Must Read: First Windows XP now Exchange 2003: What happens when the clock stops on support?

Topic: Security

Apple finally patches musty old Java for Mac vulnerabilities

Summary: Apple has finally released a Java for Mac update to fix multiple security flaws that were patched upstream more than six months ago.The fix comes three weeks after developers released proof-of-concept code to demonstrate the severity of the flaw and to nudge embarrass Apple into shipping the patch.

Ryan Naraine

By for Zero Day |

Apple has finally released a Java for Mac update to fix multiple security flaws that were patched upstream more than six months ago.

The fix comes three weeks after developers released proof-of-concept code to demonstrate the severity of the flaw and to nudge embarrass Apple into shipping the patch.

Today's patch covers the following:

[ SEE: Mac OS X vulnerable to 6-month old Java flaw ]

  • Multiple vulnerabilities exist in Java 1.5.0_16, the most serious of which may allow an untrusted Java applet to obtain elevated privileges. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating Java 1.5 to version 1.5.0_19.
  • Multiple vulnerabilities exist in Java 1.4.2_18, the most serious of which may allow an untrusted Java applet to obtain elevated privileges. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating Java 1.4 to version 1.4.2_21. Further information is available via the Sun Java website.

Because of licensing and other hiccups, Apple will always be late with its Java for Mac updates.   Perhaps it's time for Sun to merge the Mac Runtime for Java with the standard Java codebase and ship Java for Mac themselves.

Thoughts?

Topics: Security, Apple, Hardware, Open Source, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

36 comments
Log in or register to join the discussion

  • Disgusting behaviour by Apple

    By not updating Java, they have not only left millions of users exposed, but they have left users dependent on Java unable to access certain web pages. They should, absolutely, let Sun maintain the Java updates.

    I say this as a supporter of Mac OS X and in full conciousness that nobody has been harmed by the vulnerabilities. But, I have been inconvenienced by the lack of an updated Java, and forced to use Windows to access a specific website.
    jorjitop
    Reply Vote

  • Unacceptable response time!



    They had over 7 months to deal with the issues the response
    time was totally unacceptable.

    You can do much better than that Apple!
    Telix
    Reply Vote

  • Unacceptable response time!


    They had over 7 months to deal with the issues the response
    time was totally unacceptable.

    You can do much better than that Apple!
    Telix
    Reply Vote

  • OpenJDK

    "Perhaps it?s time for Sun to merge the Mac Runtime for Java
    with the standard Java codebase and ship Java for Mac
    themselves."

    Time for Apple to switch to the OpenJDK base. Apple's
    updates (not just security) to Java have been a problem for
    years.
    Richard Flude
    Reply Vote

    • Correct.

      Ryan is correct with the line:
      "Perhaps it?s time for Sun to merge the Mac Runtime for Java with the standard Java codebase and ship Java for Mac themselves."
      But I think there are some licensing issues that we are not seeing that is cause of these delays to Java on the Mac and just migrating to OpenJDK is not that easy with the current license they now have.
      These nested license agreements are not helping us because we cannot independently update our versions of software when we need it rather in the bundle of nested software.
      phatkat
      Reply Vote

  • More Scare Tactics

    9 months to infect any mac - actually occur outside of labs? Anyone? Any one of 70 million mac users? Guess not that critical or scary to NORMAL EVERYDAY AVERAGE users ... if I worked in a java lab, maybe ... yawn ... still no downtime and as usual Apple provides a patch JUST IN TIME. Smug, arrogant? Sure ... I also don't have scurvy or the malnutrition rickets - smug? sure. So, all good here - Apple will fix it.
    jbelkin
    Reply Vote

    • Just in time for what?

      [i]still no downtime and as usual Apple provides a patch JUST IN TIME.[/i]

      What is the specific event that makes this JIT?
      ye
      Reply Vote

    • Exactly

      That 7-month "vulnerability" led to how many exploits in the wild? Anyone? *chirrrrrp-chirrrrrp*

      Yeah, thought so. No need for angry overreactions.
      vikingnyc@...
      Reply Vote

      • Apple is perfect!!

        Remember, like the TV commercials imply, Apple NEVER has vulnerabilities and they're perfect!
        ktw.zd.net
        Reply Vote

        • No...

          @kurt.westerlund...

          Uh, no one here has ever said Apple was "perfect". And I don't recall any
          commercial claiming that Macs were perfect, just that users don't have to
          worry about viruses.
          dclhacker
          Reply Vote

        • On drugs.

          When you are on a meth trip it does feel like everything in the world is perfect.
          Now get off those drugs and live in the real world like the rest of us.
          phatkat
          Reply Vote

      • Oh sure, why worry until it's too late?

        If you reported to your landlord that your apartment's front door won't lock, would you be happy that it took him six months to get you a new lock? I mean hey, no one's burglarized you [i]yet[/i], so obviously your apartment is secure... right? What's the big deal? The fact that anyone could walk in and take your stuff? Oh please. We'll get to it in six, seven months. Nine months at the latest.
        mechBgon
        Reply Vote

        • So?

          Apple sucks and should have fixed this sooner, but then considering that a certain other company (See http://blogs.zdnet.com/security/?p=2894) seems unworried by its steadily growing crop of unpatched known (and in some cases exploited) vulnerabilities one does wonder why you are not also leaping up and down about them.

          Ah well, enjoy.
          zkiwi
          Reply Vote

        • If you lived in community where people didn't ...

          ... break into apartments, then - it wouldn't matter if it
          took a while to get the lock fixed, would it. And -
          there are communities where you can live your door
          unlocked. I live in one. It is common to see people
          leave their keys in the ignition downtown, and to leave
          their houses unlocked.

          Macs (at the moment - and of course subject to
          change) like a small town where you don't worry about
          these things. Mac owners know that there is another
          world out there, they just don't worry about it.
          snberk341
          Reply Vote

  • Can anyone post any evidence that it has been used /caused any havoc?

    Can anyone post any evidence that it has been used /caused any
    havoc/problems on OS X?

    This subject seems to be a tempest in a teapot
    gennx30
    Reply Vote

  • It's a non-issue, here's why

    Mac OSX WARNS you when a Java app wants to run in Safari.
    Try it.

    Wintards just want to make Mac look like it has security issues.
    Compared to Windows though, they are practically non existant,
    and this has nothing to do with any supposed 'obscurity'.

    Mac is no more obscure than Windows.
    comp_indiana
    Reply Vote

    • Warnings do not solve the problem

      Yes, it warns you. But an ordinary computer user does not even know what Java is. He or she interprets such warning messages as follows: "Blah, blah, blah, incomprehensible technical stuff, blah, blah, blah. Do you want to me to go ahead and do what you asked me to do, or do you want me to not do what you asked me to do?" Of course they say "yes, do what I wanted to do".
      dlweinreb
      Reply Vote

    • Fail

      This vuln was exploitable through Java applets. Browsers don't warn before executing Java applets - at least not by default.

      Applets are not like full blown Java applications.

      No, Apple left their entire user base hanging out there for 6+ months, vulnerability information in public, drive-by attack without warnings entirely possible.

      No mitigating factors.

      Apple suck at security. They are just lucky that no one bothered exploit this. It's that simple. A PoC has been in the public for months as well, clearly demonstrating that an attacker could execute code of his choice on any macs visiting his site.
      honeymonster
      Reply Vote

  • Well 6 months is certainly enough time for me

    to start getting problems. But I haven't.
    Laraine Anne Barker
    Reply Vote

  • RE: Apple finally patches musty old Java for Mac vulnerabilities

    Just another reason to never use Java.
    jfreedle2@...
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close