Recent Apple Java Update Doesn't Fix Critical Java Flaw Claims Researcher
hypnosec writes "Just yesterday Apple released updates to fix Java vulnerabilities, but it seems the patch doesn't actually target the recently discovered high-profile Java bug that has been the talk of the web during the last two weeks. The two updates, Java for OS X 2012-005 for OS X Lion and Java for Mac OS X 10.6 Update 10 for Mountain Lion, are meant to tackle the vulnerability described in CVE-2012-0547. But according to KrebsOnSecurity, it seems Cupertino hasn't addressed the recent mega-vulnerabilities in Java as described in CVE-2012-4681."
Update: 09/07 12:00 GMT by S: As readers have pointed out, these updates address flaws in Java 6, which is the version Apple maintains. The recently-reported Java vulnerabilities primarily affect Java 7, the patching of which is handled solely by Oracle. Nothing to see here.
Except that Apple has never even installed Java 7 to be vulnerable... this is an update to their Java 6, so the story is bogus.
It's Oracle's job to handle Java 7 on Mac; Apple is only dealing with up to 6.
While the Apple update doesn't fix the v7 vulnerability, it shouldn't as the Apple Java is v6 which supposedly doesn't have it (or some part of it). So this seems to make sense. To get v7 on a Mac you have to go out of your way and download v7 from Oracle separately.
Apple doesn't ship Java installed by default... but if you do install it, it's Java 6. The "unpatched" vulnerability in the summary only affects new Java 7 functionality and does not affect Java 6.
How is it hyperbole? Look at Secunia. There are more than 1000 vulnerabilities between the combined versions of the JVM. They average around 200 per version which is actually worse than Flash player.
Hey editors, you've been trolled. The "mega-vulnerabilities" described in CVE-2012-4681 don't even apply to the version of Java Apple ships. Do some homework before jumping on the bandwagon next time.
Funny, I just attempted to play the Battlestar Galactica web MMO, and Unity3d is not supported on Linux...
Not sure what you mean by "kicked to the curb", but OS X Java is still maintained by Apple.
Not completely. Apple maintains Java for Mac OS X through version 6. Oracle took over starting with version 7. It's not clear how long Apple will continue to provide updates for version 6, though.
Apple stopped including it as a default install with Lion (Mac OS X 10.7), I believe.
CVE-2012-4681 is a vulnerability that affects Java 7. Apple has only ever provided Java 6 with OS X, and with recent OS X versions, it's not even included by default. So it's pretty silly to make a sensational story that calls out Apple for not addressing CVE-2012-4681 in their update to Java, since they're not even affected by it.
For more details, see: http://www.kb.cert.org/vuls/id/636312
I stand corrected. About 18 months ago, I was writing the installation docs for a Java application that had to run on Mac, and I went to rather a lot of trouble to find out how to configure Java on the Mac. (The main reason I got the job: they'd had bad experiences with users on various platforms who didn't understand Java runtime idiosyncrasies.) I was actually quite impressed by the way OS X support for Java worked — very elegant and carefully thought out.
Now I suppose my work will have to be thrown out and replaced by the cruder procedures Oracle uses. Oh well.
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html It affects Java 6 u34 and below, but the impact is not as severe. I believe malicious code can still change the value of private fields, but the Java 6 version of the sandbox is implemented differently, so the list of permissions can't be replaced with "AllPermissions".
Sorry, QT is vile and unnatural, IMHO.
If you don't like it that's fine, that's not really any kind of objective criticism though. If you don't like Qt there's always other options like wxWidgets, FLTK, etc...
Effective sure
Which is why so many people use it.
The C++ code itself is nothing.
Which is why your post was so baffling.
What matters is that for each platform you target you need different libraries, and each library has its own idiom.
But you don't, there are so many cross-platform libraries. You get the same when targeting Android with Java anyway, you can't just use Swing like on other platforms.
Then you end up contorting your architecture for each set of libraries you are trying to integrate.
Do you have a specific example of why you did this?
This is not impossible (I've written lots of portable, complex C++ in the last two decades) but I can tell you it is *vastly* easier, more consistent, and I would argue more performant (since the time I save not fixing dumb C++ loopholes I instead spent optimizing my Java) to use Java.
This all depends on your proficiency, not sure what these 'dumb C++ loopholes' you're referring to are, could you be specific?
Flightgear is an admirable bit of software. I looked at extending it but realized after two decades of C++ and a decade of Java I knew which language to base a new *reliable* multi-player, multi-core product on.
So what specifically makes Java more reliable?
So I understand your advocacy for C++.
What advocacy for C++?
Java becomes the better choice for new heavily multi-threaded stuff, IMHO.
Why is that?
According to the risk matrix at the bottom of the page, the vulnerability affecting Java 6 u34 and below is identified as CVE-2012-0547, which is exactly what Apple's fix fixes, as said in TFS. IOW, TFA is still uninformed at best.
Of course, news about a fake is fake news.