Over the past 14 years I've run every possible version of Windows, various flavors of Linux, BSD, and now of course OS X. I've seen the worst, patched the worst and quite simply all I can say about this is chill out and disable Java. Who uses Java applets anymore anyhow? I worry more about the user than the OS. Phishing, scams, swine flu :D, etc etc etc.. Basically I don't see this becoming a problem, widespread or wild.

Well, it won't. But even in light of my comments in this thread, it's still better to adopt the "better safe than sorry" approach. You don't necessarily need to run any AV software, but make sure your firewall is on, your browser secured, your router settings are sound, and that you have sound browsing habits. And this last item relates well to your phishing and scams comment.
 
I do have Java turned off. I run an admin account but I also have ClamXav running, and my router is set up correctly, my OS X firewall on, and stealth mode enabled, etc.

I disabled my Java as well but I couldn't have my firewall in OS X enabled since that ended up in iTunes bugging me with an "allow or deny" dialog. Tried everything I could find on the net, nothing worked. Guess Apple patched that one a little too hard.

Sad part is, it's true. Search the web if you don't believe me since more people have this issue without a solution from Apple. Their suggestion was that I repeatedly delete it from the exceptions list and let it re-add itself. :apple: = repeat!
 
I disabled my Java as well but I couldn't have my firewall in OS X enabled since that ended up in iTunes bugging me with an "allow or deny" dialog. Tried everything I could find on the net, nothing worked. Guess Apple patched that one a little too hard.

Sad part is, it's true. Search the web if you don't believe me since more people have this issue without a solution from Apple. Their suggestion was that I repeatedly delete it from the exceptions list and let it re-add itself. :apple: = repeat!

I wasn't able to replicate your problem. I have Leopard's firewall enabled, including stealth mode. I'm able to use iTunes without issues. I even bought a song just now in order to test my account. No problems. It's working normally. iTunes doesn't appear on my exceptions list or anything.

Have you tried de-authorizing and then reauthorizing your computer? I assume you've got that latest Leopard update from Apple.
 
Not true. Back in the early days of OSX Apple used to actively sell the tight integration of the OS with Java. Used to be you could write near-native mac apps in Java--and if you were decent at abstracting you could really fulfill the write-once, run anywhere concept that makes Java attractive to begin with.

As a sometimes Java developer the fact that Jobs is purposely train-wrecking Java on OS X is almost enough to stop me from buying Apple products. And don't even get me started on the extremely stupid binning of QT4J that Apple has been quietly doing for the past five years (or so).

Circling back to the topic though, it is completely negligent that Apple has left this dangling for so long. It is criminal the way Apple treats Java. If I were a paranoid person I'd begin to think that Apple is waiting for an exploit so they have grist for the "Java is unsafe, we need to make a clean break" campaign Steve has filed away. But I'm not. So I just chalk this up to malcompetence.

Sorry, but I still think Java should die already. It's old and it needs to be replaced with a better solution. Every Java app I have ever used is crude and buggy. I really would like some examples of actual CURRENT use of Java based applications on the web. I can't seem to locate one that is not better or at least equally suited to run natively on my Mac.
 
I wasn't able to replicate your problem. I have Leopard's firewall enabled, including stealth mode. I'm able to use iTunes without issues. I even bought a song just now in order to test my account. No problems. It's working normally. iTunes doesn't appear on my exceptions list or anything.

Have you tried de-authorizing and then reauthorizing your computer? I assume you've got that latest Leopard update from Apple.

I too have the OS X firewall enabled with Stealth mode and can use my iTunes account without having to "Allow or Deny" anything. Perhaps it's some other setting in your system prefs.
 
Except it wasn't major until today and they fixed it within hours. Good luck getting that kind of support from Microsux

it's not critical until someone exploits it? Good to know my unpatched winXP box hooked up directly to the internet hasn't gotten anything yet....ZOMG!!!!!!! it must be SOOOOOOOOOOOO secure!
 
I too have the OS X firewall enabled with Stealth mode and can use my iTunes account without having to "Allow or Deny" anything. Perhaps it's some other setting in your system prefs.

