More than six months after Sun Microsystems warned that a flaw in its Java virtual machine made it trivial for attackers to execute malware on end users' machines, the vulnerability remains unpatched on Apple's Mac platform. Most other operating systems, including Windows and major Linux distributions, fixed the bug months ago. …
Om nom nom nom, says the worm...
The worm is in the Apple. I repeat, the worm is in the Apple.
Hey, macs are so much more securester than anything else in the world, this little bug shouldn't be a problem... no need to patch guys. Now if you would excuse me, I have to get back up to speed with my Java programming skillz
that is crazy
(don't know if this is double posted)
its common to know that apple falls short when it comes to pachting your systems. thats why I'm glad I use windows coupled with safe browsing and anti-virus software. my never hasn't seen a virus for years now, and I can say no trogons for roughly 2 and half years now. its all about safe browsing. its never a good when someone's computer gets a virus or trogon so please do what is recommended and buckle down your macs to this vuln. by turning off java applets....this would be a bummer for me though because I play a lot of java based games online with my friends and family at yahoo games and games in windows live messenger with my girl.
however, to the author or anyone who can answer this question: when the user turns off java applets does that mean they can't use google docks? pesonally i don't use google docks but just for the sake of information I'd like to know.
Apple OS X and pre core duo MacBooks...
I'm still rather irritated by Apple's decision to not to release Java 1.6 for 32bit Macs. Unfortunately I bought my MacBook just before they went 64bit (with the update to core2 duo processors). Several work apps simply cannot run without 1.6, leaving me somewhat dismayed. Why they refuse to support Java 1.6 for such systems is beyond me. I'll not be buying any other computers from them as a result.
who really cares anyway
Before everyone starts ranting, has anyone actually had a Mac hacked because of this, or is this the usual case of lets start a panic to make ourselves look important from the press/virus software experts etc etc.
What's more important? Hypothesis or Probability?
Some people must have too little to worry about!
@James Robertson: You think they would know? They're Mac users...
People still use Java?
This is a rather sad reflection on the once-"cutting-edge" technology that is Java. No-one cares any more! Still, leaving an unpatched, known exploit is a bit stupid.
No one cares?
Apparently the criminals don't care.
Their entire skill set is focused on infecting Windows and developing the skills necessary to target a new platform isn't too much effort for too little gain.
Apple doesn't care because no ever bothered attacking them. Yes someone put a Trojan into some pirated mac software, but the blame and the responsibility for that falls on the end user not Apple.
Mac User's don't care because they never had to worry about this sort of thing before and they are not going to start until something actually happens.
Google docs don't use Java applets
As for Apple not patching their version of Java, the logical solution would be to let Sun distribute a JRE for OS X, instead of relying on Apple to do it. This is probably what will happen eventually. Hopefully, the bad PR will shame Apple into fixing this long standing security breach.
Apple and Java is a mixed bag :(
I don't think Apple really wants to support Java any more. One hint is the lack of any JVM on the iphone and another is the long time it takes until Apple supports new Java versions.
I use SoyLatte http://landonf.bikemonkey.org/static/soylatte/ although this is a X11 application and thus not very good integrated, but it works for most Java apps even on older Apple hardware.
Are you kidding?
"Mac User's don't care because they never had to worry about this sort of thing before and they are not going to start until something actually happens."
Yeah, thats a good plan.
RE: who really cares anyway
Everyone that uses a Mac should care. The point isn't a trivial vulnerability, its the fact that Apple is so slow in patching their software, and that Macs aren't as invulnerable as the users and Apple make them out to be.
Macs don't have viruses or problems. I know 'cause their commercials say so.
Java - too uncool for Apple
As a Java developer, I do love the fact that the mac comes with a better version of Java than MS ship for Windows. But that doesn't mean it is any good. Also, Apple like to leave all the old versions around, which may be good from a compatibility standpoint, but awful from a security perspective.
So is crApple now following Macro$lut in their secrioty issue management process, namely ignoring it in the hope that a) it will go away if no-one mentions it or b) wait until there are exploits out in the wild for the prob....... oh, wait. Scratch option b).
Come on crApple fannibopis. Why don't you defend "Those Who Can Do No Wrong"(tm). Or will you just stick your fingers in your ears and loudly yell "lalalalalalala I can't hear you. OSX is 100% secure! Lalalalalalalalala"?
re: People still use Java?
