Java vulnerabilities?

[Azathoth]

http://www.mozilla.com/en-US/plugincheck/

Tells me that Java is out of date - is this a security issue (Apple has it's own Java, which has not been updated AFAIK).?

 

[MisterMe]

http://www.mozilla.com/en-US/plugincheck/

Tells me that Java is out of date - is this a security issue (Apple has it's own Java, which has not been updated AFAIK).?

Java is an integral part of MacOS X. Apple provides the updates to Java via Software Update. It is interesting that you look to a Mozilla website as an authority. Firefox and other Mozilla browsers include their own Java VM [developed by Symantec, IIRC]. However, the Mozilla JVM lags behind Apple's. This is why the Javaplugin Project developed the Java Embedding Plugin. It allows Mozilla browsers to access the Apple JVM.

 

[Azathoth]

Java is an integral part of MacOS X. Apple provides the updates to Java via Software Update. It is interesting that you look to a Mozilla website as an authority. Firefox and other Mozilla browsers include their own Java VM [developed by Symantec, IIRC]. However, the Mozilla JVM lags behind Apple's. This is why the Javaplugin Project developed the Java Embedding Plugin. It allows Mozilla browsers to access the Apple JVM.

Current Java is 6 update 22 for most platforms (http://www.java.com/en/download/manual.jsp#apple), my system is reportedly running Java 6 update 20 (http://www.java.com/en/download/help/testvm.xml) - there have been a number of security fixes in update 22. That is why I am wondering if this is a potential security issue.

 

[wrldwzrd89]

Security issues do indeed exist in the latest Java version for Mac OS X. Apple is working on an update - as evidenced in their developer site (free registration required). However, the update only brings Mac OS X Java 6 to u21 currently. I firmly believe that Apple will integrate the u22 changes into the update that they are currently working on, though.

 

[Azathoth]

Security issues do indeed exist in the latest Java version for Mac OS X. Apple is working on an update - as evidenced in their developer site (free registration required). However, the update only brings Mac OS X Java 6 to u21 currently. I firmly believe that Apple will integrate the u22 changes into the update that they are currently working on, though.

Thank you.

Because Apple do their "own" version of Java, I was wondering if the Java vulnerabilities are also applicable to OS X, seeing as it reports itself as Java 6u20 I guess so. Oh well hopefully OS X sandboxed model (with FF & No Script) will protect me til the update

 

[luci747]

Acording to Microsoft blog, Java is vulnerable until latest update 23. One of this vulnerability is afecting also MacOS X.
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx

"CVE-2008-5353 3,560,669 1,196,480 A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X."

 

[Winni]

Firefox and other Mozilla browsers include their own Java VM [developed by Symantec, IIRC]. However, the Mozilla JVM lags behind Apple's. This is why the Javaplugin Project developed the Java Embedding Plugin. It allows Mozilla browsers to access the Apple JVM.

I think you are mistaken. Firefox and others contain and own implementation of JavaScript, but that has NOTHING to do with Java the language or Java the platform/VM. All web browsers require a platform specific installation of Java when you visit a Java enabled website, and Firefox on Mac definitely launches Apple's Java VM when you navigate to a Java website.

Since Apple officially deprecated its own Java implementation (and used to be awfully slow with updating the VM even when it was still officially supported), this is now just another security hole in OS X that probably won't ever be closed.