Recent Apple Java Update Doesn't Fix Critical Java Flaw Claims Researcher
hypnosec writes "Just yesterday Apple released updates to fix Java vulnerabilities, but it seems the patch doesn't actually target the recently discovered high-profile Java bug that has been the talk of the web during the last two weeks. The two updates (Java for OS X 2012-005 for OS X Lion and Java for Mac OS X 10.6 Update 10 for Mountain Lion) are meant to tackle the vulnerability described in CVE-2012-0547. But according to KrebsOnSecurity, it seems Cupertino hasn't addressed the recent mega-vulnerabilities in Java as described in CVE-2012-4681."
Update: 09/07 12:00 GMT by S : As readers have pointed out, these updates address flaws in Java 6, which is the version Apple maintains. The recently-reported Java vulnerabilities primarily affect Java 7, the patching of which is handled solely by Oracle. Nothing to see here.
Except that Apple have never even installed Java 7 to be vulnerable. This is an update to their Java 6, so the story is bogus.
It's Oracle's job to handle Java 7 on Mac; Apple are only dealing with up to 6.
While the Apple update doesn't fix the v7 vulnerability, it shouldn't as the Apple Java is v6 which supposedly doesn't have it (or some part of it). So this seems to make sense. To get v7 on a Mac you have to go out of your way and download v7 from Oracle separately.
Apple doesn't ship Java installed by default... but if you do install it, it's Java 6. The "unpatched" vulnerability in the summary only affects new Java 7 functionality and does not affect Java 6.
Ummm, because it is the best cross-platform solution for rich clients out there. If there was something better I would use it, but there isn't (I'm writing a jet combat flight simulator and C++ and C# simply are too much effort to make truly cross-platform; eg. Mac, Linux, Windows, Android). If you would please suggest a useful alternative to Java that was cross-platform and I didn't have to go through all the awful porting nonsense of C++ or C#/Mono (been there, done that, don't want to do it again) for my flight sim, then I'm all ears.
You can't take advantage of the vulnerability if you can't run any applets
Not true.
http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136112.html
How is it hyperbole? Look at Secunia. There are more than 1000 vulnerabilities between the combined versions of the JVM. They average around 200 per version which is actually worse than Flash player.
Hey Editors, you've been trolled. The "mega-vulnerabilities" described in CVE-2012-4681 don't even apply to the version of Java Apple ships. Do some homework before jumping on the bandwagon next time.
...is that CVE-2012-4681 uses a vulnerability during Applet execution.
Not quite. Applets are the most likely infection vector, but the vulnerability exists in any Java code.
Basically, what CVE-2012-4681 does is let untrusted Java code turn off the Java sandbox. Applets are about the only Java code where the sandbox is likely to be enabled by default, but there are scenarios where the sandbox is used by non-applet code. (As an example, in a Java servlet environment (think Java CGI), the individual pages might be run in the Java sandbox.)
Which means that, for the most part, this only affects applets, since most Java code isn't run in the Java sandbox anyway. But it's conceptually possible that it opens security holes in other Java-based code, if that code happens to run within the Java sandbox.
What do you get for a similar search of "Windows"? (that is also another "platform", just as the JVM is). My point is not that Java is without vulnerabilities - clearly it has them - but that calling it "malware" is misleading since anything with a similar large amount of functionality also has a lot of attack surface. So the hyperbole ought to be cut. k?
Funny, I just attempted to play the Battlestar Galactica web MMO, and Unity3d is not supported on Linux.
Not sure what you mean by "kicked to the curb", but OS X Java is still maintained by Apple.
Not completely. Apple maintains Java for Mac OS X through version 6. Oracle took over starting with version 7. It's not clear how long Apple will continue to provide updates for version 6, though.
Apple stopped including it as a default install with Lion (Mac OS X 10.7), I believe.
CVE-2012-4681 is a vulnerability that affects Java 7. Apple has only ever provided Java 6 with OS X, and with recent OS X versions, it's not even included by default. So it's pretty silly to make a sensational story that calls out Apple for not addressing CVE-2012-4681 in their update to Java, since they're not even affected by it.
For more details, see: http://www.kb.cert.org/vuls/id/636312
http://www.cloudpath.net/solutions/solutions.php
A lot of their solutions work on Java.
Example: New kids to campus want to get their laptop on the university wireless system. All they have to do is have Java and know their e-mail user name and password, and this 3rd-party solution takes the machine's MAC address, registers it on the network, logs it in a back-end database, and automatically switches the student from the setupwireless to the WPA2 university wireless network. This saves a ton on help-desk logged hours/tickets and student lines.
> I'm writing a jet combat flight simulator and C++ and C# simply are too much effort to make truly cross-platform; eg. Mac, Linux, Windows, Android
Care to elaborate on the specifics? Because it sounds a bit ... exaggerated. The difference between the platforms is in the UI, and I do not think any sensible developer would subject their users to the horrors of AWT or Swing (neither of which, IIRC, is available on Android). If you take the platform-specific UI out of the question, then the rest of the code would be pretty portable, regardless of the programming language. Except of course for Android, where IIRC you need a different paradigm for an application, which would be a much bigger, yet programming-language-neutral, hurdle to overcome.
> If you would please suggest a useful alternative to Java that was cross-platform and I didn't have to go through all the awful porting nonsense of C++ or C#/Mono (been there, done that, don't want to do it again) for my flight sim, then I'm all ears.
What 'awful porting nonsense' did you have with C++ code?
