Mac users waiting months for 'critical' Java runtime update



Where's that Mac OS X Java update?

Ten months ago (October 2006), a member of Google's security team discovered and reported two code execution vulnerabilities in Sun's Java ICC (image) profile parsing code.

Seven months later (May 2007), Sun issued an update (JDK 1.5.0_11-b03) that was available for Windows, Solaris, and Linux.

One big problem. It's August 2007 and Apple's Java runtime has not yet been updated, meaning that millions of Mac OS X users are at risk of remote code execution attacks.

An alert from IBM's ISS X-Force spells out the danger:

Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit (JDK) before 1.5.0_11-b03, and 1.6.x before 1.6.0_01-b06, allows remote attackers to execute arbitrary code or cause a denial of service (JVM crash) via a crafted JPEG or BMP file.
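The alert names the bug class but not the code. As an added illustration (not Sun's, Apple's, or Fuller's code), the following C shows the general shape of a length-driven integer overflow in a parser and the check that prevents it, on a constructed, simplified ICC-style tag table (a 32-bit entry count followed by 12-byte entries of signature, offset and size). The byte arrays, the entry layout and all function names are constructed for this example; real ICC profiles and Sun's parser are more involved.

```c
/* Added illustration of the bug class in the X-Force alert: an untrusted
 * element count multiplied by an element size wraps around, so the parser
 * allocates far less than it then writes. Not the actual Sun/Apple code;
 * the tag-table layout here is a simplified, constructed stand-in. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TAG_ENTRY_SIZE 12u   /* constructed: 4-byte sig, 4-byte offset, 4-byte size */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unsafe pattern: the attacker-controlled count is multiplied without a
 * range check. With 32-bit arithmetic the product wraps, so a count of
 * 0x15555556 yields an 8-byte table for hundreds of millions of entries.
 * Only the arithmetic is shown; no buffer is written. */
uint32_t unsafe_table_bytes(uint32_t count) {
    return count * TAG_ENTRY_SIZE;          /* wraps for count > 0x15555555 */
}

/* Hardened pattern: bound the count by the bytes actually present before
 * any multiplication, and check each entry's extent without off+size
 * overflow. Returns 0 on success, -1 if the profile is rejected. */
int parse_tag_table(const uint8_t *buf, size_t len, uint32_t *out_count) {
    if (len < 4) return -1;
    uint32_t count = be32(buf);
    size_t avail = len - 4;
    if (count > avail / TAG_ENTRY_SIZE) return -1;   /* division cannot wrap */
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 4 + (size_t)i * TAG_ENTRY_SIZE;
        uint32_t off = be32(e + 4), sz = be32(e + 8);
        if (off > len || sz > len - off) return -1;  /* extent must fit in buf */
    }
    *out_count = count;
    return 0;
}

/* Constructed sample: one 'desc' entry at offset 16 with size 0 (valid). */
static const uint8_t SAMPLE_OK[16] = {
    0x00, 0x00, 0x00, 0x01,  'd', 'e', 's', 'c',
    0x00, 0x00, 0x00, 0x10,  0x00, 0x00, 0x00, 0x00
};

/* Constructed sample: same entry, but count = 0x15555556 (wraps to 8 bytes). */
static const uint8_t SAMPLE_OVERFLOW[16] = {
    0x15, 0x55, 0x55, 0x56,  'd', 'e', 's', 'c',
    0x00, 0x00, 0x00, 0x10,  0x00, 0x00, 0x00, 0x00
};

int sample_ok_result(uint32_t *count) {
    return parse_tag_table(SAMPLE_OK, sizeof SAMPLE_OK, count);
}

int sample_overflow_result(uint32_t *count) {
    return parse_tag_table(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW, count);
}

int main(void) {
    uint32_t n = 0;
    printf("unsafe size for count 0x15555556: %u bytes\n",
           unsafe_table_bytes(0x15555556u));
    printf("valid sample: %d (count %u)\n", sample_ok_result(&n), n);
    printf("overflow sample: %d\n", sample_overflow_result(&n));
    return 0;
}
```

The hardened version never computes `count * 12`; it compares the count against `avail / 12`, which cannot wrap, and then bounds each entry's offset and size separately so that `off + sz` is never evaluated as a possibly-wrapping sum.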

Chris Evans, the Google engineer credited with finding/reporting this issue, told me he only dealt with Sun's security response team during the disclosure process.

"I reported the issue just to Sun. My personal understanding is that Sun itself coordinates the heads-up with all affected consumers. You might want to contact Sun directly to see if they included Apple," Evans said in an e-mail exchange.

Apple's security team does not answer questions on specific patches (my queries routinely get a non-response about taking security seriously) so it's anyone's guess when a Mac OS X update will ship.


Tired of waiting for Apple, developer Landon Fuller has taken matters into his own hands, creating a third-party patch with full source code.

Fuller, a former engineer in Apple's BSD Technology Group and one of the primary faces behind the "Month of Apple Fixes" project earlier this year, released a proof-of-concept exploit alongside the patch to show how a rigged image file can be used to crash a fully patched browser.

"It may be difficult to exploit, but it's a fairly long time to be sitting on a public issue," Fuller said in an instant messaging exchange. "Admittedly it's time consuming to push out a new Java release, especially if you need to merge in local JRE/JDK changes and run the full TCK validation suite, but it shouldn't take this long," he added.

Fuller's patch requires the use of Unsanity's Application Enhancer. Alternatively, Mac OS X users can disable Java in their browser to close the most likely vector.

  • Not a problem at all

    We keep hearing constantly from all sorts of people (yourself included) that Macs are such a minuscule portion of the computing ecosphere that no one bothers to write malware for them, so who cares if the patch hasn't been applied for three months? No one will write an exploit for it anyway.
    • Really?

      >>> yourself included...

      Really? On this blog?

      Ryan Naraine
      • May have you confused

        with Ou. He used to write your column.
        • Not so.

          George has always written his own blog.
    • Even so...

      Java is cross-platform. So vulnerabilities affecting Java will affect Macs as well as other platforms. It doesn't matter the size of the Mac market.

      Personally, I don't like Apple's implementation of Java. They use a single installation of Java which all applications use. Apple proudly boasts this strategy as an easy way to manage Java unlike other operating systems. I studied this issue during the DST fiasco earlier this year.

      Under the DST fiasco, this was actually a plus, since I only had to go to one place to issue patches for my users, unlike Windows and Linux users.

      However, the downside is that developers using Java as their platform were limited to how much they could develop. They were constrained by the "Only Java from Apple" debacle. Waiting for my vendors to implement an improved product that matched the rich features of their Windows or Linux versions proved to be longer than expected.

      Worse yet, when troubleshooting some applications on the Macs that were crashing, we were able to pinpoint that the occurrence was caused by one Java application running at the same time as another Java application. Since every Java-based application accesses the same shared Java library on a Mac, applications were thus vulnerable to whatever flaws another application had.

      Apple does many things smartly, and I commend them for it. But their approach to Java stinks and causes too many problems. And the fact that they keep delaying the release of newer JVM's from Sun hurts not only the developers of the world willing to create apps for Macintosh, but also the end users who want the full rich experience of Macintosh.

      I may be wrong here, since I don't know every single operating system, but of the three major systems (Windows, Linux and OSX), OSX is the only one that you cannot download the latest and greatest from Sun. You have to be totally dependent on Apple.
    • agreed

      I'm not even sure why anyone bothers to apply security patches to OS X. [/sarcasm]
      • Makes me wonder why people trust MS and Bill Gates.

        OSX is the superior platform...period. Take your opinion and shove it up someone who cares.
  • Makes me glad I don't use OSX!

    Patched months ago on Linux and Windows... still waiting... and waiting... and waiting for a patch on OSX. OUCH!!!
    • the exploits are only for windoze

      you are safe on OSX, or as the last resort you can disable Java in your browser to close the most likely vector.
      Linux Geek
      • Linux Geek this exploit is for mac not windows (NT)

        SO.CAL Guy
        • still osx is safe, see...

          Linux Geek
      • Windows must be safe too if exploits are only for Windoze.

        Though I've never heard of this operating system of which you speak it certainly does attract a fair share of malware authors. It makes me question the marketshare argument I've been putting forth for some time.
        • Just like Bill Gates is also known as William Gates...

          Windows is known as Windoze. Sorry if you are too inadequate to know that. Better get out of the Windoze world and join the real world for some real communication. Then you will know these things.
          • Only by immature people.

            "Windows is known as Windoze."
      • Do me a favor?

        I'm speaking as a huge Linux fan myself. Though, I don't represent everyone, unlike you who thinks you represent everyone in the Linux community.

        Do me a favor? Change your name to something else? You're an embarrassment to us, even when you're not talking about Linux.
        • In case you are unaware...

          Linux Geek is a Microsoft employee trying to taint the name of Linux. Of course, now that 'Get the Facts' has been abandoned by MS I expect Linux Geek to drop off the face of the .net (unless he is really enjoying himself and writes these crazy rants for free!).
          • you can't call yourself a zdnet talkback reader...

            ... unless at least one person has accused you of being paid.

            Who pays for your posts?
    • Makes me glad you don't use OSX!

      Losers can stay on Windows.
    • Still waiting for a patch for ActiveX for 10 years

      When Microsoft finally fixes the ActiveX hole in Internet Explorer, one that's routinely exploited without any fixes or even antivirus updates by spyware, then it will have been a minimum of 10 years since they created it. The corresponding holes in Safari are not nearly so wide and the most obvious one can be disabled... and we've only been waiting 2 years. In many ways I'm more worried about Firefox than Safari, since vulnerabilities in the XPI installer could be exploited cross-

      Unless you're using a KDE-based Linux distribution that defaults to closed services (AND you know it), and you're using Konqueror rather than Firefox, don't be so proud of not using OS X.

      This is not to minimize Apple's liability here. They are not really that much (if any) more security conscious than Red Hat or Microsoft. Their advantage here is they got to start with a clean and largely secure design more recently than the competition. This is a major black eye for them and they need to respond pronto... but honestly I'm more concerned about LaunchServices and Safari's "Open 'Safe' Files" option than this issue.
      • Specifically which vulnerability are you referring to?

        "Still waiting for a patch for ActiveX for 10 years"