Mac flaw may also affect Windows


MacBytes
Apr 24, 2007, 08:03 AM
Category: News and Press Releases
Link: Mac flaw may also affect Windows (http://www.macbytes.com/link.php?sid=20070424090330)

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

ppc_michael
Apr 24, 2007, 08:16 AM
Yet another reason to hate Java. :(

clevin
Apr 24, 2007, 08:37 AM
users of both the Mac OS X and Windows should turn off Java, if they have Apple's QuickTime software installed, Dai Zovi said.
another reason to use VLC rather than quicktime, lol

dmelgar
Apr 24, 2007, 08:48 AM
Yet another reason to hate Java. :(
There are no reasons to hate Java. Java is the key portable language. It's hated by Microsoft. Every other language tends to lock you into an operating system or platform, but you can write a Java program and run it on Mac OS X, or Linux or Windows or just about anywhere. Microsoft hates that. That's enough for me to love it.
BTW, Java has an excellent security model as well, unlike other languages.

Sam0r
Apr 24, 2007, 09:35 AM
To me, Java and TCL/TK are two of those scripting languages that should never ever ever ever have been created.

They're so amazingly slow and resource hungry, it's just astonishing how they've actually lasted this long.

Take a look at Azureus, aMSN, Mercury Messenger and you'll see what I mean.

dejo
Apr 24, 2007, 09:41 AM
To me, Java and TCL/TK are two of those scripting languages that should never ever ever ever have been created.
Java is not a scripting language. That would be JavaScript. And although JavaScript and Java are (loosely) related, they are not at all the same thing.

clevin
Apr 24, 2007, 09:41 AM
To me, Java and TCL/TK are two of those scripting languages that should never ever ever ever have been created.

They're so amazingly slow and resource hungry, it's just astonishing how they've actually lasted this long.

Take a look at Azureus, aMSN, Mercury Messenger and you'll see what I mean.

If there were no OS X, Linux, Unix, only Windows, then you wouldn't need to bear Java anymore.

Nothing in this world is perfect. You sure can complain about its defects, but don't forget its benefits at the same time.

Sam0r
Apr 24, 2007, 09:45 AM
Sorry, not scripting language, I forgot the word for a language that isn't compiled.

Anyway, the only reason people use Java is because it's so damn easy to port the application to other operating systems.

Yeah, that's a great thing, but I'd much rather the application be as snappy as a C++ application which has been compiled than a slow, memory hungry, uncompiled Java application.

Java isn't too bad from my experience with it on Windows, but it sure is slow on a Mac, and don't even get me started on TCL/TK.

jwa276
Apr 24, 2007, 09:55 AM
I hate Java apps. I wish they would all disappear! They are always buggy, slow, and hog all my resources (especially when used over the web).

Has anybody seen Adobe's new Apollo? It looks like the graphic designer's revenge to Java. It covers the multi platform issue seamlessly while being up to date on the most recent web 2.0 technologies.

I for one hope that Java dies a painful and meaningless death. :D

Sorry if that's a bit dark, I just had a sudden spurt of hatred because my health plan's online chat system uses Java and it crapped out on every computer I own...

iJawn108
Apr 24, 2007, 09:56 AM
What's Java, you ask? Beats me. I think I used it in 1995. Really, would you allow a 12-year old to run wild in your browser?

I never run with Java on, and I have yet to see any need to.

dejo
Apr 24, 2007, 09:58 AM
Sorry, not scripting language, I forgot the word for a language that isn't compiled.
I believe the term you're looking for is "interpreted language". Ah, but Java is compiled, normally just to bytecode, but compilation to native machine code is also possible. Seems like you have heard some common Java misconceptions. I'd suggest doing a bit of research. :)

Sam0r
Apr 24, 2007, 10:00 AM
I believe the term you're looking for is "interpreted language". Ah, but Java is compiled, normally just to bytecode, but compilation to native machine code is also possible. Seems like you have heard some common Java misconceptions. I'd suggest doing a bit of research. :)

You're probably right. I always thought it was an interpreted language (thank you).

So, if it IS in fact compiled, why is it so slow?

dejo
Apr 24, 2007, 10:07 AM
So, if it IS in fact compiled, why is it so slow?
It's normally not compiled to machine code and most compilers don't do any optimization but rather leave it to the JRE.

Okay, enough thread hijacking...