It's not related to the iTunes Music Store - it's AirTunes freakin' out in some way. Which makes it even more dumb, since then it's about local traffic. It's something about "com.alf" in the logs. Figured "com.alf" is the OS X firewall but can't figure out how it's related. Apple claims to be working on it as it happens to other Applications as well for other people. I guess it'll happen any year now. ;)

Made a thread about it in OS X forum here at MR. It was getting off-topic.

On topic, still no update. It's so nice to know that Apple is toying with my security just to discourage people from using Java and to strengthen their argument. Thanks Apple - you're the best! :p
 
Apple has got a new developer preview of Java 1.6 update 4 available on the members dev site but still doesn't seem to contain a fix for the current issue.

Let's hope we see a fix for this and other issues we all have that Apple seems to have become rather lame ass about fixing.
 
Yeah, I guess Apple is just going to ignore this one entirely and hope it somehow fixes itself. Strange that Apple has released two beta updates for Java on the developer's site, yet not bothered to fix, address or even mention a flaw that, according to pundits, makes it possible to erase a user's entire root partition remotely without any sort of user interaction or activity required.

If this problem is indeed as bad as everyone claims it to be, then WTF is Apple doing not even mentioning it in the JVM1.6b4 release notes?

Moreover, I am having difficulty understanding why this bug is still a huge problem: over the weekend, I installed the new Java for OS 10.5 Update 4 Beta 4 build from the ADC site. My Java1.6 runtime version is listed as 1.6.0_13b03 and the Java1.5 runtime version is 1.5.0_19--which is equivalent to the current 1.5 release by Sun. According to Sun documents concerning Java security fixes, this bug should have been addressed by JRE 1.5.0_17 (or something like that). So why wouldn't Apple's so-called "JRE 1.5.0_19" have any of the fixes from the last couple revisions of Java 1.5? Is Apple just lying about the version number? Something is just not adding up. In addition, with Java enabled, I still can't get the "proof-of-concept" site to seize control of my machine...yet everyone seems to claim that nothing can stop it from working, save for eliminating Java web-applet support altogether.
 
Some of y'all are just crazy.

This is as bad as exploits get.

Let me say that again...

A single-click remote exploit that allows complete access including file read/write/delete and process launching is as bad as any browser exploit on the planet has ever been.

This exploit is available, by default, on every Mac running OS X on the planet.

And Apple hasn't done a thing about it for six months.

There's no excuse. None.

The only thing not as bad as humanly possible about it is that the user needs to visit a maliciously crafted site, rather than being able to self-propagate across a network.

NO EXCUSE for allowing this to sit for half a year...
 
Can somebody please hack into big newspaper-, tv-network-, college-, macintosh-related-, etc... websites simultaneously and exploit this security hole in a harmless but noticeable way, to show every ignorant out there how serious this is? One actually could as well write a hack which deactivates Java in Safari, Firefox, Opera, Camino, etc... which would be fixing the risk by a hack :D Forcing the ignorants to take measures.

This is so bad, and with all the talk about security, which Apple luckily inherited from OS X's UNIX past and improved on it, just the fact that they don't bother to fix a minimal-effort/maximum-effect exploit for over half a year is a shame. The sound and safe system architecture with file permissions and user permissions doesn't help a single bit here... Go and fix this Apple!
 
Some of y'all are just crazy.

This is as bad as exploits get.

Let me say that again...

A single-click remote exploit that allows complete access including file read/write/delete and process launching is as bad as any browser exploit on the planet has ever been.

This exploit is available, by default, on every Mac running OS X on the planet.

And Apple hasn't done a thing about it for six months.

There's no excuse. None.

The only thing not as bad as humanly possible about it is that the user needs to visit a maliciously crafted site, rather than being able to self-propagate across a network.

NO EXCUSE for allowing this to sit for half a year...

Hey, how about those iPhones, eh? Over Six billion served....