I stand corrected. About 18 months ago, I was writing the installation docs for a Java application that had to run on Mac, and I went to rather a lot of trouble to find out how to configure Java on the Mac. (The main reason I got the job: they'd had bad experiences with users on various platforms who didn't understand Java runtime idiosyncrasies.) I was actually quite impressed by the way OS X support for Java worked — very elegant and carefully thought out.
Now I suppose my work will have to be thrown out and replaced by the cruder procedures Oracle uses. Oh well.
FlightGear is multi-platform (Windows, OS/X, Linux) and written in C++ and QT. Seems to work well enough for them.
The bug described in CVE-2012-4681 affects Java SE 7. OS X uses Java SE 6. It would be a little weird if they patched Java SE 6 for a bug that doesn't exist in Java SE 6.
What would you like to know, specifically? Note that the 2D UI is a minor part of the application, and a "Filthy Rich Client" (Google if you don't understand this term) Swing startup is perfectly fine to start the JoGL/OpenGL main UI.
> Because it sounds a bit ... exaggerated.
This is why I am taking pains to point out that Java is more than adequate for 3D gaming (since all the important stuff runs on the GPU anyway). I find it lamentable that Slashdotters are so anti-Java (and have out-of-date perspectives) that they simply cannot comprehend that modern JVMs are not only as good as C++ for gaming, they are superior in my experience as an indie game developer (for a hard-core simulation; eg. multi-threaded resource sharing in Java is so much easier than in C++ when you are targeting multiple platforms). I understand that existing game devs with existing C++ pipelines and assets aren't interested in Java, but new games development should seriously consider it, especially if you want to be as massively profitable as Java games like Minecraft are.
Sorry, QT is vile and unnatural, IMHO. Effective sure, but unnatural for those used to proper Object Oriented UI toolkits (eg. back in the day Borland's OWL, Swing etc).
The C++ code itself is nothing. What matters is that for each platform you target you need different libraries, and each library has its own idiom. Then you end up contorting your architecture for each set of libraries you are trying to integrate. This is not impossible (I've written lots of portable, complex C++ in the last two decades) but I can tell you it is *vastly* easier, more consistent, and I would argue more performant (since the time I save not fixing dumb C++ loopholes I instead spent optimizing my Java) to use Java.
Flightgear is an admirable bit of software. I looked at extending it but realized after two decades of C++ and a decade of Java I knew which language to base a new *reliable* multi-player, multi-core product on.
So I understand your advocacy for C++. You can certainly accomplish useful stuff in it (and I have). However, I would never start a new forward-looking project in it. Java becomes the better choice for new heavily multi-threaded stuff, IMHO. (And yes, that includes rich clients, which can be made to look amazing using the "Filthy Rich Client" Swing techniques and OpenGL/JoGL.)
The parent posted this:
>"I do not think any sensible developer would subject its users to the horrors of AWT or Swing"
Personally, I disagree and find Swing to be one of the most powerful and productive rich client toolkits out there. If you know what you are doing you can do just about anything (although Swing has plenty of flaws still). It was based on that parent comment that I decided to "defensively" elaborate why I consider Java suitable, and IMHO particularly suitable for massive multi-threading in a multi-platform application (yes, you can do the same in C++, but it is very much a hassle and the libraries change on each target platform, which was part of my point). Hence, I still see Java as the premier choice of platform for my project (which is what the parent of my original post disputed; he could see no use for client-side Java. In fact I don't see any economic alternative; C/C++/C#/Python etc. are not nearly as suitable for my purposes and intended development timescale).
You said you're doing a game. Most game engines or graphics engines contain UI classes as part of the SDK. Some even have UI designers to help build your UI.
I think Swing looks ugly, and doesn't blend in with the native OS (not exactly the spirit of cross-platform), and I suspect that is the common opinion too.
Still, feel free to use it. If it's your strongest toolkit (ie. the one you know best), then it's the best toolkit for you to use.
> Sorry, QT is vile and unnatural, IMHO.
If you don't like it that's fine, that's not really any kind of objective criticism though. If you don't like Qt there's always other options like wxWidgets, FLTK, etc...
> Effective sure
Which is why so many people use it.
> The C++ code itself is nothing.
Which is why your post was so baffling.
> What matters is that for each platform you target you need different libraries, and each library has its own idiom.
But you don't, there are so many cross-platform libraries. You get the same when targeting Android with Java anyway, you can't just use Swing like on other platforms.
> Then you end up contorting your architecture for each set of libraries you are trying to integrate.
Do you have a specific example of why you did this?
> This is not impossible (I've written lots of portable, complex C++ in the last two decades) but I can tell you it is *vastly* easier, more consistent, and I would argue more performant (since the time I save not fixing dumb C++ loopholes I instead spent optimizing my Java) to use Java.
This all depends on your proficiency, not sure what these 'dumb C++ loopholes' you're referring to are, could you be specific?
> Flightgear is an admirable bit of software. I looked at extending it but realized after two decades of C++ and a decade of Java I knew which language to base a new *reliable* multi-player, multi-core product on.
So what specifically makes Java more reliable?
> So I understand your advocacy for C++.
What advocacy for C++?
> Java becomes the better choice for new heavily multi-threaded stuff, IMHO.
Why is that?
That's not a fair comparison. Users don't realistically have a choice about whether to run an OS. They do have a choice whether to add additional vulnerabilities by tacking on an unnecessary abstraction layer like Flash or Java.