want your computer secure.
  So yes, the fact that they don't have a patch for his OSX 10.1 machine *is* a problem and a big reason why I recommend Debian PPC for old Macs instead of crusty versions of OSX. Updates are faster to come, its still supported, and OS upgrades are free.
  
  --
  No problem is insoluble in all conceivable circumstances.
9. Re:Old versions. by jonwil · 2009-06-15 18:42 · Score: 2, Insightful
  
  Ok, so is there any reason why a proper native OpenJDK port (that works in all the browsers and doesn't use X11) wouldnt be possible? Is it just a case of "patches wanted" or are there undocumented/hidden/internal parts of OSX that only Apple can use that are needed for a full JVM?
10. Re:Old versions. by Lars+T. · 2009-06-15 19:21 · Score: 1
  
  So does Apple also prevent Sun from releasing BSD versions for Java? Let alone BeOS, VMX, Amiga...
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
11. Re:Old versions. by hvm2hvm · 2009-06-15 19:41 · Score: 1
  
  The "kiss my karma goodbye" line transforms the post in an anti-troll. Everyone who tries to mod it down gets his/hers karma burned and gives a +inf insightful/informative/funny/totally kickass mod to the OP.
  
  --
  ics
12. Re:Old versions. by ThePhilips · 2009-06-16 01:01 · Score: 1
  
  and put out an OS X java that doesn't suck more dick than barney frank.
  Well, Sun fixed this vulnerability many, many months ago on every other java platform except the Mac, because Apple won't let Sun fix it for the Mac.
  IIRC, Sun doesn't do any porting except few platforms they support themselves: Solaris and Windows. (Now I also see Linux.)
  IOW, depending how f***ed up Java interfaces are and how intrusive the fix is, it might well take some long time for 3rd party (Apple) to implement and release it in their port of JDK/JRE.
  I'd say Apple does its users a great service by even bothering to support Java.
  If you want to piss on somebody - better piss on Sun, who historically refused to port/allow porting of Java to platforms Sun itself wasn't interested in.
  Even more: there are piles of 3rd party software on Mac OS and I do not see why Apple themselves should support the particular 3rd party software.
  
  --
  All hope abandon ye who enter here.
13. Re:Old versions. by ThrowAwaySociety · 2009-06-16 01:01 · Score: 1
  
  Ok, so is there any reason why a proper native OpenJDK port (that works in all the browsers and doesn't use X11) wouldnt be possible? Is it just a case of "patches wanted" or are there undocumented/hidden/internal parts of OSX that only Apple can use that are needed for a full JVM?
  I don't see why there would be any special legal or technical impediments over and above porting any other major codebase to the Mac. But, given the difficulty Apple has had doing the exact same thing with its official releases, it would not be a trivial set of patches. My understanding is that Apple creates an extensive mapping between Java GUI toolkits and its own, and also exposes a subset of OS X native APIs through custom com.apple packages. You could probably skip the latter without too much complaint, but the former would be an undertaking.
  Getting a browser plugin working probably be much easier, since there wouldn't be as much widget toolkit mapping to write.
  This is just my armchair analysis, so I may be wildly off base.
14. Re:Old versions. by Ant+P. · 2009-06-16 06:40 · Score: 1
  
  At the time, Apple was bullish on Java, and invested some considerable resources making OS X's JVM integrated into the rest of the OS.
  Unfortunately, Apple no longer gives a shit about Java, and it shows.
  Now I understand what that "OS X now is where windows was in 1998" comment from earlier meant...
What about PPC Java? by BikeHelmet · 2009-06-15 12:42 · Score: 2, Interesting

Just wondering. PPC Java for OSX is even more out of date than x86 Java.
The latest java on PPC is 1.5, and I'm sure it's out of date too...
1. Re:What about PPC Java? by BikeHelmet · 2009-06-15 18:20 · Score: 1
  
  I was referring to security updates more than anything else. I realize that different vulnerabilities on different platforms equate to different version numbers - but no updates for a long time usually means there are exploits ITW.
2. Re:What about PPC Java? by Cymurgh · 2009-06-15 21:12 · Score: 1
  
  Speaking of which, the update just failed to work on my PPC (G4 Powerbook, running Leopard, so far updated to Java 1.5.0_16). Anyone else have trouble? Any clues?
3. Re:What about PPC Java? by Binkleyz · 2009-06-16 02:02 · Score: 1
  
  Yep.. I tried installing it last night on my (Intel based) Mac Book Pro, along with about 6 other things (an airport update, a new version of Safari, a camera update and a few other, less memorable ones..), and all but the Java update worked fine.. The Java update abended.
Re:Slashdot Bias by Anonymous Coward · 2009-06-15 12:44 · Score: 3, Funny