Are people still using Macs?!!!
"Everyone that uses a Mac should care. The point isn't a trivial vulnerability, its the fact that Apple is so slow in patching their software, and that Macs aren't as invulnerable as the users and Apple make them out to be."
Please tell me how this impacts on my life in any way whatsoever and how I should 'care'. Should I stop using my Mac, sit here terrified or inconvenience myself by altering my habits?
I don't care. I never will care. And I will blunder around the net forever more knowing full well the chances of anything bad happening to be infinitesimal.
No OS is 'invulnerable', but when it comes down to the fact no harm will come to me in a month of Sundays, semantics are irrelevant.
Practically, I *am* invulnerable. And no smart alec preaching what I should or shouldn't feel or do makes no difference whatsoever.
Stick that in your pipes and smoke it!
"ows coupled with safe browsing and anti-virus software. my never hasn't seen a virus for years now, and I can say no trogons for roughly 2 and half years now. its"
I love it when Windows users claim they've never had a trojan. I mean how would they know?! Because their copy of Norton never mentioned it?!? Surely the entire point of a trojan is to silently penetrate your system, quietly nobble your antivirus and then stealthily sit their awaiting further instructions? Even many of the payloads a trojan might deliver go out of their way to to avoid detection while they log your every keystroke and act as anonymous proxies for their criminal controllers further misdeeds.
MAc, Windows, Linux or Solaris the only time you can be absolutely sure you don't have a trojan is on a freshly installed system that's never been connected to the internet or used by anybody else. Boldy asserting you've never had one (on the worlds most virus ridden platform) just because you have anti-virus software and you've never noticed one makes you look stupid.
This article is confused. JAVA is not part of the OS. So giving other vendors kudos for updating is totally bogus. Castigating Apple for giving such a low priority to JAVA updates is fair.
Still - plagued - by critical Java vuln
I take it this 'plague' is about as worrisome as H1N1?
No wonder no one is all that worried.
Request for comment
"An Apple spokeswoman didn't respond to an email requesting comment."
You're surprised? Do you think Apple's press office even read emails from El Reg? I suspect not...
My dictionary defines "plague" as, "cause continual trouble or distress to." (Yes, dangling preposition and all!)
Somehow, despite the existence of exploit code, one doesn't hear about Mac users "still" having "continual trouble or distress" from this problem. In fact, one doesn't hear that they "occasionally" have trouble or distress.
Maybe because OSX won't run the exploit until the user says she wants to run some strange program downloaded from AbandonAllHope.Com, the source of grief can be quickly shut down, if indeed it has infected more than a handful of Mac users.
I'm not claiming that we Macbois _mightn't_ have trouble, just that the headline seems horribly overwrought. As in, "Man Stomps on Elephant!!!" (without an elephant).
Don't get too complacent about H1N1.
The "Spanish Flu" that killed about 50,000,000 people in 1918-1919 was an H1N1 flu.
"This is a rather sad reflection on the once-"cutting-edge" technology that is Java"
You kidding me? You're kidding me, right?
If a language was cutting-edge ten years ago, it's going to be pretty difficult for it to still be cutting-edge. Most "cutting-edge" developments turn out to be bullshit, and die a quiet death about a year after their hype, whereas Java is mainstream now. Your comment seems to imply that it's fallen on its arse. The various Java-based enterprise systems I use on a daily basis would tend to disagree.
@ Roger Heathcote
"I love it when Windows users claim they've never had a trojan. I mean how would they know?! Because their copy of Norton never mentioned it?!?"
Because alongside a basic anti virus package, I check for suspoious network connections every couple of weeks, check the packets that are coming in and out of my computer , scan with at least 2 different scans (online scans) each month and keep my system up to date with security patches.OH and i scan for spyware as well because at the moment that is more liekly to infect you it seems.
Boldly saying that the person can't have a clean system based on limited information about how the person is checking makes you look like an idiot.
".....the mac comes with a better version of Java than MS ship for Windows."
From the Article:
"There's no such requirement on Microsoft developers, since Sun provides Java fixes on that platform."
So MS don't actually ship a version for Windows, Sun do. I suspect that MS may well bundle what was the latest version at the time on install media and offer updates via Win update for those with the Java updater turned off, but I wouldn't know. I get my updates automagically from Sun.
I'm intrigued as to how exactly Apple's later interpretation of a Java release is always "better" than the vanilla Sun version.
