Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Releases New Java 6 Updates with Security Enhancements
- Thread starter MacRumors
- Start date
- Sort by reaction score
Hmm I don't have any problems with it. But they've already said they are sticking with Java. It's also fairly easy for people to write mods for it.
Since I'm making a Bukkit plugin right now, I'm glad it's Java at the moment since the only other thing I know is Objective-C (barely)
But seriously, it's become a joke by now. "Minecraft: 80s graphics, 2030s RAM usage."
You really don't know what you're talking about. Java in the browser has a number of sandbox security restrictions in place that you do not get when you just download and run a Java (or any native) application.
The main risk in a browser today is that you might "browse", find and inadvertently run untrusted code on the web. If I sent you a zip file of untrusted Mac applications for you to browse on your desktop and run, your computer would be at far greater risk.
In the end, the main thing is not Java/Flash/browsers/etc. it's knowing where the software you choose to run comes from and if you choose to trust it. Deriding people here for running trusted Java apps they use for their day to day jobs is pointless.
Since I'm making a Bukkit plugin right now, I'm glad it's Java at the moment since the only other thing I know is Objective-C (barely)
But seriously, it's become a joke by now. "Minecraft: 80s graphics, 2030s RAM usage."
It's not about the graphics. The worlds are immense and very heavy to keep in (virtual) memory.
Did you actually read the details of this update from Apple? From the announcement:
You can google those identifiers in the NIST National Vulnerability Database to get the gory details of the individual exploits. This bleeding has gone on for years, and there's no sign that it will be stopping. Nobody -- absolutely nobody -- should be running Java/Flash in the browser.
The distinction is that apps from the MAS are signed and distributed by a known entity. Contrast with the web browser where one is executing arbitrary code from random entities.
I have been explicit in this discussion: the safe behavior is to run applications from the MAS. I never said that one should accept and run zip files from random sources. Why in heaven's name are you arguing against a straw man?
Wrong. Adobe clearly disagrees: Flash code runs by default; they provide no way to selectively run Flash code. You must get plugins like ClickToFlash to selectively run Flash code.
The problem is that it's waaaay to easy to run UNtrusted apps in the browser.
Here's how we know you're wrong: if there was no value in creating malware that escaped the Java/Flash firewalls, there wouldn't be hundreds of individuals selling their malware for thousands of dollars causing millions of people to have to download these constant software updates. Adobe and Oracle have failed to secure their firewalls.
Also, like multiple posters here, you misrepresent my point of view. I think it's just fine for people to run trusted Java apps on their machines. For for the safe computing of all, I suggest that they run those trusted apps by getting them through the MAS.
Do you understand now?
Yeah, it's not about graphics. The joke is a little inaccurate. But the nearly 1GB of RAM usage after some playing time and massive CPU usage is not justified. Java is inherently inefficient. If I make something simple in Java, and I code properly for efficiency, it uses a lot more CPU and RAM than a comparable program written in C and compiled.
Why are you characterizing a change in packaging of the software as a "major change"?
Have you ever tried to get a multinational vendor to make any changes no matter how minor to any aspect of their processes (or in fact do anything at all)?
We were recently ready to switch from our current vendor for servers and make an immediate initial purchase with a competitor. This would have been in the range of 3-500K worth of gear.Our only request was that we be provided with a proof of concept setup to test integration on site in our current data centre setup.
This pretty basic sales request had to go through 5 different people, took 4 meetings and 3 months to achieve. We went with someone else.
So when I use the word "major" above, it is a relative term. If it takes all that effort to get a few testing servers and a SAN so we can give them an effortless half million dollar sale, getting them to globally update the firmware on a 3+ year old product is a major change.
Well, i'm not a developer (I was a Linux sysadmin and project leader before becoming management) and i'm not that familiar with the complexities of Java so perhaps you could take a guess at how this works
1. When i'm logged into the remote access card GUI and click on a remote console link, I get served a .jnlp file.
2. This file will only connect to the server which served it
3. It does not require me to perform any sort of authentication (but I know authentication is taking place).
4. It can only be used for one console login or within a certain expiry time, whichever comes first. After that it fails.
5. My remote IP is not relevant. If I get served the jnlp and change my IP it will still work as long as (4) is fulfilled.
6. It can handle concurrent console logins.
Last edited:
Just a heads up for anyone (forced) to use Junipers Network Connect -- this update bricks the connection phase of the program.
Since the app is 32 bit only, it can't run 1.7 either. I highly doubt Juniper will release a 64bit client, or change anything in the program for that matter. Apple may or may not change things further in future 1.6 updates.
Since the app is 32 bit only, it can't run 1.7 either. I highly doubt Juniper will release a 64bit client, or change anything in the program for that matter. Apple may or may not change things further in future 1.6 updates.
We sure do. They get a browser served via Remote Desktop Services from a VM on one of our servers.
True Java can be inefficient. But It's not going to go to C or anything else, so we'll just have to make due. They are dropping a lot of inefficiencies in the 1.6 update: no more Java 5 and minimum of opengl 2. Hopefully this will help a little bit.
It will help, but then it also won't work on my MacBook because it's stuck at Java 5 (not my main computer so it's not that bad). As I was complaining about earlier, Java support for Mac can sometimes suck.
Nope. It is a minor change. It involves no change in the code. If some vendor were inept at packaging their code this way, it could be farmed out to a third party shop -- or even an intern.
In this context, it is a nonsensical term.
If the vendor provides an app, you don't have do to any of those genuflections. You just run the app. Simple.
Good for you. Really. You should not be one of those shops who gets their production database hacked through the Java/Flash virus vectors.
One note: if you had your Java code installed as an app, you would obviate the need to have any Internet connectivity whatsoever on those VMs. That sounds like a very smart safety measure to me.