That's because it does!
Time to chide Apple by MillionthMonkey · 2009-06-15 12:53 · Score: 1, Insightful

Rich also chided Apple for leaving such a major hole unpatched for so long.
Yeah, Apple, a meager market share (not accounting for cost per unit of course) isn't an excuse to leave stuff like this busted. I hereby CHIDE you!
maybe by bcrowell · 2009-06-15 12:59 · Score: 2, Informative

Well, maybe.
First off, pretty much every time we get one of these "OMG!" stories on slashdot about a security flaw going unfixed, we find out that it's not nearly as bad as suggested by the slashdot summary. In this case, the description linked to from the slashdot article says: "The Java plug-in does not block applets from launching file:// URLs. Visiting a website containing a maliciously crafted Java applet may allow a remote attacker to launch local files, which may lead to arbitrary code execution." So that's quite a bit less scary than the slashdot summary makes it sound. If I'm understanding correctly, it apparently doesn't let the attacker launch any code the attacker choses. It only lets the attacker launch code that's already present on the user's filesystem. And doesn't the java sandbox model prevent java applets from writing to the filesystem? So the attacker really may have very little opportunity to execute arbitrary code of the attacker's choosing.
Second: the slashdot summary says, "Apple had previously advised users to turn off Java temporarily in their Web browsers." Wow, that sounds really awful. It makes it sound like a really serious problem. But wait, the apple page doesn't say this. According to the tidbits.com article, Rich Mogull is the one who says the fix is to disable applets. The link to Rich Mogull's advice is a link within tidbits.com.

--
Find free books.
1. Re:maybe by QuantumG · 2009-06-15 13:07 · Score: 4, Informative
  
  Do you work for Apple? Cause if your attitude is in any way related to theirs, I'll skip using their software thanks. "I can run anything on your harddrive" is trivial to leverage to "I can execute anything I want". Even the dumbest hacker can figure it out. Clearly you're dumber.
  
  --
  How we know is more important than what we know.
2. Re:maybe by acidblue · 2009-06-15 13:11 · Score: 1, Interesting
  
  Actually, the vulnerability allowed the applet run any arbitrary process (using the user's privileges). It was/is a scary issue. I am an Apple apologist and a highly paid developer who specializes in Java. So, this vulnerability was a real "salt on the wound" issue for me. I am glad it's fixed. But, I am still very unhappy with Apple's low-rent support for the Java platform.
3. Re:maybe by ctmurray · 2009-06-15 13:22 · Score: 3, Funny
  
  I agree with this post. As a Mac owner I am glad, for whatever reason, viruses are of no concern to me. On my work computer my employer can spend whatever they want to support XP (and it is a great deal of money). But at home I get to relax, and ignore the issue completely.
4. Re:maybe by SpazmodeusG · 2009-06-15 13:43 · Score: 4, Informative
  
  Normally I absolutely agree. Most vulnerabilities are overhyped. Not this one though. Read this article and click the link to a page that runs /usr/bin/say on your unpatched machine.
  http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html
5. Re:maybe by jackspenn · 2009-06-15 15:13 · Score: 5, Interesting
  
  As a Mac owner I am glad, for whatever reason, viruses are of no concern to me.
  
  ...
  
  But at home I get to relax, and ignore the issue completely.
  Until the day you can't. I am sorry, but you make me want to troll the net for the next security issue that is resolved in Linux and/or Windows, but Apple drags their feet on (again). Then I can use it to F with people like you. Your confidence comes from your ignorance.
  
  Here is the sad truth, Both the Linux/BSD communities and Microsoft take security more seriously than Apple.
  
  Apply repeatedly leaves a lot of holes open longer then they should be. I am thinking iTunes may present a nice target vector, but there have been so many in the past and I am sure there will be more in the future.
  
  I can see the HP/MS commercial now during the Superbowl next year:
  
  PC - "Hi, I'm a PC"
  MAC - "and I'm .... full of crap."
  PC - "Oh, MAC. While your designers were working to change your outsides from white to aluminum they didn't have time to patch the latest security threats to your OS."
  MAC - "All my music, all my pictures and all my home movies, gone, the worm even reformated my Time Machine drive and replaced restore points with pointers to an image of a piece of shit and a burning NEXT cube."
  PC - "Well, MAC, you like to talk a big game, but you are not good at playing the big game. So let everyone go back to those who can; first with the guys in Superbowl 44 and then with Windows 7 on their next laptop."
  
