
Fortunately no serious damage was done in the meantime

With close to 75 million OS X installations reportedly in the wild, triple the number of two years ago, Apple has to start taking security more seriously.  Fortunately for Apple users, while security researchers regularly demonstrate OS X exploits, the black-hat community remains rather apathetic about attacking Mac users.

The latest addition to a growing picture that OS X may not be as secure as some think came in May, when security firm Intego, which makes security software for Macs, warned users of a flaw in the OS X Java distribution that could allow Java applets to execute malicious code.  Intego complained, "Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue."

The flaw was originally found by Sami Koivu, who reported it to Sun Microsystems on August 1st 2008.  The vulnerability also affected OpenJDK, GIJ, IcedTea and Sun's JRE, which share the same core classes with Apple's Java SE and J2SE.  Sun issued a patch on December 3rd 2008, and most of these distributions quickly incorporated it.

Months went by with no action from Apple, though.  In May, programmer Landon Fuller published proof-of-concept code showing how the flaw could be used to attack OS X installations.  Still, Apple did not incorporate the patch.  States Mr. Fuller, "Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated.  Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

Now a month later Apple has finally released a patch for Java on OS X 10.5 Leopard (the latest version) and 10.4 Tiger.  Describes Apple, "Java for Mac OS X 10.5 Update 4 delivers improved reliability, security, and compatibility for Java SE 6, J2SE 5.0 and J2SE 1.4.2 on Mac OS X v10.5."

The patch for OS X 10.5 can be found here, while the patch for OS X 10.4 can be found here.

This is not the first serious door that Apple has left open.  Last September a researcher going by the pseudonym "Securfrog" published code to crash Apple's QuickTime video player after Apple ignored a glaring flaw for months.  Similarly, a DNS flaw discovered by Dan Kaminsky was only fixed months later.

In Apple's defense, Microsoft is also occasionally slow to patch issues -- such as the recent patch of a long-standing Microsoft Office bug.  However, when it comes to security flaws in web-accessible content -- such as QuickTime, Java, or Safari -- Microsoft's track record is much better than Apple's.  These are the types of content most frequently exploited to attack machines over the web.




Java patches....
By solgae1784 on 6/16/2009 9:47:26 AM , Rating: 2
This is really a great disadvantage Apple has compared to other platforms, in that Apple chose to implement Java by themselves. But let's get into the reality here.

I've seen many people or organizations that haven't bothered updating Java for almost an eternity, and, at least from what I saw on the Windows side, Sun chose to leave all the prior releases alongside the newer releases until around Update 13, when they finally started uninstalling prior releases before installing a new one. Also, many organizations just don't seem to give Java updates as much priority as the Windows updates. The average Joe is even worse, often just flat-out ignoring the Java update messages that have been there for months. To me, knowingly not patching the vulnerabilities is just as bad as not releasing them.

One good reason why you don't want to update Java, though, is compatibility. I had MATLAB stop working on me once when I updated Java, and I know some other programs that refused to work correctly with certain later releases of Java unless I went back to the earlier release. This forced me to remain on the earlier Java release until either Sun or the app developer released an update.

Bottom line is, the issue isn't so cut-and-dried. While Apple does need to get their act together on the security side, there's more going on than what you read in the news.




RE: Java patches....
By mfed3 on 6/16/2009 10:18:33 AM , Rating: 2
Totally agree about the prior release versions of Java sitting there ready to be exploited.

Java is so bad security-wise that I don't keep it on any of my family members' PCs or trust them to update it.

jusched.exe = fail.


RE: Java patches....
By vbNetGuy on 6/16/2009 10:58:06 AM , Rating: 2
Some applications rely on older versions of Java as well, since there are quite a few backwards compatibility issues. If I update to Sun Java 1.5 Update 13, some of the software that is required on users' PCs will not work because it requires 1.5 Update 10. This also leaves a huge security hole for PCs that require these older versions.


RE: Java patches....
By inighthawki on 6/16/2009 12:42:10 PM , Rating: 2
Not that it's not true or that I don't believe you, but can you name some? I don't think I've ever run into a situation where a Java program didn't work because of the wrong version (though, being completely honest, I haven't used many Java apps before). I'm just curious is all...


RE: Java patches....
By HotdogIT on 6/16/2009 1:33:16 PM , Rating: 2
Enterprise eTime.

I have no idea how widespread its use is, but I know for a fact that we load up client PCs with version 1.4.2_12, and nothing else. Some of the 1.5 versions work, but any of the newer versions totally fail to function.


RE: Java patches....
By GaryJohnson on 6/16/2009 4:13:04 PM , Rating: 2
Sun should separate out the version of Java used for applications from the version used for applets. Applets are where the risk is, and they should only run with the latest version. If they break, too bad. Applications are typically what you see being used for enterprise/commercial software, and those need backwards compatibility.


RE: Java patches....
By SoCalBoomer on 6/16/2009 4:56:25 PM , Rating: 2
Just FYI - it seems to have been fixed (that's what I've been told, anyway...), and you could put a new version of Java on the computers as long as you had 1.5.13 (the specific version we needed) on the machine. Right now, we have 1.5.13 and the latest 1.6 build, and it works fine.


RE: Java patches....
By MamiyaOtaru on 6/16/2009 7:03:20 PM , Rating: 2
I don't remember the program name (fail), but the app the hospital here uses for viewing radiology reports over the network is limited to some old version.

When we put in a bunch of new PCs for the exam rooms and forgot to turn off updates, it wouldn't run. Had to uninstall and reinstall whatever specific Java version it was and nail it there.

At least they are planning on rolling out a new version next month that will let us turn java updates back on :-/
















Copyright 2014 DailyTech LLC.