Earendil
Apr 24, 2007, 11:46 AM
After taking a crash course in Java Programming this last January term from the amazing (at least to us) Dr. Jones, I'd like to add my two cents concerning Java Bashing :-)

Java used to be dog slow due to the interpretation.
However, Java as it stands today has about a 1% loss in performance, and if done well, even less, application depending.

There are probably a number of Java shareware apps that you use and don't know they are even written in Java because they don't act/behave like the java apps of the late 90's early 00's.

Peace,
~Tyler

tutubibi
Apr 24, 2007, 11:50 AM
I hate Java apps. I wish they would all disappear! They are always buggy, slow, and hog all my resources (especially when used over the web).

Has anybody seen Adobe's new Apollo? It looks like the graphic designer's revenge to Java. It covers the multi platform issue seamlessly while being up to date on the most recent web 2.0 technologies.

I for one hope that Java dies a painful and meaningless death. :D

Sorry if that's a bit dark, I just had a sudden spurt of hatred because my health plan's online chat system uses Java and it crapped out on every computer I own...

Nobody is forcing you to use Java apps (unless you are in the SW development field :D ).

And often it's not Java but sloppy programming to blame. Entry criteria to be considered a programmer these days is pretty low (started going downhill with Visual Basic :) ).

aranhamo
Apr 24, 2007, 12:22 PM
Java is nominally an interpreted language, and it used to be slow back in the old days. A lot of the FUD about Java used to be true, just like a lot of the criticisms of Macs used to be true, but are mostly false today.

Just-In-Time compilers have greatly improved the performance of interpreted languages like Java and C#. I don't have a lot of experience with .NET applications, but as I understand it, all .NET applications are compiled into a form of bytecode called Common Intermediate Language, regardless of which language they were originally developed in. They are then compiled at runtime, using a JIT, but the performance is still very good and for most applications indistinguishable from compiled code.

This is how modern Java JVMs work as well. Most of the code executed during a typical Java program is actually native code, as common packages are precompiled, and each class is only interpreted the first time that it is loaded. During my undergrad studies, we performed a number of benchmarks comparing Java performance with compiled C and C++ code, and for most applications the Java code performed about as fast as the native code, and in a few cases even faster. There were of course some applications where the native code always beat the Java code, but usually not by much.

JVMs vary, and I've heard that performance is poor in Apple's JVM, but I've never noticed it myself. But I rarely have an opportunity to code in Java at all, let alone on a Mac. At my current job I work mostly in Perl on Linux and VSC++ 6.

Every language and programming environment has its advantages; sometimes Java is an appropriate language to use, sometimes it's not. Development with Java is often faster and more bug-free than many other languages, particularly C and C++. There are great IDEs available for Java development. It can be easier to develop multi-platform programs in Java. It's more object-oriented than most other languages, which can contribute to better, more bug-free code.

Especially don't confuse Java with Javascript. They have similar syntax, but they are totally different, and most of the problems I encounter with websites have nothing to do with Java, but rather Javascript.

As another poster said, there are probably a lot of applications you use that were written in Java and you don't even know it.

Below is a nice article on what's good about Java, but other languages have their strengths as well:
http://www.unix.org.ua/orelly/java-ent/jnut/ch01_02.htm

aranhamo
Apr 24, 2007, 12:36 PM
I never run with Java on, and I have yet to see any need to.

Strikes me as ironic that Pinkerton calls Java irrelevant while posting on his Camino blog...

daveL
Apr 24, 2007, 02:00 PM
From what I recall, no one had been able to hack the Mac after the first 2 days of the contest, so the organizers rigged up a malformed, empty Web page to provide a target for the attack. It was only then that the winner of the contest succeeded in breaking in.

I won't be turning Java off.

aranhamo
Apr 24, 2007, 02:42 PM
From what I recall, no one had been able to hack the Mac after the first 2 days of the contest, so the organizers rigged up a malformed, empty Web page to provide a target for the attack. It was only then that the winner of the contest succeeded in breaking in.

I won't be turning Java off.

My understanding is that the attacker created the web page, which exploited a Java-related flaw in Quicktime (which Safari uses for a number of things). Then, when viewing the page in Safari on the target computer, it allows the attacker to gain access to a shell with user-level privileges.