  --
  Respect the Constitution
6. Re:maybe by ctmurray · 2009-06-15 15:14 · Score: 1
  
  No sarcasm intended. The computer is worth the price in my opinion, so it has the value to me. I don't try to convert people, it is a personal decision. I have never had an issue with maintenance costs. At work my employer uses PC's bought at a lower price, but has the added cost of keeping the entire company virus free. We get weekly updates on some software with bug fixes, but my company has to push this onto our computers. We also have virus updates very often (separate from the software updates). Last month they were searching a campus of 10K units looking for one computer, not issued by IT that someone was bringing into our network randomly, but infecting the network each time they connected. My work computer takes 15 minutes to boot up and about 5 minutes to shut down - I understand from others this is not the XP standard times, but due to all the stuff to prevent virus infiltration. I don't have the time, skills nor desire to do this type of work at home so I use a Mac. I suspect there are some on slashdot using Linux for similar reasons.
7. Re:maybe by jeffasselin · 2009-06-15 15:18 · Score: 1
  
  Get the user to download an executable then pop up a window with your java applet that executes ~\Downloads\JustDownloadedMalware
  But it's still a bit far-fetched. By default, newly downloaded executables from the internet have a flag (similar to Windows) that would ask for a confirmation before executing, thus requiring user input to work, I'm not sure if this vulnerability would bypass this.
  
  --
  If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
8. Re:maybe by Malc · 2009-06-15 15:40 · Score: 1
  
  Do you realise how dangerous it is being able to execute anything? If somebody deploying an exploit against this Java issue waits until there is a separate local root exploit, then it's game over. Or as somebody else pointed out, if they can get a user to download something else innocuous sounding, then again, it's all over. And yes, I've had a computer remotely exploited due to a weak password and an unpatched local root security hole.
9. Re:maybe by shutdown+-p+now · 2009-06-15 16:46 · Score: 1
  
  I'm understanding correctly, it apparently doesn't let the attacker launch any code the attacker choses. It only lets the attacker launch code that's already present on the user's filesystem. And doesn't the java sandbox model prevent java applets from writing to the filesystem? So the attacker really may have very little opportunity to execute arbitrary code of the attacker's choosing.
  If the attacker can launch Bash, what else could he possibly need? Oh, and isn't Python there as well? Perl? Ruby?
  By the way, I wonder if wget is also present in default OS X install. That would be even more fun.
10. Re:maybe by cibyr · 2009-06-15 22:54 · Score: 1
  
  By default, newly downloaded executables from the internet have a flag (similar to Windows) that would ask for a confirmation before executing, thus requiring user input to work, I'm not sure if this vulnerability would bypass this.
  You say "by default" - do you know how to turn this off? This is one "security" feature that really bugs me - on windows and on OS X. Yes, I really want to run that executable that I downloaded. That's why I downloaded it! I think I'm smart enough not to run some random executable that suddenly appeared on my desktop/in my downloads folder.
  
  --
  It's not exactly rocket surgery.
11. Re:maybe by Ash-Fox · 2009-06-15 23:32 · Score: 1
  
  We get weekly updates on some software with bug fixes, but my company has to push this onto our computers.
  I don't see the problem.
  
  We also have virus updates very often (separate from the software updates)
  I don't see a problem with that either.
  
  Last month they were searching a campus of 10K units looking for one computer, not issued by IT that someone was bringing into our network randomly, but infecting the network each time they connected.
  Sounds like they don't have a very nicely setup network. For the £5 difference in the cost to get a switch with hardware location identification verses a regular switch, that is kind of ridiculous.
  
  infecting the network each time they connected.
  Infecting? So the machines aren't up to date on the business network then? Doesn't that conflict with what you said earlier? o.O
  
  My work computer takes 15 minutes to boot up and about 5 minutes to shut down - I understand from others this is not the XP standard times, but due to all the stuff to prevent virus infiltration.
  And my 7 year old Windows XP machine takes less than a minute to start or shut down, and it's using roaming profiles with avast anti-virus for the anti-virus software (centrally managed from the domain server too). It's beginning to sound like your company doesn't have the right people to me.
  
  I suspect there are some on slashdot using Linux for similar reasons.
  Nah, I just use Linux because I find it superior to most operating systems out there. Viruses have never been a real concern for me (I take enough safe guards), Windows or otherwise.
  
  --
  Change is certain; progress is not obligatory.
12. Re:maybe by ThePhilips · 2009-06-16 01:30 · Score: 1
  
  I do not know what precisely GP meant. I would answer from my personal experience.
  
  We get weekly updates on some software with bug fixes, but my company has to push this onto our computers.
  I don't see the problem.
  Some updates forced by IT also force PC to restart.
  
  We also have virus updates very often (separate from the software updates)
  I don't see a problem with that either.
  Windows updates have the nagging screen "Please restart" which normal user can't disable or tell it "F*** off" or "I will restart when I'm finished with my work".
  