This is precisely why I have never parted dollars for anything made by Apple. Well, that, and the fact that I consider their build quality to be flaky. I know I can do a better job (and have, consistently, over the last 10 years) - and the likes of Intel, Asus, Creative, WD and Antec have yet to let me down. But getting back to Apple's attitude to its customers, I would say that I'd rather be on the other side of the fence than having my money in Apple's hands.
Besides, Microsoft Windows XP isn't such a bad OS if you are actually in the business of doing something useful. I avoid the need for both Linux and Mac OS X by having Cygwin installed - so I can do my ssh and gnu stuff at the same time as my Outlook, Photoshop and Visio sessions. Just a Solaris x86 VMware instance allows me to compile software for my x86 UNIX boxen, so I don't have to install everything under the sun (literally).
"But Mac's don't suffer from viruses and malware"
Java is a Sun thing?
OK so you get the JRE from Apples sources but if its created by or in collaboration with Sun then perhaps the reason behind the lack of update lies outside apple. Its quite possible apple have got into MS's 'its our operating system but we dont have a clue how it works' mode (Samba had to tell them how their SMB worked) and Java is not simple so they cant work out how to mend it.
Java is part of OS X
"...This article is confused. JAVA is not part of the OS..."
It is, being Apple the one who maintains and distributes OS X' custom version.
Sounds about right for Apple!
There are lots of problems with OSX, that never see the light of day due to the low number of twonks using Apple stuff. Sanctimonious khaki-clad fools that they are!
To a certain extent Apple is worse than WIndows, at least with Windows MS only make the O/S and others can try it on any hardware to spot the problems, with OSX you have to use it on one brand of hardware and nothing else ( hackintosh's aside ). Java is a pig at the best of times and the fact that Apple can't be arsed to fix something that is not a problem yet, just about sums their attitude up as usual!
( Oh by the way I own three iMacs, great systems love 'em to death, I am just fed up with narrow-minded, self-rightous fanboi's giving us serious IT people using OSX, a bad name! )
"I'm intrigued as to how exactly Apple's later interpretation of a Java release is always "better" than the vanilla Sun version."
Maybe in the same way that IBM's and Blackdown's JVM on Linux are better than Sun's.
I don't know whether it is the case but those other 2 consistently manage to better Sun on Linux
"Maybe in the same way that IBM's and Blackdown's JVM on Linux are better than Sun's."
Right, right, that must be why I always have to install the Sun JVM to stop memory problems, Eclipse grinding to a halt, etc.
Who uses JAVA anymore?
/I keed... I keed...
"Because alongside a basic anti virus package, I check for suspoious network connections every couple of weeks, check the packets that are coming in and out of my computer , scan with at least 2 different scans (online scans) each month and keep my system up to date with security patches.OH and i scan for spyware as well because at the moment that is more liekly to infect you it seems."
I guess the economy depends on sad bastards like you.
Shock headline: Java user defends Java! Meanwhile, the rest of the world carries on not caring. While I enjoyed your tangent, you appear to have missed my point entirely. The only reason for my "cutting-edge" reference was ironic (note sarcastic quotation marks), to suggest that it's always been lowest-common-denominator crap. HTML and ECMAScript were around before Java on the web, and have learned lots of fancy new tricks so they're even more relevant today; Java has undeniably 'fallen on its arse', as it thoroughly deserved to. It's left with a small niche in enterprise, of course – where infrastructure traditionally evolves at sub-glacial speeds.
I'm convinced it's time to have Java off by default for web browsers, and really to seriously consider whether it's worth including at all. I know the last time I used a Java applet was the late nineties.
Microsoft Java VM
It's a shame the Microsoft JVM is no more. Because now every few months we have to log on as an admin and click through an unnecessarily lengthy wizard and be shown adverts for OpenOffice. I'd much rather have Windows Update do it for me while I'm asleep.
"Java has undeniably 'fallen on its arse', as it thoroughly deserved to. It's left with a small niche in enterprise, of course – where infrastructure traditionally evolves at sub-glacial speeds."
That's so wrong it's not even worth responding to.
- Crawling from the Wreckage Want a more fuel efficient car? Then redesign it – here's how
- Apple SILENCES Bose, YANKS headphones from stores
- TV Review Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
- Vid NASA eyeballs SOLAR HEAT BOMBS, MINI-TORNADOES and NANOFLARES on Sun
- Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt