Apple FINALLY fills gaping Java hole that pwned its own devs

Apple has belatedly patched a security hole in the Java engine it ships with Mac OS X - the very hole exploited by hackers to infect Apple's own developers, their counterparts at Facebook and scores of other Mac-using companies. The vulnerability allowed miscreants to execute malicious code outside of the limited and …

COMMENTS

This topic is closed for new posts.
  1. Mostly_Harmless Silver badge
    Facepalm

    "all but dismissed malware as a Windows-only problem."

    Pride comes before a fall

    1. mrweekender
      Megaphone

      Bah...

      Just install Java 7 or better still get rid of shitty Java permanently - problem solved.

    2. Steve Evans

      Given the general Apple device bent of the BBC, I'm amazed they haven't been completely pwned too...

      Then again, maybe the whole NUJ strike the other day was just a cover?

      1. Anonymous Coward
        Anonymous Coward

        BBC

        Yes indeed those luvies have lost the use of their shiny iToys, how terrible it must be for them...but great for the rest of us.

    3. Michael Thibault

      Hyperbolic...

      bullshit on the part of chain-yanking, cage-rattling journos, methinks.

    4. Slabfondler
      Paris Hilton

      Oh the irony...are you proud to be the first poster and quote the bible badly?

      "Pride goeth before destruction, and an haughty spirit before a fall."

      Oh oh, double irony alert...I'm fallinggggggg.......

      Paris as she thinks irony is something one of her PAs does.

  2. Destroy All Monsters Silver badge
    FAIL

    It's pretty hard to keep up, it's not like they are exactly loaded with money.

    Isn't it, Apple?

    1. Irongut

      Re: It's pretty hard to keep up, it's not like they are exactly loaded with money.

      My heart bleeds for this poor little company who have so few staff it took them 3 weeks to release someone else's patch.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's pretty hard to keep up, it's not like they are exactly loaded with money.

        They are far too busy innovating more iRipoffs, you should get your priorities in order!

  3. Captain TickTock
    Facepalm

    A good example is better..

    than a long speech...

  4. Spender

    Why not...

    ...just hand management of the entire steaming poo over to Oracle instead of getting stuck in the middle of somebody else's release schedule. Then they can just point the finger without the reputation damage that Java is currently causing them.

    What is this cosy relationship between Java and Apple anyway?

    Since Apple demoted Java from being the "first class" citizen of OS X that they originally anticipated, there's no real decent reason for them to be involved in the release of somebody else's software.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why not...

      They have done for Java 7. Seeing as Java 6 was an Apple maintained release they are responsible for that.

      They wanted Java to look native as anyone would, hence their own re-skinned version.

      1. Anonymous Coward
        Boffin

        Re: Why not...

        >"They wanted Java to look native as anyone would, hence their own re-skinned version."

        Ouch! Apple hasn't just fallen years behind Google in Maps - now they've fallen years behind MS in their ability to cobble together a unified looking UI.

  5. jai

    perhaps not the best idea

    Except, for some of us, we have to run Java to do our jobs. And if we don't, then we don't get paid, so can't pay the rent and so are thus homeless and starving to death.

    So, on balance, I'd say installing Java to remove the malware was a good idea, and at the same time, following the advice in this article to be aware if someone does manage to get malware on my machine:

    http://reviews.cnet.com/8301-13727_7-57415311-263/monitor-os-x-launchagents-folders-to-help-prevent-malware-attacks/

  6. NomNomNom

    How would you know your machine was part of a botnet these days? Given flash and java are so full of holes, browsers aren't always that secure, anti-virus is not perfect, then all it may have taken is some malicious google ad appearing on some website I visited at some point to have installed some rootkit.

    If anti-virus doesn't pick it up then it's hidden. I can't trust any readout from software for what my computer is doing. Internet running slow? I can run netstat to see all active connections, or run wireshark or something to look at packets, but have the underlying network assemblies been tampered with so that certain information is being hidden from me?

    The only thing I can think of is to resort to extremes like always browsing the internet under a VM, or setting up another machine as a router so that I can monitor the traffic without fear that some rootkit is hiding stuff. Or reinstall the OS regularly (under the idea that it might help).

    Then again there is the tree falls in a forest principle: if I am part of a botnet but don't know I am part of a botnet, do I care?

    1. Rob Carriere

      Browsing under a VM isn't a guarantee. There have been far too many break-out vulnerabilities for that to be a trusted setup. Monitoring from a router would be better, as the attack surface of the router can be made much smaller than that of the regular machine. And, nastily enough, there have been rootkits that survive an OS reinstall by hiding in the boot memory...

      By and large, for most people, I suspect these days you know you're part of a botnet when your ISP calls you and tells you...

    2. Robert Helpmann??
      Childcatcher

      If a tree falls in a forest....

      @NomNomNom, I was going to comment on Apple's idea of security (...to use the malware removal tool you have to install Java...), but it seems self explanatory as to why it is a bad plan. Instead, you raise a couple of good points.

      I do not see how browsing through a VM should be considered an extreme act, especially as at least one OS is in the works which virtualizes (if that is even a word) pretty much everything.

      As far as being lost amongst the trees, well, I suspect you will not care why your machine acts odd from time to time, or runs slow, or that your identity has been stolen, only that these things have happened. If your machine has been compromised and is part of a botnet, it probably has other malware, too.

      1. Robert Carnegie Silver badge

        Hang on -

        It says on the anti-malware page, "This update is available for systems that installed Java 6", but does that imply that you have to still have Java 6 installed to use that?

        By the way, PUBLIC and free updates to Java 6 (not Java 7) from Oracle are due to terminate at the end of this month, according to,

        http://www.oracle.com/technetwork/java/eol-135779.html

        Updates to a Mac version may be different. And business users who are stuck with Java 6 for their particular needs presumably are expected to pay for support.

    3. jai

      How would you know your machine was part of a botnet these days?

      Install something like LittleSnitch. That'll alert you to anything new that starts communicating from your machine to the outside world.

      It's a pain for the first week or so, as you get alerted to everything, and have to acknowledge the ones you're okay with and investigate the ones you're suspicious of. But after you've got it bedded in, then you know that any alert that comes up which you didn't do anything unusual to initiate is likely malware trying to dial home, and so you can kill it.
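      The "how would you know?" question earlier in the thread (netstat, Wireshark) and the bed-it-in-then-alert approach described here, as an added example that is not from any poster: a baseline-then-alert check over connection listings, written in Python. The listings are constructed to look like `lsof -i -nP` output on macOS (the column layout is my assumption, not a LittleSnitch interface); every process name, PID and address in them is made up.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# One `lsof -i -nP` row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME,
# where NAME for a connected socket is local->remote (STATE). Peer-less rows skip.
_ROW_RE = re.compile(
    r"^(?P<cmd>\S+)\s+\d+\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+(?P<proto>TCP|UDP)\s+"
    r"\S+->(?P<rhost>\S+?):(?P<rport>\d+)(?:\s+\([A-Z_]+\))?$"
)

class Conn(NamedTuple):
    cmd: str    # keyed by process too, so a known host reached by a new process alerts
    proto: str
    rhost: str
    rport: int

def parse_lsof(text: str) -> list[Conn]:
    """Every outbound (peer-bearing) connection in a constructed lsof listing."""
    out: list[Conn] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:  # header, LISTEN and unbound UDP rows do not match
            out.append(Conn(m["cmd"], m["proto"], m["rhost"], int(m["rport"])))
    return out

def learn_baseline(snapshots: list[str]) -> set[Conn]:
    """Union of everything seen while bedding in (the noisy first week)."""
    return {c for snap in snapshots for c in parse_lsof(snap)}

def new_connections(snapshot: str, baseline: set[Conn]) -> list[Conn]:
    """Connections the baseline never saw: the ones to investigate or kill."""
    return [c for c in parse_lsof(snapshot) if c not in baseline]

# Constructed listings (RFC 5737/3849 documentation addresses, made-up PIDs).
LEARNING = """\
COMMAND     PID USER           FD   TYPE DEVICE  SIZE/OFF NODE NAME
Safari     4021 alice          22u  IPv4 0x1a2b3c     0t0  TCP 192.0.2.10:49522->198.51.100.7:443 (ESTABLISHED)
Mail       4099 alice          31u  IPv4 0x1a2b3d     0t0  TCP 192.0.2.10:49530->198.51.100.20:993 (ESTABLISHED)
mDNSRespo   123 _mdnsresponder  8u  IPv4 0x1a2b3e     0t0  UDP *:5353
"""
LATER = """\
COMMAND     PID USER           FD   TYPE DEVICE  SIZE/OFF NODE NAME
Safari     4021 alice          22u  IPv4 0x1a2b3c     0t0  TCP 192.0.2.10:49522->198.51.100.7:443 (ESTABLISHED)
Mail       4099 alice          31u  IPv4 0x1a2b3d     0t0  TCP 192.0.2.10:49530->198.51.100.20:993 (ESTABLISHED)
java       5150 alice          17u  IPv4 0x1a2b3f     0t0  TCP 192.0.2.10:49611->203.0.113.44:8080 (SYN_SENT)
Safari     4021 alice          23u  IPv6 0x1a2b40     0t0  TCP [2001:db8::10]:49700->[2001:db8::7]:443 (ESTABLISHED)
"""

if __name__ == "__main__":
    for c in new_connections(LATER, learn_baseline([LEARNING])):
        print(f"NEW: {c.cmd} -> {c.rhost}:{c.rport}/{c.proto}")
```

      Feeding real `lsof -i -nP` output to `learn_baseline` over several days and then running `new_connections` on each fresh listing gives the same "anything I didn't initiate" signal, minus the per-connection prompt.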

    4. Anonymous Coward
      Anonymous Coward

      Botnets

      The best, but not guaranteed, way would be to have two computers, one of them being completely standalone and not exposed to your network / internet and comprising all your data and applications that you actually do work on. Files are then burned to a CD / DVD and transferred to the other PC for emailing, etc. I don't actually do this, but am beginning to consider it. The isolated PC would also be one of my self-built older ones, to help minimise the risk that the hardware / firmware is infiltrated by the Chinks.

  7. Mike Bell

    A world without browser Java and Flash would be great

    Perhaps Apple should block users from installing deadly software like Flash and Java. I can't help thinking it would be for the best, given the track record of Adobe and Oracle.

    I have Java disabled in my browser and Flash won't run because the browser doesn't have the most recent Adobe plug-in. I think I'll keep it that way.

    1. Michael Thibault

      Re: A world without browser Java and Flash would be great

      > Perhaps Apple should block users from installing deadly software like Flash and Java

      Perhaps Adobe and Oracle should be required to provide complete, current, cumulative, and detailed instructions, prominently displayed on their own sites, for how to go about definitively uninstalling software like Flash and Java--nuke-it-from-orbit-style.

  8. LPF

    Can someone explain to me ....

    How a hole in the Java software ... is Apple's fault???

    And let's get something straight: malware on desktop computers is pretty much a Windows problem, we are still talking small change when it comes to Apple, and no amount of snide reporting, or AC boot-licking, is going to change that.

    1. Test Man
      Stop

      Re: Can someone explain to me ....

      Cos apparently the Java on Mac OS X is Apple's responsibility.

      1. Anonymous Coward
        Anonymous Coward

        Re: Can someone explain to me ....

        Wrong, it was for Java 6. Oracle maintain Java 7 on OSX.

        When you install OSX Mountain Lion it doesn't install Java. The first Java app you run causes a prompt asking you if you want to install Java.

        It's not like Java was pre-installed.

      2. Anonymous Coward
        Anonymous Coward

        Re: Can someone explain to me ....

        " the Java on Mac OS X is Apple's responsibility"....no, the iFanboys believe that the Java on their machines is MS' responsibility, they always blame MS.

    2. diodesign (Written by Reg staff) Silver badge

      Re: Can someone explain to me ....

      "How a hole in the Java software ... is Apples fault???"

      It's more than that: people accuse Apple of being slow to roll out security patches, such as this one from Oracle. Ultimately, Apple was stung by its own schedule.

      C.

    3. Tom 13

      Re: Can someone explain to me ....

      For the same reason a problem in IE is an OS issue at MS: they built it that way. As in 'the user has no ability to fix the problem' absent a patch from the relevant OS vendor.

      Yes, they have belatedly realized that they made a mistake worthy of Ballmer and reversed course, but given that it was obvious to everyone who wasn't a fanboi, it's not helping them.

  9. Test Man
    Stop

    Can anyone explain why Apple machines would be infected when Apple had removed the browser plug-in part of Java back in October?

    1. Anonymous Coward
      Anonymous Coward

      Some people still need the Java plugin.

  10. Tom 13
    Joke

    Meh, it's an Apple OS problem.

    I run Windows, so no concern of mine.

    1. Anonymous Coward
      Anonymous Coward

      Re: Meh, it's an Apple OS problem.

      Wrong, if you have Java 6 without the patch then you are vulnerable.

      Java is a compiled interpreted language and any exploit in the VM can be possible on multiple OSes in some cases.

      1. Stevie

        Re: Meh, it's an Apple OS problem.

        "Wrong, if you have Java 6 without the patch then you are vulnerable.

        Java is a compiled interpreted language and any exploit in the VM can be possible on multiple OSes in some cases."

        But you see, since any time there is an "issue" in the Wintel world so many tektards are gleefully shouting about it you can pretty much get the gist within hours from the side of a milk carton, everyone else got the memo about Java from their browser weeks ago and, if they had any sense, took the suggestion seriously and turned the bugger off, since Oracle weren't being terribly pro-active about dealing with the problem.

        In the Apple world the problems still exist, it's just that no-one talks about them (sometimes because getting a fix involves NDA paperwork - according to one famous Apple promoting geek). The uninformed Apple kit user - which is most of 'em - is rather hung out to dry on a string of increasingly untrue assumptions drawn using an internet crime model from the last century. No glee here in saying that, I use whatever comes to hand. Linux, Solaris, AIX, OS2200, Windows; all just tools needed to get the real work done (which isn't anything to do with computers as I keep reminding our "server division").

        That bloke who was crying about not getting paid will likely either be overjoyed at the overtime or crying again soon - I'm told by our Java lot that installing 7 caused no end of problems in some of our legacy applications. Serves 'em right. We move money from place to place, we don't launch rockets or run massive shared world online games and we don't offer anything sophisticated in our website access because we don't need to. What we need is more Cobol* not closer ties to Oracle.

        * which works, gets upgraded maybe twice a decade and has intrinsic money-handling data types that obviate stupid programmer lack-of-acumen. Never heard of scaled decimal young feller me lad? Let me introduce you to Mr Textbook. Mr Textbook, meet Mr Programmer's head.

        1. All names Taken

          Re: Meh, it's an Apple OS problem.

          Younger participants (assuming that there are some?)

          CoBoL

          Common Business Oriented Language - an attempt to take geekiness out of geek to provide solutions pragmatic and practical (and usually anti-theory, non-theory or contra-theory business types favoured such as: No, don't want a new computer language. Computer has a language and we just want it to do as we want it to do. Okay?)

          thus doing things on a pootah that emulated older, traditional non-computational working methods that might have lacked logic yet oozed human values in a way that non-geeks enjoyed an intimate understanding of and influence in, no?

          1. Michael Wojcik Silver badge

            Re: Meh, it's an Apple OS problem.

            Common Business Oriented Language - an attempt to take geekiness out of geek to provide solutions pragmatic and practical (and usually anti-theory, non-theory or contra-theory business types favoured such as: No, don't want a new computer language. Computer has a language and we just want it to do as we want it to do. Okay?)

            thus doing things on a pootah that emulated older, traditional non-computational working methods that might have lacked logic yet oozed human values in a way that non-geeks enjoyed an intimate understanding of and influence in, no?

            The syntactic structure is reasonably close, but no one would believe this was written by a human. I think your model needs more training.

      2. Tom 13

        @AC 2013/2/20 14:51 GMT

        Wow. Not only no sense of humor, but while you can make out the words you can't interpret the icon. It was a riff on all the Mactards always posting that malware is only a Windows problem.

        If you've read ANY of my other posts you'd know I take vulnerabilities ANYWHERE seriously. I particularly take note of Java vulnerabilities because some fucktards way up the chain of command insist critical financial apps in our organization run on Java versions known to be vulnerable. At one point we were still dependent on 1.5.16 and Sun had discontinued support for any version of v5 3 years earlier. That this app potentially conflicted with any of three OTHER financial apps that depend on still different specific outdated versions of Java only made it more fun when one of them failed because of a corruption somewhere in the Java stack because we still pushed updates to try to protect the network.

    2. asdf

      Re: Meh, it's an Apple OS problem.

      The problem isn't Apple or Microsoft, it's Oracle. Oracle has the worst security practices in the industry (granted SUN really got the ball rolling with their shit JVM implementation originally). I can't believe so many of the world's databases are running on their junk software methodology. If you install Oracle or Adobe software it doesn't really matter what your OS is. You are asking for a world of hurt if your computer is connected to a network.

      1. Oninoshiko
        FAIL

        Oracle's problem

        No, it's not. Oracle released a patch for all oracle versions of java. APPLE RELEASED A CUSTOM VERSION OF JAVA 6, THEN DIDN'T BOTHER TO RELEASE A PATCH. The blame for that is squarely at the feet of Apple.

  11. asdf
    FAIL

    hahahahahahahah

    Oracle Unbreakable! Epic fail.

  12. Kevin McMurtrie Silver badge
    Thumb Down

    Duh

    "But to use the malware removal tool you have to install Java and this is perhaps not the best idea especially since the language has become a prime target for hacking attacks of late, as Sean Sullivan of security software firm F-Secure notes."

    Install Java but don't enable the browser applet plugin. Java by itself is no danger.