  Last month they were searching a campus of 10K units looking for one computer, not issued by IT that someone was bringing into our network randomly, but infecting the network each time they connected.
  Sounds like they don't have a very nicely setup network. For the £5 difference in the cost to get a switch with hardware location identification verses a regular switch, that is kind of ridiculous.
  Sounds like you haven't worked in large companies.
  The problem is real: IT can't tell hundreds people (whole company or department) arbitrarily to stop working because some idiot attached private notebook with an infected OS.
  
  infecting the network each time they connected.
  Infecting? So the machines aren't up to date on the business network then? Doesn't that conflict with what you said earlier? o.O
  No. It doesn't. All updates, before pushed onto users, are vetted by IT to make sure that corporate crapware wouldn't break after the update installation. Dysfunctional corporate crapware is literally same thing as arbitrarily telling whole company to stop working.
  
  My work computer takes 15 minutes to boot up and about 5 minutes to shut down - I understand from others this is not the XP standard times, but due to all the stuff to prevent virus infiltration.
  And my 7 year old Windows XP machine takes less than a minute to start or shut down, and it's using roaming profiles with avast anti-virus for the anti-virus software (centrally managed from the domain server too). It's beginning to sound like your company doesn't have the right people to me.
  This is quite complicated topic. Be you anyway related to IT, you wouldn't be making such silly suggestions.
  Corporate PCs are slow because IT schedules piles of checks during start-up and piles of back-ups during shutdown. AV updates on my corporate PC always take at least 1.5 minute during start-up. Plus 2-5 minutes check for 3rd party software updates. YMMV.
  
  I suspect there are some on slashdot using Linux for similar reasons.
  Nah, I just use Linux because I find it superior to most operating systems out there. Viruses have never been a real concern for me (I take enough safe guards), Windows or otherwise.
  True. But on Windows side, where you have sloppy IT and even sloppier users (or worse: managers insisting to have admin rights) picture isn't that rosy.
  
  --
  All hope abandon ye who enter here.
13. Re:maybe by Dr.Merkwurdigeliebe · 2009-06-16 01:30 · Score: 1
  
  This has been my stance on it; I find them worth the money for the time and hassle I don't have to deal with maintaining them. I recommend them to people who ask for these reasons, but I don't campaign for Apple or anything.
  
  --
  I'm a student. I write iPhone apps.
14. Re:maybe by Culture20 · 2009-06-16 01:31 · Score: 1
  
  The Java plug-in does not block applets from launching file:// URLs. Visiting a website containing a maliciously crafted Java applet may allow a remote attacker to launch local files, which may lead to arbitrary code execution.
  Like any file from the malicious website in your browser cache. Oops.
15. Re:maybe by Dr.Merkwurdigeliebe · 2009-06-16 01:31 · Score: 1
  
  I don't see the problem.
  That is your issue - I do see a problem, as does the parent. Therefore, we choose to purchase Macs instead. When I ran linux, it was for the same reasons.
  
  --
  I'm a student. I write iPhone apps.
16. Re:maybe by intheshelter · 2009-06-16 03:09 · Score: 1
  
  "Here is the sad truth, Both the Linux/BSD communities and Microsoft take security more seriously than Apple. "
  - I think the sad truth is you just hate Apple and you don't have a clue about anything if you're trying to sell me on the idea that Microsoft takes security seriously at all. Sorry, but your entire credibility fell to pieces in that statement.
17. Re:maybe by hondo77 · 2009-06-16 07:26 · Score: 1
  
  Here is the sad truth, Both the Linux/BSD communities and Microsoft take security more seriously than Apple.
  You claim that, despite no Mac OS X viruses in the wild ever? I don't think "security" means what you think it means.
  
  --
  I live ze unknown. I love ze unknown. I am ze unknown.
18. Re:maybe by jackspenn · 2009-06-16 08:40 · Score: 1
  
  I lock my car doors and have had my car broken into once. All of my other friends (except one) lock their cars and two of them have been broken into as well.
  
  Sighting that fact, would it be reasonable for me to claim that unlocked cars are more secure and safe then locked cars?
  
  No. Same goes for Apple.
  
  First, viruses aren't the sole threat out there. It is not that Apples are more secure. It is mainly they have benefited from security through obscurity in the past and more recently security on the back of BSD
  
  Finally, might I slap you around a bit and point out the Apple iPhone has been hacked in a variety of ways. Your ignorance doesn't negate that key fact.
  
  I so hope somebody on /. writes an Apple worm, basically all it has to do is infect your systems and display a simple message "The Apple Reality Distortion Field has failed.". We could call it the "Apple Worm" or perhaps "Core", but my favorite name would be "BigCaseOf_STFU".
  
  Don't get me wrong, I loved my Apple II and IIGS, Woz is the man, but the Apple of today isn't the Apple of the late seventies and early eighties.
  
