Apple has released security updates for Mac OS X and Mac OS X Server 10.4.11 and 10.5.7 - more than six months after Sun Microsystems warned the world of flaws in its Java virtual machine that make it easy for attackers to execute malware on users' Macs, PCs, and Linux boxes. Better late than never. Last month, The Reg took …
You could have been...
... but as far as I know no one was. I just turned java off until now.
Java for Cloud Assignations and AIMissions
"I just turned java off until now." ... By John Molloy Posted Tuesday 16th June 2009 17:53 GMT
Java is not something that you can off. And it is a Very Powerful Language able to Converse with All Virtual Machines and NINJA Machinery .... which are in Reality and Virtualisation, Neural Networks InterNetworking at Quantum Communications Levels/Higher Deeper Virtual Core Processor Architecture Builds.
Do you mean there was more than one? Aaaargh!
Was that a BuzzwordsBot?
Can we vivisect it? Can we?
@ El Reg
Quote: "If you followed our suggestion last month to take Security researcher Landon Fuller's advice to disable Java applets in your browser and uncheck the "Open 'safe' files after downloading" setting in Safari's General preferences, you're now free to reverse those changes."
Or you could just leave them both off permanently. Is Java actually used for anything useful on the web these days, for the vast majority of people? It has been off in my browser for months and I haven't noticed it at all.
The 'safe' files thing is something that should never, ever be on. The most retarded setting in a browser anywhere. I just love how Apple puts it between quotes to indicate that even they don't believe that these files are 'safe'.
My advice - unless you really do need Java for anything, just leave it off. 'Safe' file opening should be left off regardless of what you want. If you are incapable of double-clicking a downloaded file to open it yourself then you shouldn't be using a computer. If you are stupid enough to double-click something in your Downloads folder that you didn't download yourself, then you shouldn't be permitted to carry on living in a Darwin Award type of way.
Any chance of
some evidence of working exploits in the wild taking advantage of this vulnerability? After all if it has been known about for over 6 months that's plenty of time for one or more, so where are they? Your tut tutting at Apple's tardiness would carry more weight if there was a real risk, without exploits the risk is only theoretical and the continuing lack of exploits on the platform would indicate that Apple is right in not choosing to rush these things.
No update for 10.5.6!
10.5.7 was a big download and I hadn't got around to it yet. Shocked to find the fix wasn't offered at 10.5.6 so needless to say I have now done both.
I'd echo Muscleguy's comment that if there's no exploit then the tone of your article was scaremongering. But better safe than sorry.
Wait just a damn second here. Will the real amanfromMars please stand up?
Oh god I hate that song and for that I am going to go swallow a gun barrel now.
/Anon because I don't want to be associated with this comment
Analysing the outcome of 6 months of unpatched Java, in hindsight, and excusing Apple's tardiness because nothing happened doesn't make much sense, does it? You wouldn't leave your front door wide open all day, every day simply because you're not aware of any burglars in the area.
Surely it's the fact that there COULD have been exploits developed at any point over the last 6 months that's important. That's the difference between proactive and reactive security... or in Apple's case inactive.
OK I downloaded the OS update Sunday (~140 MB) and another ~ 500 MB today.... I wonder what this thing will run like after the download has fully expanded.
@ George Schultz
The 'WOW' starts now!
No not really. No difference for 10.5.7. Doing a separate download for 10.4.
Well said, good summary.
Must be something important right? To warrant such a speedy response?
No Script protects against this, allowing only scripts & Java from specified domains to be run. It's been protecting me since this situation was outed and as a side-benefit I've had a nicer net experience, as a majority of ads get blocked as well. http://noscript.net
So, no need to patch unless there's an exploit? *REALLY* clever! This would be the famed Apple security would it?
Oh, of course, I'm forgetting that the blessed Steve *KNEW* that there wouldn't be an exploit for at least six months and so it was safe to do nothing. Get real - if there's a vulnerability you patch for it, you don't wait for it to be exploited.
@ Qwertyuiop and others
"So, no need to patch unless there's an exploit? *REALLY* clever! This would be the famed Apple security would it?"
No. But the point is that it was easy enough to NOT have running which is what I did when the security alert came up. I don't have any reason to run it anyway and one would assume that those that did would be on some kind of trusted network anyway.
Well, at least that explains why I occasionally understood one of his posts - it was actually an imposter using his name.
They're about as similar as cow's milk and soya milk