Filed under: Bad Apple, Security
Mac OS X Java security hole exposed
You know, it's fine to make the argument that "Macs are safer than Windows-based PCs," because in real-world usage, this is generally true. Nothing does more to undermine that argument, however, than a five-month-old unpatched Java vulnerability.

As Landon Fuller has pointed out, a potentially nasty Java exploit remains unpatched in Mac OS X, including in last week's OS X 10.5.7 update. Essentially, this exploit allows malicious code to break out of the Java sandbox and run arbitrary commands with whatever permissions the logged-in user has. So just by visiting a website, you could be allowing malicious software to run commands on your system. Not cool. Not cool at all.
Although the exploit was initially discovered and filed back in August of 2008, Sun issued its own fix addressing the exploit back in December.
So, five months, two point OS updates, and one Java update in February later, Apple still hasn't patched the exploit on their end.
Can I just say, "WTF?" I mean, seriously, get on the ball Apple. You only have $20 billion in cash, maybe investing in a bunch of full-time security patchers for your operating system would be a worthwhile investment!
Julien Tinnes has some excellent commentary on the exploit here. As Landon says on his blog, all users are advised to disable Java applets in their browsers and to disable "open safe files after downloading" in Safari. You should also consider using an SSB (site-specific browser) for any web work that genuinely requires Java (see below).
Of course, being forced to disable Java applets just so one can ensure safety kind of puts Mac users who, I don't know, use a web-based SSL VPN client to connect to work systems or e-mail in a bind.
And, let the flogging from the Apple-haters commence.

Reader Comments (Page 1 of 2)
Mike Nilsen said 2:02PM on 5-20-2009
Applets are not very common anymore; it shouldn't be too onerous to disable them for regular surfing. The vulnerability only affects client-side Java; nothing powered by server-side Java is going to be affected by the exploit or by disabling applets.
required said 3:24PM on 5-20-2009
Actually, they are more common than you think.
ryemac3 said 2:05PM on 5-20-2009
Pleeeeeeze. Enough with the security holes already. How many Macs are actually affected by this? None. Half these security "threats" we hear about are nothing more than proofs of concept, and no code has actually even been written to exploit them yet. So when that day comes, then I'd agree with the sense of urgency.
If I had to choose between Apple fixing this now, and letting Snow Leopard slip 2 weeks, I'd say let Java wait.
Janak Parekh said 2:14PM on 5-20-2009
If you look at the links above, example exploit code has been posted that you can try out yourself by just clicking on the link. This is a real, serious vulnerability, unlike many of the "theoretical" ones you mention.
Dano said 2:06PM on 5-20-2009
very, very disappointing. your stocks should drop after this one. tsk tsk tsk....
smak said 2:10PM on 5-20-2009
Hopefully Microsoft will match Apple's low-brow advertising on this one and go right for the jugular. Apple would release a patch the next day to avoid the shame after touting "we never get viruses" bs in their commercials.
Sorry, I'm a little pissy because my stupid Mini just spontaneously rebooted on me with no crash report (again).
keynoteken said 8:48AM on 5-21-2009
But there are still no viruses. This is a "REALLY BAD THING", but being able to do this wouldn't count as a virus anyway. Malware, maybe, but even so, where's the actual malicious content?
6 Months, and, well, maybe we should wait until we see how many millions of computers have tiny files sitting around on them doing nothing before we see how widespread the "actual" damage is.
Hawkman said 2:10PM on 5-20-2009
It's a poor show to not have this fixed – but maybe it's time to stop including Java, or at least have it off by default. The last time I used an applet was the late 90s...
webterractive said 2:57PM on 5-20-2009
I have both a Mac and PC and they are absolutely fine, holes or not. PCs are safe if you keep them safe, and Macs are safe if you keep them safe. I don't have DOD plans on my computers so I'm not worried.
macserv said 3:13PM on 5-20-2009
Apple has always seen Java on the desktop as a second-class citizen, and the small team they do employ to keep it updated and enhanced on OS X is tremendously overworked. Maybe now that Java is owned by Steve's bosom buddy Larry Ellison, we might hope for some more regular updates on OS X.
required said 3:27PM on 5-20-2009
I hope so. Maybe the iphonepodtouch will become compatible. Doubtful, but it would be great nonetheless.
KosherSalt said 3:38PM on 5-20-2009
Fact is, the biggest security hole in your OS is you.
Not being stupid plays a big part in the battle.
Brian said 4:48PM on 5-20-2009
Could not have said it better myself.
slpdload said 4:03PM on 5-20-2009
Apparently it needs to be said again:
Macs are safer, but less secure.
All this particular exploit does is emphasize the second point. Rather poor information to panic ratio in this article.
Macs are safer, but less secure.
Macs are safer, but less secure.
Macs are safer, but less secure.
Macs are safer, but less secure.
Macs are safer, but less secure.
Steve Simitzis said 4:22PM on 5-20-2009
I can't remember the last time I encountered a Java applet. Is this technology still needed for anything?
Travis Walls said 5:21PM on 5-20-2009
Just because some of you guys haven't used Java applets in a while doesn't mean no one else does. My school uses them for online classes in Blackboard/Elluminate, and my workplace uses them for remote desktop access through GoToMyPC/Citrix. Those are both pretty popular services, last time I checked. I'd just love telling my professor or boss that I can't connect from home because I use a Mac and it is advised that I disable Java applets until Apple gets around to patching a five-month-old security hole.
Mike Nilsen said 6:37PM on 5-20-2009
No doubt applets are still common in educational or scientific contexts, but for the average surfing experience, they're pretty rare. I'm a Java developer and I have my Java Console enabled, so it's very in-your-face when I hit an applet. I don't encounter too many. Flash and other rich Web UI plug-ins (maybe JavaFX!) are the weapon of choice these days.
Universities should probably switch to Java Web Start deployment with signed applets. It might not cure this exploit, but at least you can verify the source of the applet as trusted or not.
iBearTouch said 6:51PM on 5-20-2009
I disabled all the Java stuff and then had a peek at the American Apple start page (/startpage), then I jumped over to the Canadian version to have another peek.
All I can say is I sure am glad to be Canadian. X-)
Hawkman said 7:17PM on 5-20-2009
Did you disable JavaScript? Despite the really stupidly misleading name, it has nothing at all to do with Java.
iBearTouch said 8:44PM on 5-20-2009
OK Hawk, I see what you mean. I appreciate the edumacation! Cheers