  --
  Respect the Constitution
19. Re:maybe by Ash-Fox · 2009-06-16 09:03 · Score: 1
  
  That is your issue - I do see a problem, as does the parent. Therefore, we choose to purchase Macs instead. When I ran linux, it was for the same reasons.
  Ah! I am enlightened now. Mac users don't like security updates, which is why Apple is so bad at doing them!
  
  --
  Change is certain; progress is not obligatory.
20. Re:maybe by Ash-Fox · 2009-06-16 09:19 · Score: 1
  
  Some updates forced by IT also force PC to restart.
  There are different ways of managing thi issue, many corporations block the user from doing anything to begin with on the system until the system is up to date to begin with. But my own setups I have done use installation cloning against the master image server on boot up.
  
  The problem is real: IT can't tell hundreds people (whole company or department) arbitrarily to stop working because some idiot attached private notebook with an infected OS.
  Don't need to. A decently managed large company should be able to use to block any device from using the network or at least be able to trace the exact hardware location the device was plugged in to within a few moments of knowing the IP address. Not this rubbish the company mentioned before is doing.
  
  Corporate PCs are slow because IT schedules piles of checks during start-up and piles of back-ups during shutdown. AV updates on my corporate PC always take at least 1.5 minute during start-up. Plus 2-5 minutes check for 3rd party software updates. YMMV.
  Don't push your bad IT management skills/experience as a reason for it. I don't run shit IT departments and even on limited router and switch hardware that didn't support this capability I would be using Kerberos which would ensure on authorized equipment (which would then be documented who has it etc) was accessing the network.
  And, even without Kerberos, I would at least be able to tell the DHCP server to give that specific machine a certain subnet split up from the other machines where I could intercept all requests to various protocols with a specific message to the user.
  
  --
  Change is certain; progress is not obligatory.
Just turn off Java by Anonymous Coward · 2009-06-15 13:03 · Score: 5, Insightful

Apple had previously advised users to turn off Java temporarily in their Web browsers
Even after updating, I've found that's advice I can live with.
1. Re:Just turn off Java by gyrogeerloose · 2009-06-15 16:15 · Score: 1
  
  I know you were making a joke but it's not far off the truth. I've had Java turned off for months now and never even noticed a difference.
  
  --
  This ain't rocket surgery.
2. Re:Just turn off Java by Lars+T. · 2009-06-15 19:44 · Score: 1
  From the last story on this: http://blog.cr0.org/2009/05/write-once-own-everyone.html
  
  So MacOS X users, please disable Java in your web browser. Others: make sure you have updated Java and still disable it in your web browser: it's a huge attack surface and it suffers from many other security vulnerabilities.
  Oh, and to all who pointed out that Sun had patched this months ago - have you updated Java since then?
  
  for various reasons, Java is usually poorly updated:
  
  The Sun Java update mechanism isn't tied to the operating system update system on the Windows platform. Personal users and companies don't update it often, some of them do have processes in place to deal with Microsoft's patch Tuesdays but don't for other software updates.
  Many companies are using web applications or Java software that rely on a specific Java version. It may be tedious to update Java because it would break many things. This may be the reason why Apple's Java updates are so infrequent.
  Some Linux distributions don't support Sun's JRE (proprietary software) despite making it available. When I asked Ubuntu to fix this vulnerability, they fixed OpenJDK quickly but told me the Sun JRE was not supported (despite being available by default on the latest LTS Ubuntu release).
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
3. Re:Just turn off Java by ukyoCE · 2009-06-16 08:12 · Score: 1
  
  People use Java in web browsers? And it's enabled by default? O.o
  WHY
4. Re:Just turn off Java by jawahar · 2009-06-16 16:26 · Score: 1
  
  Java and AJAX are Oxymoron on Desktops.
  
  --
  Slashdot = Sarcasm
5. Re:Just turn off Java by Lars+T. · 2009-06-16 17:24 · Score: 1
  
  Oh, and to all who pointed out that Sun had patched this months ago - have you updated Java since then?
  Do you understand the difference between choosing not to update, and being unable to update?
  Fuck you're a retard.
  So you choose to be vulnerable - yeah, you are obviously the smart one.
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
158MB update!!!! by macbuzz01 · 2009-06-15 13:05 · Score: 1

Holy crap that's a huge update. How big is the original install? Sorry for the people on dial-up.
1. Re:158MB update!!!! by prestomation · 2009-06-15 13:57 · Score: 2, Funny
  
  What's "dial-up"?
Re:Slashdot Bias by node+3 · 2009-06-15 13:15 · Score: 5, Funny

Had this been a post about Microsoft instead of Apple, I'd imagine there'd be a lot of "ha ha micro$0ft sucks" posts now.
Instead, there's a lot of "ha ha Apple sucks" posts, as one would expect since the story's about Apple and not MS.
Java is now Apple's problem? by bogaboga · 2009-06-15 13:24 · Score: 1