:apple:
 
I tried the exploit from the link on page 1 of this thread and have Intego VirusBarrier X5 10.5.8 installed and it tells me the following:

The file 'Exec$1.class-4620a35a-31830ec9.class' is infected by the exploit 'Java/Evasion.A'

It shows as a virus so I feel protected enough not to disable Java due to some sites I need for my work which require Java to be usable.

All I get from the link the

This Applet is loaded in the top lefthand corner and nothing else before VB kicks in.

So for me it also shows that Antivirus apps are useful on my mac
 
Can be useful, but the developers of VirusBarrierX only recently updated their program so it would block this Java security hole. So they needed as well this hacker guy to be aware of it, and didn't fix it instantly when the security hole was public 5 months ago. hm... useful, but could have been faster as well for my taste.
 
Still no fix released to the public. It's been a week now. Like the guy up there said, this is about as bad as exploits get.
 
I really would like some examples of actual CURRENT use of Java based applications on the web. I can't seem to locate one that is not better or at least equally suited to run natively on my Mac.
http://variations2.indiana.edu/

I'd link to one I worked on specifically but it had to be canned because it relied on QT4J which Apple no longer supports in any meaningful context and will die off once the state of Java and Quicktime have progressed to the point where they're completely incompatible.

So find me an academic-grade music search and annotation application that
1. runs natively on your mac
2. runs natively on Windows

Why is this app written in Java? Because it is research-driven, thus its development was grant-funded, and you're never going to get a grant to fund development for an application if one of the stipulations is that it must be ported from one platform to another.

Granted, fewer applets are seeing the light of day with the advent of proprietary frameworks like Flash and Silverlight. While you want to restrict the conversation to applets, my point was much broader. This particular example is demonstrative of how Apple treats Java in general. There are a great many more desktop applications that are Java based and even more back-end apps use Java.

Probably the absolute most useful single tool I have in my day-to-day work life is Eclipse which is completely Java based. You know why a significant number of useful Eclipse plugins won't work on a Mac? Because Apple refuses to fix threading issues in Java. Not to mention, every UI event runs through a single thread, this bottlenecks the bejeezus out of Java apps running on a mac. It doesn't have to be that way. Doesn't work that way in *nix or Win JVMs. Oddly enough, Sun writes those JVMs...

Further, with the advent of SWT you are probably unaware of the number of applications out there that are Java based or utilize Java components. Regardless of the validity of your contention that *you* don't see Java in *your* world, Java is an integral tool in many environments. To unilaterally declare that Java should die is ignorant hyperbole. Apple ignores Java to its own detriment--especially given the 180 degree turn this shows from Apple's emphatic embrace of Java early in OS X. Corporate, government, and academic environments see this kind of arbitrary behavior from Apple and it confirms in their mind that this is a non-serious work platform geared to dilettantes and naifs.
 
Why doesn't someone make a web based version of terminal?

Using Java Preferences in /Applications/Utilities to set "Run applets" to "In their own process" (rather than "Within the browser process") seems to keep the proof-of-concept from working.

How do you do that? I can't find that setting
 
http://variations2.indiana.edu/
Apple ignores Java to its own detriment--especially given the 180 degree turn this shows from Apple's emphatic embrace of Java early in OS X. Corporate, government, and academic environments see this kind of arbitrary behavior from Apple and it confirms in their mind that this is a non-serious work platform geared to dilettantes and naifs.

Thanks for the info on currently used Java Apps. I did not know they still existed, although as a grad student I am not surprised academia still uses them (they are the primary culprit for holding technology back in many instances). If you don't believe me, just go to some professors' websites at a few big universities. Many are improving, so it may take a few times to find an old one. But you will find that a lot, if not most, are strict HTML based sites probably written in the late 90's. Not to mention they still use Windows XP at many universities (granted because Vista is not trustworthy). Although it would be nice if they would just switch to Apple to stay ahead of the times.
I guess my point is that most Java applications had their day in the late 90's, and perhaps up until 2005. I have a hard time believing that Apple would ignore a technology "to its own detriment." There are some better solutions that rely heavily on AJAX frameworks that replicate most useful Java applications out there and include the ability to control aesthetics with CSS (I am pretty sure that is not possible with Java, I could be wrong). Most likely, this is what Apple is developing to replace Java. However, I do understand your frustration with the growing lack of support for Java in your instance.
 
