Apple Releases New Java 6 Updates with Security Enhancements




MacRumors
Jun 18, 2013, 02:38 PM


Apple today released updated versions of Java 6 for OS X, bringing additional improvements to security, reliability, and compatibility. This is a standard update to Java 6, which is distributed by Apple. Java 7 is available through Oracle (http://www.java.com/en/download/index.jsp).

Java for OS X 2013-004 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_51.

On systems that have not already installed Java for OS X 2012-006, this update disables the Java SE 6 applet plug-in. To use applets on a web page, click on the region labeled "Missing plug-in" to download the latest version of the Java applet plug-in from Oracle.

Please quit any web browsers and Java applications before installing this update.

See http://support.apple.com/kb/HT5717 for more details about this update.

See http://support.apple.com/kb/HT1222 for information about the security content of this update.

There are separate updates available for both OS X Snow Leopard (http://support.apple.com/kb/DL1573) and OS X Lion/Mountain Lion (http://support.apple.com/kb/DL1572) which can be downloaded through the Mac App Store or from Apple's software download site.

Article Link: Apple Releases New Java 6 Updates with Security Enhancements (http://www.macrumors.com/2013/06/18/apple-releases-new-java-6-updates-with-security-enhancements/)



donutbagel
Jun 18, 2013, 02:44 PM
Just give us Java 7 for (Snow) Leopard. For something that's supposed to make one compile run on every device, Java has annoying compatibility issues.

anzio
Jun 18, 2013, 02:45 PM
Just give us Java 7.

Go get it yourself. http://oracle.com

50548
Jun 18, 2013, 02:47 PM
Java? Who cares?

vmachiel
Jun 18, 2013, 02:51 PM
Java? Who cares?

I do. I want to play Minecraft

donutbagel
Jun 18, 2013, 02:55 PM
Go get it yourself. http://oracle.com

I can't. It's for Lion and up.

----------

I do. I want to play Minecraft

Tell Notch/Jeb to learn a real language. I also play Minecraft, and it's frustrating how inefficient it is.

skinned66
Jun 18, 2013, 02:56 PM
Wasn't Oracle supposed to take over Java support for OS X?

Oh they dropped the ball on that? Surprise, surprise. I lament their acquisition of Sun; and not because of Java.

EDIT: I suppose I could just download Java 7 instead. But with the track record Oracle Java has had in the last year I feel like that would just be asking for trouble. I'm glad I've had the honour of never building a dependency on it.

arkmannj
Jun 18, 2013, 02:58 PM
Glad to see Apple keeps working on it. I personally need Java for Work still.

Now all I need is for Google to make Chrome 64bit (and accept 64bit extensions/plugins) then things will be a lot better. Not having Java in Chrome is a pain for me sometimes.

Skika
Jun 18, 2013, 03:01 PM
Just give us Java 7 for (Snow) Leopard.

Or you could stop living in the past.

Inb4 "I have essential apps that don't work in Lion+"

I don't care.

SirithX
Jun 18, 2013, 03:03 PM
If I already downloaded and installed the latest Java 7 from Oracle (a while ago, too), do I really need to install this? I did through the App store anyway but I'm confused since these "updates" keep popping up in my App Store.

Morod
Jun 18, 2013, 03:09 PM
Thanks for keeping Snow Leopard updates available, Apple!

thederby
Jun 18, 2013, 03:10 PM
If I already downloaded and installed the latest Java 7 from Oracle (a while ago, too), do I really need to install this? I did through the App store anyway but I'm confused since these "updates" keep popping up in my App Store.

Likely not unless you have a Java app that specifically doesn't run on 1.7 and will only run on 1.6.

(I hate it when developers do that)

canadianpj
Jun 18, 2013, 03:17 PM
Java? Who cares?

Other people that use it besides you? What kind of an answer is that? If you do not want to use it, fine.

donutbagel
Jun 18, 2013, 03:20 PM
Or you could stop living in the past.

Inb4 "I have essential apps that don't work in Lion+"

I don't care.

That's a pretty mean response. No, the problem is that despite my computer being totally Mountain Lion and Mavericks compatible, my GPU fan runs fast, and the graphics are kinda slow in anything beyond Snow Leopard. My GPU is not slow, either. Lack of Rosetta is also a nuisance, but I can go around it.

Rocketman
Jun 18, 2013, 03:23 PM
I would like to see them release Java for OSX 10.4 and 10.5 as well so security exists for hardware that cannot run recent OS's.

Rocketman

rossip
Jun 18, 2013, 03:28 PM
So I have Java 7 installed on my Mac, but I still get these updates, is that normal? Do both versions coexist?

CReimer
Jun 18, 2013, 03:49 PM
Or you could stop living in the past.

My vintage black MacBook (2006) is still running strong with Snow Leopard, especially after the local Apple Store replaced the keyboard top and CPU fan with brand new units for modest cost. Woo-hoo! :cool:

OTOH, Mavericks looks good enough to buy new hardware for the next seven years.

dakwar
Jun 18, 2013, 04:02 PM
Or you could stop living in the past.

Inb4 "I have essential apps that don't work in Lion+"

I don't care.

Some of us aren't made out of money to buy new Apple hardware every few years, to keep up with Apple's planned obsolescence schedule.

50548
Jun 18, 2013, 04:15 PM
Other people that use it besides you? What kind of an answer is that? If you do not want to use it, fine.

It wasn't an answer; it was a question ;)

Michael Goff
Jun 18, 2013, 04:21 PM
Some of us aren't made out of money to buy new Apple hardware every few years, to keep up with Apple's planned obsolescence schedule.

"every few years"

....

*looks at the requirements of ML, sees it supports Macs from 2008*

Yep, nobody has the money to buy a Mac every few years. And you have to if you want to use ML. :rolleyes:

tevion5
Jun 18, 2013, 04:23 PM
Tell Notch/Jeb to learn a real language. I also play Minecraft, and it's frustrating how inefficient it is.

Damn right! That game should perform well on an Intel GMA by the look of it but I get a third of the frame rate of Half-Life 2 at the same resolution???

donutbagel
Jun 18, 2013, 05:08 PM
Some of us aren't made out of money to buy new Apple hardware every few years, to keep up with Apple's planned obsolescence schedule.

Some of us do have new enough Apple hardware, but it doesn't work with Mountain Lion for an unexplained reason. :(

2008 Mac Pro. It's on the list of supported Macs, and others say it works, but it just doesn't work well for me.

dakwar
Jun 18, 2013, 05:17 PM
"every few years"

....

*looks at the requirements of ML, sees it supports Macs from 2008*

Yep, nobody has the money to buy a Mac every few years. And you have to if you want to use ML. :rolleyes:

Nope. Just some of us. My 2008 black MacBook is stuck at 10.7 but runs beautifully. All I am missing is Messages, which needs at least 10.8.

MACRM32
Jun 18, 2013, 05:20 PM
So I have Java 7 installed on my Mac, but I still get these updates, is that normal? Do both versions coexist?

Yes. Apple supplies Java 6 and Oracle supplies Java 7. I need both, 7 for web and 6 for Minecraft.

FloatingBones
Jun 18, 2013, 06:28 PM
Glad to see Apple keeps working on it. I personally need Java for Work still.

Can you explain why you need Java in the browser for work? What apps are you running that requires Java? What exactly is keeping the vendor from packaging that code as a Java application? Oracle has provided packaging tools for a long time...

Now all I need is for Google to make Chrome 64bit (and accept 64bit extensions/plugins) then things will be a lot better. Not having Java in Chrome is a pain for me sometimes.

As far as anyone can tell, Java in the browser will continue to be a risk. The way for things to get better is to insist that your vendors either provide Java apps for their mission-critical code or ditch Java entirely.

The only way to be safe is to remove this vector for infection.

Stella
Jun 18, 2013, 07:02 PM
Wasn't Oracle supposed to take over Java support for OS X?

They did - anything Java 7 or greater. Doing a better job at timely releases than Apple ever did manage.

SlCKB0Y
Jun 18, 2013, 07:40 PM
Can you explain why you need Java in the browser for work? What apps are you running that requires Java? What exactly is keeping the vendor from packaging that code as a Java application? Oracle has provided packaging tools for a long time...



As far as anyone can tell, Java in the browser will continue to be a risk. The way for things to get better is to insist that your vendors either provide Java apps for their mission-critical code or ditch Java entirely.

The only way to be safe is to remove this vector for infection.

Personally - at work I have 1000+ servers all of which include out-of-band management cards. These are essentially a very small stand-alone computer embedded into a PCIE card in the server with a separate network connection and a web GUI. The remote console feature of these (from at least Dell, IBM or HP) relies on Active X or Java. Sure, I can just disable Webstart and download and run the jnlp manually from command line, but it's a pain.

FloatingBones
Jun 18, 2013, 07:47 PM
Personally - at work I have 1000+ servers all of which include out-of-band management cards. The remote console feature of these (from at least Dell, IBM or HP) relies on Active X or Java. Sure, I can just disable Webstart and download and run the jnlp manually from command line, but it's a pain.

:confused:

Your vendors could trivially package those management programs and distribute them as apps. This Oracle page (http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/packagingAppsForMac.html) says how to package your Java apps and distribute them through the MAS. No jnlp. No command line. No pain.

If you guys don't have Java (and Flash) enabled in your browser, you have immediately removed the major security threat on your Mac computers. Insisting that your vendors package their Java code as a signed app sounds like a no-brainer to me. :) Are we missing something?

parapup
Jun 18, 2013, 08:37 PM
Good to see Apple diligently continuing to support Java6 even after Oracle has stopped. (To get Java 6 Update 51 on Windows or Linux I need a support contract with Oracle!)

ArtOfWarfare
Jun 18, 2013, 09:49 PM
Some of us aren't made out of money to buy new Apple hardware every few years, to keep up with Apple's planned obsolescence schedule.

My 2006 Air is running Lion. It's extremely sluggish and I frequently check my bank accounts to see if I can scrape enough together to replace it, but alas, it looks like I won't have enough disposable cash to buy a replacement until September. At least I just gave my 2007 iMac a memory upgrade so it can keep going for another year or two.

(I guess this is what a Recession is? Or is this just called being a broke college student who has to pay all their own bills?)

SlCKB0Y
Jun 19, 2013, 12:16 AM
:confused:

Your vendors could trivially package those management programs and distribute them as apps.

There are a number of problems with this:

1. A lot of these cards are in servers which are 3-5+ years old and major changes like this are very unlikely - security patches to the card firmware are about the best we could expect.

2. The jnlp seems to be generated on the fly as they are machine specific and include some sort of one-time authentication mechanism (using certificates/keys I think).

They all use some sort of modified Java VNC (but which can still get video output when the server is turned off or in pre-OS boot stages). If they could support vanilla VNC clients this would remove the need for Java completely.

Due to the security issues I've taken to using a Windows VM to isolate anything Flash or Java related, but it's not an elegant solution.

foobarbaz
Jun 19, 2013, 01:19 AM
So I have Java 7 installed on my Mac, but I still get these updates, is that normal? Do both versions coexist?

Yes, both versions coexist and certain GUI apps will only use version 6. (Command line tools automatically use 7, though.)

So install the update. :)

foobarbaz
Jun 19, 2013, 01:37 AM
Wait, that download link points to version 2013-003... where can we download 2013-04? (The update doesn't appear in the AppStore for 10.9.)

vmachiel
Jun 19, 2013, 07:19 AM
I can't. It's for Lion and up.

----------



Tell Notch/Jeb to learn a real language. I also play Minecraft, and it's frustrating how inefficient it is.

Yeah like they're going to rewrite the whole game. Plus, it's kinda nice that updates come for PC and Mac at the same time.

FloatingBones
Jun 19, 2013, 07:45 AM
1. A lot of these cards are in servers which are 3-5+ years old and major changes like this are very unlikely - security patches to the card firmware are about the best we could expect.

Why are you characterizing a change in packaging of the software as a "major change"? :confused: Did you look at the Oracle page showing how to do this?

2. The jnlp seems to be generated on the fly as they are machine specific and include some sort of one-time authentication mechanism (using certificates/keys I think).

Again, I'm confused. As I noted earlier, generating an app means that you are not using jnlp.

Due to the security issues I've taken to using a Windows VM to isolate anything Flash or Java related, but it's not an elegant solution.

This is good news. It's a superb idea even if you're only running Java and Flash that has been packaged as apps.

Here's the $64K question: does your shop have a policy to only allow Flash and Java to be runnable under those protected VMs? Do you prevent your operators from installing Flash/Java plugins on the top-level OS on those machines?

arkmannj
Jun 19, 2013, 08:40 AM
Can you explain why you need Java in the browser for work? What apps are you running that requires Java? What exactly is keeping the vendor from packaging that code as a Java application? Oracle has provided packaging tools for a long time...


There's a system security check, and a bit that launches/kickstarts another Java application. So I actually need both in browser Java, and Java Applications to work. I'm not sure there is anything preventing the vendor from doing things differently but this is what our company has, it works, and it's what I'm paid to use. I'm glad to see Apple still supporting Java. If I want to connect with a Windows machine then I can connect using a proprietary application, as our company standard is Windows. I prefer to connect with my Mac or Linux machines so Java is a part of that solution. I realize there is a disdain for Java, and I do have my share of frustrations, but not all of us have the luxury of switching technologies at the drop of a hat so we use what works and what is offered. If you don't like it then fine, don't use it. But for many of us, Java does the job well enough.

autrefois
Jun 19, 2013, 09:35 AM
:confused:
If you guys don't have Java (and Flash) enabled in your browser, you have immediately removed the major security threat on your Mac computers. Insisting that your vendors package their Java code as a signed app sounds like a no-brainer to me. :) Are we missing something?

You are missing that millions of people in a wide variety of fields (including mine, education) use Java on a daily basis — in many cases, others have made the decision about which product to use and we have little or no say in it sometimes. Last year, I woke up one day and suddenly could not use a tool that I use every day because Java was out of date and Apple had disabled it, and no working version was available at the time. At least it hasn't happened recently AFAIK that a non-blocked version isn't even available yet (which was the case initially), but throughout the semester a number of students had problems because their Java was out of date. I've heard similar anecdotes elsewhere and a number of people were rightly up in arms about it at MacRumors as well. Just because you don't think Java is needed doesn't mean that there aren't other people who have to use it and have little control over the situation.

Some of us aren't made out of money to buy new Apple hardware every few years, to keep up with Apple's planned obsolescence schedule.

Bingo. Lots of people (heck, I would even go out on a limb and say billions of people) can't afford to buy a new computer every few years. It doesn't help that Apple has made it nearly impossible to upgrade its machines because of its obsession with shrinking everything (even the iMac and Mac Pro, non-portable devices). It's very hard if not impossible to upgrade most of Apple's current line-up. You either have to buy a completely new machine or just wait things out.

Given that Apple just dropped the pricing of Macbook Air, I wonder if they realize that with the state of the global economy, they need to lower prices or their sales will drop. Even with the "reverse halo effect" of people buying Macs because of their love for iDevices, some people and institutions can't afford the latest and greatest Macs (I initially said "hardware", but whether Apple uses the latest and greatest hardware as compared to others is a discussion for another thread...).

EDIT: I do applaud Apple btw for making iOS 7 compatible with iPhone 4, we'll see how feature-crippled it is (due to actual or artificial constraints) but I think this is a step in the right direction.

vanjabucic
Jun 19, 2013, 10:31 AM
:confused:

Your vendors could trivially package those management programs and distribute them as apps. This Oracle page (http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/packagingAppsForMac.html) says how to package your Java apps and distribute them through the MAS. No jnlp. No command line. No pain.

If you guys don't have Java (and Flash) enabled in your browser, you have immediately removed the major security threat on your Mac computers. Insisting that your vendors package their Java code as a signed app sounds like a no-brainer to me. :) Are we missing something?

At least you seem to be missing a lot.
If you don't grasp the premise of webstart deployment strategy and implementation details, please refrain from commenting. And please keep MAS out of it as it has zero relevance to this discussion.

donutbagel
Jun 19, 2013, 10:38 AM
Yeah like they're going to rewrite the whole game. Plus, it's kinda nice that updates come for PC and Mac at the same time.

They already re-wrote it for XBOX 360. If they do it right, it should be easy to distribute Mac and Windows versions at the same time like how AssaultCube does it.

----------

They did - anything Java 7 or greater. Doing a better job at timely releases than Apple ever did manage.

Except Java 7 doesn't work for Snow Leopard or below even though it works with Windows XP.

yg17
Jun 19, 2013, 10:46 AM
Java? Who cares?


The millions of people who use it every day and the Java developers like myself who make a living with it. The world doesn't revolve around you. Just because you don't use it doesn't mean no one else does.

MacMan988
Jun 19, 2013, 11:09 AM
Wait, didn't they stop producing Java updates for OS X?

FloatingBones
Jun 19, 2013, 11:17 AM
There's a system security check, and a bit that launches/kickstarts another Java application. So I actually need both in browser Java, and Java Applications to work. I'm not sure there is anything preventing the vendor from doing things differently but this is what our company has, it works, and it's what I'm paid to use.

Let's summarize:

Your vendor is complacent. They fail to provide signed Java apps -- even though it's very straightforward to package, sign, and deliver their apps this way.

Your company is complacent. They fail to recognize the vectors for computer viruses they leave open because of the artificial requirement for running Java (and, for other complacent companies, Flash) in the browser.

You are complacent. You allow these gaping security holes to exist -- holes that could have massive costs to your company.

This is not the first time we've had a massive complacency towards infection. Have you ever heard of this book and movie (http://en.wikipedia.org/wiki/And_the_Band_Played_On_(film))?

I prefer to connect with my Mac or Linux machines so Java is a part of that solution.

Running Java and Flash in the browser is not part of the solution. It is a huge chunk of the problem. Remove these 2 plugins from computers and major vectors for infections on Macs disappear instantly.

I realize there is a disdain for Java

Incorrect. You have stepped over a crucial distinction -- you're arguing against a straw man.

I have no disdain for Java/Flash per se. You are welcome to run signed Java standalone apps and signed Flash standalone apps. You're welcome to run Java or Flash apps on any computing platform you wish: servers, desktops, laptops, tablets, smart phones, and other portable devices. The problem happens when Java and Flash are run on any of those platforms in the browser.

but not all of us have the luxury of switching technologies at the drop of a hat so we use what works and what is offered.

In short, you are apathetic about the risk and a clear and effective way to address it. Your above "disdain for Java" conjecture reveals you didn't even understand the nature of the problem and its solution.

If you don't like it then fine, don't use it. But for many of us, Java does the job well enough.

Java-in-the-browser does the job well enough -- for the hackers and spear-phishers. :(

What will it take to break through this attitude of complacency?

You are missing that millions of people in a wide variety of fields (including mine, education) use Java on a daily basis — in many cases, others have made the decision about which product to use and we have little or no say in it sometimes.

Why do you think you have little say?

What happened when you asked the vendors of that software to package their Java code as an app rather than run it in the browser?

This distinction between Java-in-the-browser and signed standalone Java apps was clearly made in the discussion. The issue is not with Java, it's with running Java in the browser. Did you read the discussion up to this point? Do you now understand the distinction?

Last year, I woke up one day and suddenly could not use a tool that I use every day because Java was out of date and Apple had disabled it, and no working version was available at the time.

If you wish to avoid such problems in the future, an obvious solution is to convince the providers of those programs to package them as apps. Does that make sense to you?

Some teacher/administrator who championed providers to package their code as signed apps would be a hero. :cool:

I've heard similar anecdotes elsewhere and a number of people were rightly up in arms about it at MacRumors as well.

If you're saying there's an attitude of complacency in multiple uses of Java/Flash in the browser, you'll get no disagreement from me. :D

Stop. Being. Complacent.

Just because you don't think Java is needed doesn't mean that there aren't other people who have to use it and have little control over the situation.

You have misconstrued the problem. And you have underestimated your power to influence the providers of your Java apps with a simple suggestion to ensure their availability.

Indirectly, by lowering/eliminating the need for Java/Flash in the browser, you will have helped make everybody's computer safer from infection.

At least you seem to be missing a lot.
If you don't grasp the premise of webstart deployment strategy and implementation details, please refrain from commenting. And please keep MAS out of it as it has zero relevance to this discussion.

Welcome to MacRumors, vanjabucic.

Why exactly do you think that we should live with the risks of running Java and Flash in the browser? Why do you think that distributing code via signed apps is the way to go? Claiming that we're missing something without explaining why is a FAIL.

ed724
Jun 19, 2013, 12:09 PM
10.8.4 is out as well !!!!!!

Stella
Jun 19, 2013, 12:40 PM
They already re-wrote it for XBOX 360. If they do it right, it should be easy to distribute Mac and Windows versions at the same time like how AssaultCube does it.

----------



Except Java 7 doesn't work for Snow Leopard or below even though it works with Windows XP.

Yes. But how does that change the fact that Oracle are fulfilling their promise. Oracle never promised to support Java 1.6 or older on the Mac.

In any case Java 1.6 is EOL.

donutbagel
Jun 19, 2013, 01:15 PM
Yes. But how does that change the fact that Oracle are fulfilling their promise. Oracle never promised to support Java 1.6 or older on the Mac.

In any case Java 1.6 is EOL.

Then they didn't promise enough. It says on their site: "From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!" and "Java is the foundation for virtually every type of networked application and is the global standard for developing and delivering mobile applications, games, Web-based content, and enterprise software." But the so-called standard has terrible support for Macs that aren't new.

I'm also still stuck with Java 1.5 on my 2006 MacBook unless I upgrade it to Snow Leopard, which I'm afraid to do.

vmachiel
Jun 19, 2013, 02:48 PM
They already re-wrote it for XBOX 360. If they do it right, it should be easy to distribute Mac and Windows versions at the same time like how AssaultCube does it.

----------



Except Java 7 doesn't work for Snow Leopard or below even though it works with Windows XP.

Hmm true, but the Xbox version is different in many ways. It gets updated by a whole different team than the main version. A rewrite would take a long time, and the game is working great as it is.

Stella
Jun 19, 2013, 05:32 PM
Then they didn't promise enough. It says on their site: "From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!" and "Java is the foundation for virtually every type of networked application and is the global standard for developing and delivering mobile applications, games, Web-based content, and enterprise software." But the so-called standard has terrible support for Macs that aren't new.

I'm also still stuck with Java 1.5 on my 2006 MacBook unless I upgrade it to Snow Leopard, which I'm afraid to do.

Oracle OSX implementation of Java 1.7 is based upon Apple's 1.6 JVM. It is probably difficult for Oracle to get 1.7 working for older OSX's - and probably little point either - not enough user base.

Just be glad Oracle is supporting Java on OSX to begin with after Apple gave it up ( like a lot of other of its software ).

donutbagel
Jun 19, 2013, 05:58 PM
Hmm true, but the Xbox version is different in many ways. It gets updated by a whole different team than the main version. A rewrite would take a long time, and the game is working great as it is.

It would take a lot of time, but no, the game is not working well right now. It hogs RAM and CPU and has random crashing problems.

FloatingBones
Jun 19, 2013, 06:27 PM
Then they didn't promise enough. It says on their site: "From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!" and "Java is the foundation for virtually every type of networked application and is the global standard for developing and delivering mobile applications, games, Web-based content, and enterprise software." But the so-called standard has terrible support for Macs that aren't new.

The statement was a gross overreach. Java was never a global standard for mobile apps (whatever that is supposed to mean). Android is not a standard port of the Java API. Since Oracle's lawsuit was a failure (http://en.wikipedia.org/wiki/Oracle_v._Google), they get no value from Google's use of the language/API.

Most of the problems Steve Jobs discussed in the "Thoughts on Flash" memo (April, 2010) are equally applicable to Java. Native code for the particular platform will consistently perform better, and accessibility will consistently perform poorly. I recommend reading that memo to see the particulars.

No matter what Steve wrote or what I think, I fully support anyone who wishes to develop and distribute their code as Java apps (or Flash apps). OTOH, the distribution of Java/Flash code to run in web browsers is dangerous; both Oracle and Adobe have had countless exploits of their runtime environments. IMHO, nobody should be running Java/Flash in the browser.

Oracle and Adobe are trying to hype Java/Flash. They over-emphasize their value and fail to note the clear and present danger of these environments. Looking to an Oracle's webpage for an objective evaluation of Java would be foolish.

Harry2706
Jun 19, 2013, 06:51 PM
Having trouble with Harmony Remote since the change - appears others also with problems on Apple Forums

donutbagel
Jun 19, 2013, 06:54 PM
Having trouble with Harmony Remote since the change - appears others also with problems on Apple Forums

That's why I don't install these kinds of updates.

vmachiel
Jun 20, 2013, 04:37 AM
It would take a lot of time, but no, the game is not working well right now. It hogs RAM and CPU and has random crashing problems.

Hmm I don't have any problems with it. But they've already said they are sticking with Java. It's also fairly easy for people to write mods for it.

donutbagel
Jun 20, 2013, 11:40 AM
Hmm I don't have any problems with it. But they've already said they are sticking with Java. It's also fairly easy for people to write mods for it.

Since I'm making a Bukkit plugin right now, I'm glad it's Java at the moment since the only other thing I know is Objective-C (barely) :D
But seriously, it's become a joke by now. "Minecraft: 80s graphics, 2030s RAM usage."

pmjoe
Jun 20, 2013, 12:12 PM
OTOH, the distribution of Java/Flash code to run in web browsers is dangerous; both Oracle and Adobe have had countless exploits of their runtime environments. IMHO, nobody should be running Java/Flash in the browser.

You really don't know what you're talking about. Java in the browser has a number of sandbox security restrictions in place that you do not get when you just download and run a Java (or any native) application.

The main risk in a browser today is that you might "browse", find and inadvertently run untrusted code on the web. If I sent you a zip file of untrusted Mac applications for you to browse on your desktop and run, your computer would be at far greater risk.

In the end, the main thing is not Java/Flash/browsers/etc. it's knowing where the software you choose to run comes from and if you choose to trust it. Deriding people here for running trusted Java apps they use for their day to day jobs is pointless.

vmachiel
Jun 20, 2013, 01:30 PM
Since I'm making a Bukkit plugin right now, I'm glad it's Java at the moment since the only other thing I know is Objective-C (barely) :D
But seriously, it's become a joke by now. "Minecraft: 80s graphics, 2030s RAM usage."

It's not about the graphics. The worlds are immense and very heavy to keep in (virtual) memory.

FloatingBones
Jun 20, 2013, 01:48 PM
OTOH, the distribution of Java/Flash code to run in web browsers is dangerous; both Oracle and Adobe have had countless exploits of their runtime environments. IMHO, nobody should be running Java/Flash in the browser.
You really don't know what you're talking about. Java in the browser has a number of sandbox security restrictions in place

Did you actually read the details (http://support.apple.com/kb/HT5797) of this update from Apple? From the announcement:

Multiple vulnerabilities existed in Java 1.6.0_45, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox: CVE-2013-1500, CVE-2013-1571, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2459, CVE-2013-2461, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, and CVE-2013-2445.

You can google those identifiers in the NIST National Vulnerability Database (http://nvd.nist.gov/) to get the gory details of the individual exploits. This bleeding has gone on for years, and there's no sign that it will be stopping. Nobody -- absolutely nobody -- should be running Java/Flash in the browser.

that you do not get when you just download and run a Java (or any native) application.

The distinction is that apps from the MAS are signed and distributed by a known entity. Contrast with the web browser where one is executing arbitrary code from random entities.

If I sent you a zip file of untrusted Mac applications for you to browse on your desktop and run, your computer would be at far greater risk.

I have been explicit in this discussion: the safe behavior is to run applications from the MAS. I never said that one should accept and run zip files from random sources. Why in heaven's name are you arguing against a straw man? :confused:

In the end, the main thing is not Java/Flash/browsers/etc. it's knowing where the software you choose to run comes from and if you choose to trust it.

Wrong. Adobe clearly disagrees: Flash code runs by default; they provide no way to selectively run Flash code. You must get plugins like ClickToFlash to selectively run Flash code.

Deriding people here for running trusted Java apps they use for their day to day jobs is pointless.

The problem is that it's waaaay too easy to run UNtrusted apps in the browser.

Here's how we know you're wrong: if there was no value in creating malware that escaped the Java/Flash firewalls, there wouldn't be hundreds of individuals selling their malware for thousands of dollars causing millions of people to have to download these constant software updates. Adobe and Oracle have failed to secure their firewalls.

Also, like multiple posters here, you misrepresent my point of view. I think it's just fine for people to run trusted Java apps on their machines. For the safe computing of all, I suggest that they run those trusted apps by getting them through the MAS.

Do you understand now?

donutbagel
Jun 20, 2013, 01:49 PM
It's not about the graphics. The worlds are immense and very heavy to keep in (virtual) memory.

Yeah, it's not about graphics. The joke is a little inaccurate. But the nearly 1GB of RAM usage after some playing time and massive CPU usage is not justified. Java is inherently inefficient. If I make something simple in Java, and I code properly for efficiency, it uses a lot more CPU and RAM than a comparable program written in C and compiled.

SlCKB0Y
Jun 20, 2013, 07:49 PM
Why are you characterizing a change in packaging of the software as a "major change"? :confused: Did you look at the Oracle page showing how to do this?


Have you ever tried to get a multinational vendor to make any changes no matter how minor to any aspect of their processes (or in fact do anything at all)? :D We were recently ready to switch from our current vendor for servers and make an immediate initial purchase with a competitor. This would have been in the range of 3-500K worth of gear.

Our only request was that we be provided with a proof of concept setup to test integration on site in our current data centre setup.

This pretty basic sales request had to go through 5 different people, took 4 meetings and 3 months to achieve. We went with someone else.

So when I use the word "major" above, it is a relative term. If it takes all that effort to get a few testing servers and a SAN so we can give them an effortless half million dollar sale, getting them to globally update the firmware on a 3+ year old product is a major change.


Again, I'm confused. As I noted earlier, generating an app means that you are not using jnlp.

Well, I'm not a developer (I was a Linux sysadmin and project leader before becoming management) and I'm not that familiar with the complexities of Java so perhaps you could take a guess at how this works:

1. When I'm logged into the remote access card GUI and click on a remote console link, I get served a .jnlp file.

2. This file will only connect to the server which served it.

3. It does not require me to perform any sort of authentication (but I know authentication is taking place).

4. It can only be used for one console login or within a certain expiry time, whichever comes first. After that it fails.

5. My remote IP is not relevant. If I get served the jnlp and change my IP it will still work as long as (4) is fulfilled.

6. It can handle concurrent console logins.
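
One design that would produce the behaviour listed in points 2 to 6 above, as an added example that is not part of the original post and not any vendor's code: after the GUI login, the card issues a random single-use ticket and embeds it in the served .jnlp. The class, method and user names are hypothetical, and the timestamps in `demo()` are constructed.

```python
import hashlib
import secrets
import time

class LaunchTicketStore:
    """Hypothetical per-server store for tickets embedded in a served .jnlp."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(ticket) -> (user, expiry); exists only on this server

    @staticmethod
    def _digest(ticket):
        return hashlib.sha256(ticket.encode()).hexdigest()

    def issue(self, user, now=None):
        """Call only after the web GUI session has authenticated `user`."""
        now = time.time() if now is None else now
        self._purge(now)
        ticket = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._pending[self._digest(ticket)] = (user, now + self.ttl)
        return ticket  # written into the .jnlp as a launch argument

    def redeem(self, ticket, now=None):
        """Return the user for a valid ticket, else None. Client IP is never consulted."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(ticket), None)  # pop makes it single-use
        if entry is None:
            return None  # unknown, already used, or issued by another server
        user, expiry = entry
        return user if now <= expiry else None

    def _purge(self, now):
        """Drop expired tickets so abandoned .jnlp downloads do not accumulate."""
        for key in [k for k, (_, exp) in self._pending.items() if exp < now]:
            del self._pending[key]

def demo():
    """Constructed walk-through of points 2 to 6; returns each outcome."""
    card_a, card_b = LaunchTicketStore(60), LaunchTicketStore(60)
    t1, t2, t3, t4 = (card_a.issue("admin", now=1000) for _ in range(4))
    return {
        "first_use": card_a.redeem(t1, now=1010),
        "replay": card_a.redeem(t1, now=1011),
        "concurrent": card_a.redeem(t2, now=1012),
        "expired": card_a.redeem(t3, now=1061),
        "other_server": card_b.redeem(t4, now=1012),
    }
```

Because the ticket alone authorises the console session until it is used or expires, the .jnlp file has to be treated like a password while it is live.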

darkplanets
Jun 20, 2013, 08:05 PM
Just a heads up for anyone (forced) to use Juniper's Network Connect -- this update bricks the connection phase of the program.

Since the app is 32 bit only, it can't run 1.7 either. I highly doubt Juniper will release a 64bit client, or change anything in the program for that matter. Apple may or may not change things further in future 1.6 updates.

SlCKB0Y
Jun 20, 2013, 08:09 PM
Here's the $64K question: does your shop have a policy to only allow Flash and Java to be runnable under those protected VMs?

We sure do. They get a browser served via Remote Desktop Services from a VM on one of our servers.

vmachiel
Jun 21, 2013, 01:46 AM
Yeah, it's not about graphics. The joke is a little inaccurate. But the nearly 1GB of RAM usage after some playing time and massive CPU usage is not justified. Java is inherently inefficient. If I make something simple in Java, and I code properly for efficiency, it uses a lot more CPU and RAM than a comparable program written in C and compiled.

True, Java can be inefficient. But it's not going to go to C or anything else, so we'll just have to make do. They are dropping a lot of inefficiencies in the 1.6 update: no more Java 5 and minimum of OpenGL 2. Hopefully this will help a little bit.

donutbagel
Jun 21, 2013, 02:01 AM
True, Java can be inefficient. But it's not going to go to C or anything else, so we'll just have to make do. They are dropping a lot of inefficiencies in the 1.6 update: no more Java 5 and minimum of OpenGL 2. Hopefully this will help a little bit.

It will help, but then it also won't work on my MacBook because it's stuck at Java 5 (not my main computer so it's not that bad). As I was complaining about earlier, Java support for Mac can sometimes suck.

FloatingBones
Jun 21, 2013, 06:38 AM
Have you ever tried to get a multinational vendor to make any changes no matter how minor to any aspect of their processes (or in fact do anything at all)?

Nope. It is a minor change. It involves no change in the code. If some vendor were inept at packaging their code this way, it could be farmed out to a third party shop -- or even an intern.

So when I use the word "major" above, it is a relative term.

In this context, it is a nonsensical term. :D

Well, I'm not a developer (I was a Linux sysadmin and project leader before becoming management) and I'm not that familiar with the complexities of Java so perhaps you could take a guess at how this works [SNIP]

If the vendor provides an app, you don't have to do any of those genuflections. You just run the app. Simple.

Here's the $64K question: does your shop have a policy to only allow Flash and Java to be runnable under those protected VMs? Do you prevent your operators from installing Flash/Java plugins on the top-level OS on those machines?

We sure do. They get a browser served via Remote Desktop Services from a VM on one of our servers.

Good for you. Really. You should not be one of those shops who gets their production database hacked through the Java/Flash virus vectors.

One note: if you had your Java code installed as an app, you would obviate the need to have any Internet connectivity whatsoever on those VMs. That sounds like a very smart safety measure to me.