I do not understand...but since when have problems in Java been Apple's problems?
Seriously, the title talks of problems with Java and then goes ahead to mention that these problems are Apple's problems - absurd!
May be the title should be changed to say something like: -
"...Java exploits a vulnerability on Apple's OSX..."
1. Re:Java is now Apple's problem? by patman600 · 2009-06-15 13:36 · Score: 5, Informative
  
  They've been apple's problem since they took over porting java to the mac, and prevent sun from writing their own java for mac.
The Black Haxor by EEPROMS · 2009-06-15 13:37 · Score: 5, Funny

Apple Guy "Halt who goes there"
Black Haxor "It is I the black haxor, I seek the finest computer coders to join me in my quest"
Apple Guy " You shall not pass"
Black Haxor "What ?"
Apple Guy "Non shall pass"
Black Haxor "I have no quarrel with you, good sir, but I must move on"
Apple Guy "Then you shall first install photoshop and make an offering at the alter of Steve and promise to buy hardware at twice the price from the lords of apple".
Black Haxor "I command you to stand aside! for I am the Black Haxor"
Apple Guy "I move for no man for I am impervious to all your tricks for I run OSX"
Black Haxor "So be it"
[Black Haxor pulls out his laptop and starts to type]
[HAH]
Apple Guy "What have you done ?"
Black Haxor "I have exploited a java script bug on your system and signed you up as the local leader for the "Pedo's Rights" association and then passed the details on to the the local parents and teachers group"
Apple Guy "what is this trickery, for such is impossible, you lie"
[a rabble of middle aged parents turn up]
Crowd "THERE HE IS, GET HIM!!"
Apple Guy "BAH! Tis but a lie"
Black Haxor "run man, they weld clubs and carry petrol containers and mean harm upon you"
Apple Guy "They do not wish me harm as my laptop colour matches my shoes, thus they come to tell me how great my karma is"
[15 minutes later the Black Haxor is staring at a smoldering pile on the ground]
Black Haxor "Sigh"
[Crosses bridge]
158MB and the Update will not install! by Dystopian+Rebel · 2009-06-15 13:41 · Score: 2, Informative

The update fails to install on some machines, mine included.
Use your favourite search engine (Bing me no Bings) to find references to:

The update "Java for Mac OS X 10.5 Update 4" can't be installed.

--
Rich And Stupid is not so bad as Working For Rich And Stupid.
1. Re:158MB and the Update will not install! by Dystopian+Rebel · 2009-06-15 14:06 · Score: 2, Informative
  
  I hope this helps other OS X users... After downloading with Software Update, I had to reboot to install the Java update successfully.
  This also means that the whole update (158MB) had to be downloaded again. Download it separately before rebooting and install from the downloaded file, just in case.
  
  --
  Rich And Stupid is not so bad as Working For Rich And Stupid.
2. Re:158MB and the Update will not install! by zonky · 2009-06-15 14:18 · Score: 1
  
  This happened to me on a brand new macbook i was configuring earlier. After a reboot it installed (after downloading it again).
3. Re:158MB and the Update will not install! by MillionthMonkey · 2009-06-15 14:19 · Score: 2, Informative
  
  Toss the one you downloaded and get a new one by rerunning Software Update.
  
  They bungled some file permission thing inside the update package... [insert Mac vs PC joke here]
4. Re:158MB and the Update will not install! by gyrogeerloose · 2009-06-15 16:07 · Score: 2, Informative
  
  No problem on my first-generation MacBook using Software Update.
  Huge file, though--158MB.
  
  --
  This ain't rocket surgery.
5. Re:158MB and the Update will not install! by bennomatic · 2009-06-15 17:02 · Score: 3, Informative
  
  It worked for me after I quit my running browsers.
  
  --
  The CB App. What's your 20?
6. Re:158MB and the Update will not install! by dotgain · 2009-06-15 20:39 · Score: 1
  
  Oh great. This happened to me two hours ago on a G4 (before I even read this article), and I suspect it's about to happen to me in about 10 minutes on my MacBook.
Re:Apple: It Just Works (TM)* by Anonymous Coward · 2009-06-15 13:56 · Score: 1, Funny

I don't know about others but this Java vulnerability update makes my Mac feel a lot faster.
Yeah -FINALLY- by DebianDog · 2009-06-15 14:08 · Score: 1, Funny

I mean hell us Mac users can FINALLY get back on the internet. Shooo took long enough We just sat here living in fear. Mac powered off. Checking in with our Windows friends to see when it was safe again, while flashbacks to the "Code Red" nightmare from year ago filled our head. Oh wait, Code Red is when my company swore off ever using Windows for critical systems.... Scratch that.