The rules were relaxed to allow that exploit, but only in that I believe the first day rules required the attacker to gain access without user intervention, which no one was able to do on the first day. The successful exploit requires the user to visit the malicious web site.

nagromme
Apr 24, 2007, 04:47 PM
From what I recall, no one had been able to hack the Mac after the first 2 days of the contest, so the organizers rigged up a malformed, empty Web page to provide a target for the attack. It was only then that the winner of the contest succeeded in breaking in.

I won't be turning Java off.

That's not quite what happened. Nothing was done to make the target MacBook more vulnerable than normal. Rather, exploits that involved the World Wide Web were not allowed at first, with the plan being to allow them later. That's what happened. Perfectly fair rules, since people do use the World Wide Web.

YOUR computer is vulnerable to this bug, regardless of whether you use Safari, Firefox, or IE, with no rigging needed, if you visit a malicious Web site, or if a site you already use is hacked to make it malicious.

The reason there's not much cause to worry is that the details have not been shared with the public. But in theory someone else COULD find the flaw before Apple fixes it, and COULD craft a malicious page, and you COULD visit that page for some reason before it gets caught and shut down.

Pretty long odds, but if you don't need Javascript*, turning it off for a week or two is simple protection :)

Stratification
Apr 24, 2007, 05:25 PM
I hate Java apps. I wish they would all disappear! They are always buggy, slow, and hog all my resources (especially when used over the web).

Has anybody seen Adobe's new Apollo? It looks like the graphic designer's revenge to Java. It covers the multi platform issue seamlessly while being up to date on the most recent web 2.0 technologies.

I for one hope that Java dies a painful and meaningless death. :D

Sorry if that's a bit dark, I just had a sudden spurt of hatred because my health plan's online chat system uses Java and it crapped out on every computer I own...

Keep in mind that a lot of Apollo apps will be written in Flex Builder, which is built on Eclipse, which is . . . a Java application.

dejo
Apr 24, 2007, 05:48 PM
Pretty long odds, but if you don't need Javascript, turning it off for a week or two is simple protection :)
You meant Java, right? ;)

nagromme
Apr 24, 2007, 06:00 PM
You meant Java, right? ;)

* Yes, indeed I do :o Which is lucky, since turning off JavaScript would inconvenience me more.

zv470
Apr 25, 2007, 05:52 AM
So, if it IS in fact compiled, why is it so slow?

...because Java does all the memory management for you.

SPUY767
Apr 25, 2007, 06:01 AM
So are we certain that this is Java? Because originally it was JavaScript's WebKit implementation, now it's a QuickTime bug with Java. All this while being reported by SecurityFocus, which I believe is a Symantec-sponsored website. With David Dai Zoi or whatever the hell his name is being quoted as saying now three different things that I have read. Someone needs to get down to the bottom of this. The most likely scenario is a combination of Java not playing like it's supposed to, and QuickTime not handling some erroneous data properly.

SPUY767
Apr 25, 2007, 07:40 AM
...because Java does all the memory management for you.

I'm pretty sure that isn't even close to right. All applications do memory management, Java just does it for you, releasing chunks of memory when they are no longer referenced, and collecting garbage. Automatic memory management may cause a slight slowdown since it's not possible to streamline the process, but any application that didn't have memory management wouldn't work properly. Java isn't really that slow any more. Almost all new processors are waiting to do stuff because it processes things faster than a human can input them. With notable exception such as high end graphics work, video, and gaming, there is little that we do that can tax a modern processor. Java's engine has been streamlined, and there is very little performance lost when running a java app vs a regular app built on any API.

To note, VisualBasic and C# apps run much slower than java. A few years ago, my employer needed a specific DB application designed and relied on some suckup in the organization to program it using VB. After about 6 weeks, he designed a client side app and a database that ran under MS SQL. It was slow, but the boss didn't know any better. I asked him to give me a week and I'd offer a different solution. I cobbled together a sloppy app that used a Java Applet to interface with a Database running under MySQL.

In order to show how much more efficient my application was, I borrowed my friend's Mac mini, set up the web server, and ran MySQL, on the same machine. (The VB based app ran on a separate client, and the MS SQL server ran on a Dual 2.8 XEON.) The throughput of the Java application was over 300% what the VB app was, so don't tell me that Java is slow. It's not, if it's done right.

aranhamo
Apr 25, 2007, 08:54 AM
...because Java does all the memory management for you.

No, that's why Java sometimes consumes a lot of memory. Java's memory management has little to no effect on performance these days, but sometimes it takes a while to clean up unused references since the garbage collector is the lowest priority.