I really would like some examples of actual CURRENT use of Java based applications on the web. I can't seem to locate one that is not better or at least equally suited to run natively on my Mac.

Every single website that deals with real estate and virtual tours of properties for sale.

I have to use it several times a day.

:apple:
 
Thanks for the info on currently used Java Apps. I did not know they still existed, although as a grad student I am not surprised academia still uses them (they are the primary culprit for holding technology back in many instances). ...
I guess my point is that most Java applications had their day in the late 90's, and perhaps up until 2005. ...However, I do understand your frustration with the growing lack of support for Java in your instance.

As a Java developer for the past 13 years I felt compelled to comment on this thread because it was making me smile reading through the posts.

It's obvious from reading through the posts that the perception of the majority of the posters here is that Java lives only in the browser or on the desktop, but this could not be further from the truth. The backend processing of the majority (not all, and I know this is going to open the doors for flaming, but based on my own experience this is true) of business systems developed today are developed using Java and are running on Java application servers. True, as a user of a front end system, web-based application or website you have no indication that Java is being used to do the heavy processing for the backend systems, but it is there, humming away 24x7 in mission critical business systems.

Now here's the catch from my perspective as a Java developer. I don't like Windows. I have struggled with Linux for years. As a recent switcher to the Mac, I love the Apple combo of hardware and OS. It's how computers should be. I only wish I bought a Mac sooner. With Apple being slow on its Java VM releases though, I've heard from many that this is putting them off sticking with Macs, because Java is their bread and butter and they need to (obviously) use a platform that has Java support to do their job.

That said, you would be surprised how many Java developers use Macs. Attend JavaOne (this year's conference is next week) and look around between the presentations and you'll see a sea of developers sitting around using their MacBooks. The majority of the presenters all use Macs too. I've honestly never seen as many Macs in one place.

Hope you find this interesting from a Java developer's point of view!
 
As a Java developer for the past 13 years I felt compelled to comment on this thread because it was making me smile reading through the posts.

It's obvious from reading through the posts that the perception of the majority of the posters here is that Java lives only in the browser or on the desktop, but this could not be further from the truth. The backend processing of the majority (not all, and I know this is going to open the doors for flaming, but based on my own experience this is true) of business systems developed today are developed using Java and are running on Java application servers. True, as a user of a front end system, web-based application or website you have no indication that Java is being used to do the heavy processing for the backend systems, but it is there, humming away 24x7 in mission critical business systems.

Now here's the catch from my perspective as a Java developer. I don't like Windows. I have struggled with Linux for years. As a recent switcher to the Mac, I love the Apple combo of hardware and OS. It's how computers should be. I only wish I bought a Mac sooner. With Apple being slow on its Java VM releases though, I've heard from many that this is putting them off sticking with Macs, because Java is their bread and butter and they need to (obviously) use a platform that has Java support to do their job.

That said, you would be surprised how many Java developers use Macs. Attend JavaOne (this year's conference is next week) and look around between the presentations and you'll see a sea of developers sitting around using their MacBooks. The majority of the presenters all use Macs too. I've honestly never seen as many Macs in one place.

Hope you find this interesting from a Java developer's point of view!
What he said.
I can second most of his comments. I've also been a long time Java developer and am also dismayed at how slow Apple has been to update Java. In my case annoyed because Java 6 won't run on my 32bit Macbook.

I don't understand why or how Java ever got a bad rap. Maybe it was initially overhyped. There are still a number of sites that use Java for real functional processing even in the browser.

I've worked many years on server side b2b infrastructure in Java, but also did extensive work on Java end user applications. Applications I've worked on have been fast, responsive and looked good.

Having worked on Apple's Cocoa for the last year, I still think Java has a much cleaner and better object model. Cocoa is a mess, never really architected. Yes it does some things well and can be made to work.

And back to the thread, in general Java is very secure and not "legacy" at all.
 