But anyways us Mac fan bois are back! WOO HOO!!!! "finally"
1. Re:Yeah -FINALLY- by MtViewGuy · 2009-06-15 15:35 · Score: 1
  
  However, today's Windows XP (with Service Pack 3) and Windows Vista (with Service Pack 2) aren't as vulnerable as you think. This is because both operating systems gives you a LOT of security warnings about:
  1) Keeping Windows Update at least in Notify mode, which at least warns you about the availability of the latest security patches from Microsoft.
  2) Installing at least an antivirus and firewall security programs.
  As such, most XP and Vista users have at least Windows Update warning about installing the latest patches and usually run a full Internet security suite (or its free equivalents) from Symantec, McAfee, Trend Micro, Panda Software, etc.
Re:Apple is not a fan of Java by konohitowa · 2009-06-15 14:11 · Score: 5, Insightful

Yeah. Those losers should stop running their iTunes store with Java. Lame Java haters!
http://en.wikipedia.org/wiki/WebObjects No, I didn't just edit it, but I suppose it's ripe for vandalism now.
Not like your conjecture is without merit. I mean, what can explain their slowness in Java porting? I wish I knew. It's a real annoyance.
To be mildly fair, us mere mortals aren't getting WebObjects updates anymore, but they don't seem to be slowing down their usage of it at iTunes & the Apple store and dev sites. Perhaps they're going to migrate more things to SproutCore once BitBurger et al gets released. Although that doesn't provide them with a back-end, and I'm not utterly convinced that RoR is up to the demand, inclusion in OS X notwithstanding. If only more Erlang/Mnesia would roll out.
Your sig by Mad+Merlin · 2009-06-15 14:58 · Score: 1

curl -I slashdot.org

is so very much simpler.

--
Game! - Where the stick is mightier than the sword!
1. Re:Your sig by Ash-Fox · 2009-06-15 22:37 · Score: 1
  
  is so very much simpler.
  
  $ curl -I slashdot.org -bash: curl: command not found
  
  I don't feel like including install commands.
  
  --
  Change is certain; progress is not obligatory.
2. Re:Your sig by Thinboy00 · 2009-06-16 03:01 · Score: 1
  
  You forgot one:
  
  $ curl -I slashdot.org [snip] X-Leela: This wangs chung. [snip some more]
  
  --
  $ make available
3. Re:Your sig by Mad+Merlin · 2009-06-16 12:57 · Score: 1
  
  Well then...
  
  $ echo -e "HEAD / HTTP/1.1\nHost: slashdot.org\n\n" | netcat slashdot.org 80 bash: netcat: command not found bash: echo: write error: Broken pipe
  
  --
  Game! - Where the stick is mightier than the sword!
Re:Apple is not a fan of Java by Anonymous Coward · 2009-06-15 15:23 · Score: 1, Funny

Not having any idea what anything in that post means I presume it is all part of a delicious sandwich (Sproutcore, BitBurger...) ... sounds yummy...
Apple vs Security by rajats · 2009-06-15 16:19 · Score: 1

I think apple should launch another ad campaign with the "Cool" mac guy on one side and a security guy on the other! The "Cool" guy could put his head in the sand and shout "Don't make me do stuff!".
Re:Apple is not a fan of Java by Anonymous Coward · 2009-06-15 16:44 · Score: 1, Informative

While WebObjects CAN use Java, it can also use Objective-C, and is several times faster when using Objective-C.
Needless to say, the iTunes Music Store uses Objective-C and NOT Java.
The easiest way to verify this is to note that Java support came to WebObjects well after the iTunes music store was implemented.
Java on Mac OS X has been deprecated in favor of Python and other more useful languages. Xcode still supports it (barely) but the writing's on the wall: move to Objective C or Python, Java is dead.
Re:Apple is not a fan of Java by konohitowa · 2009-06-15 17:14 · Score: 2, Funny

Not having any idea what anything in that post means I presume it is all part of a delicious sandwich (Sproutcore, BitBurger...) ... sounds yummy...
Dooooddd... there's like this totally new thing called Bing! that lets you look stuff like that up! (I hear some pikers down in Cali called googol or something stupid like that are trying to horn in on the action though).
Re:Apple is not a fan of Java by konohitowa · 2009-06-15 17:29 · Score: 1

I'll have to drag out my OS X Server 1.x and give it a whirl. I haven't played with it in ages and don't really recall the full dev cycle on that. My current XCode doesn't have WO installed (but I've got Ada, go figure), so I can't even create a simple project. I don't recall having the ability to create anything non-Java on the server side for a quite a while though. However, until I have something concrete in front of me, I'm forced to agree with you. :)
As to "Java is dead", well - I've been of that opinion in the overall scheme of things for a while. I don't know if you meant that only regarding Apple's attitude toward it, but I think it extends beyond just them. But then I also think the "open source the world!" movement has accomplished so many of its goals at this point that it's becoming a solution desperately searching for more problems. Needless to say (and yet I do), that doesn't make me terribly popular 'round these here parts.
Re:10.4 and Java 1.6? by Cochonou · 2009-06-15 17:56 · Score: 1

Do not worry: you would not get Java 1.6 (or 6.0, or whatever) with 10.5 on PPC either. This is only for x86-64 machines.
Yeeeeah... by randomblast · 2009-06-15 21:55 · Score: 1

This makes even happier that my mac greeted me with "The Java update for 10.5 could not be installed" this morning.

--
...these aren't my real teeth.
I did a demo on this just recently... by js_sebastian · 2009-06-15 22:15 · Score: 1

...but I didn't have a mac, so I had to use a vm with an unpatched linux (ubuntu 8.10 actually). I tried to convince a guy with a mac in the audience to go to my exploit url, but he was not willing... One cool thing of this exploit is that it is pure java, so the same exploit can work on linux, mac and windows.

Here is a writeup on the vulnerability: http://blog.cr0.org/2009/05/write-once-own-everyone.html

And here is a proof-of-concept exploit: http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html

You can decompile it to see what's going on exactly.

Enjoy.
auto Update by eples · 2009-06-16 01:37 · Score: 1

I would also add that in 1998 the automatic patching and updates concept was brand new, and even the windows update site wasn't pushing patches, but rather desktop themes and other nonsense "add ons".

Apple has a really good updating service built into OSX, so good that I barely notice that it has done anything when it is finished. There aren't as many patches as I get bombarded with on Windows, but I still don't think that means "they are in 1998".

--
I'm a 2000 man.
Re:Apple is not a fan of Java by foo+fighter · 2009-06-16 03:56 · Score: 1

I mean, what can explain their slowness in Java porting? I wish I knew. It's a real annoyance.
Apple wants external developers to use Cocoa. They want to focus internal efforts on making Cocoa better.
From Apple's strategic perspective, why support an alternative platform (and Java is an alternative platform) that doesn't lead to great Mac software, especially great Mac-only software?

--
obviously no deficiencies vs. no obvious deficiencies
Re:Apple is not a fan of Java by konohitowa · 2009-06-16 06:40 · Score: 1

I don't disagree with any of your speculations. The thing is, as I understand things, Sun would do the work for Apple if Apple would let them. Not being privy to internal details, it's easy to imagine that it's a control issue or even something nefarious. It could be something as simple as not being able to get Sun to support their Aqua look. Ultimately, I really don't know, but it doesn't make it any less annoying.
Re:Apple is not a fan of Java by konohitowa · 2009-06-16 06:56 · Score: 1

While I realize their objectives (vs realizing their objectives - giggle) are going to be Cocoa centered, and while I'm mildly fanboyish toward Cocoa, I'd still like to be able to roll Java apps in XCode on occasion. It's not as if their lagging support of Java is going to keep from rolling Java apps for other platforms. It just makes it more of a hassle for me.
I'd prefer Apple worked a bit harder to keep me happily working within their platform, rather than pushing me out of the platform in order to accomplish tasks that aren't Apple-centric. Not that Java is a deal killer for me at the moment, but if they let that type of thinking take root too deeply, I think they're setting themselves up to be another Microsoft culture.
arduino ide is broken by this update by jcgf · 2009-06-16 13:21 · Score: 1

problems with librxtxSerial.jnilib arrrgh!
Great, now if only by onemorechip · 2009-06-16 16:58 · Score: 1

they can do something about this "The update "Java for Mac OS X 10.5 Update 4" can't be installed error message I get when I try to install the thing.

--
But, I wanted socialized health insurance!
1. Re:Great, now if only by profplump · 2009-06-16 18:18 · Score: 1
  
  I got that too, on two different machines.
  But it worked fine when I fired off the updater manually -- if you select "Download Only" it will reveal the package in the Finder.
Re:Apple is not a fan of Java by laffer1 · 2009-06-16 17:49 · Score: 1

I was under the impression that WebObjects was Java only since 5.0 came out. http://developer.apple.com/tools/webobjects/ As you can see, it mentions only java in the description.

--
MidnightBSD: The BSD for Everyone
Spinning Kaleidescope of Death by JustJenFelice · 2009-06-17 07:23 · Score: 1

Anybody else notice the rabid, hostile tendencies of the typical Mac Fanboy's postings? A little disturbing...

--
[Insert pithy line of moxie here.]
mod parent up by Kyusaku+Natsume · 2009-06-17 18:47 · Score: 1

I had the same issue with one of my macs and had to do the same :)
Strange bug.

--
Mexico: 100% conservative's America now!