Six months on, Macs still plagued by critical Java vuln

More than six months after Sun Microsystems warned that a flaw in its Java virtual machine made it trivial for attackers to execute malware on end users' machines, the vulnerability remains unpatched on Apple's Mac platform. Most other operating systems, including Windows and major Linux distributions, fixed the bug months ago …

COMMENTS

This topic is closed for new posts.
  1. Pierre
    Jobs Horns

    Om nom nom nom, says the worm...

    The worm is in the Apple. I repeat, the worm is in the Apple.

    Hey, macs are so much more securester than anything else in the world, this little bug shouldn't be a problem... no need to patch guys. Now if you would excuse me, I have to get back up to speed with my Java programming skillz

  2. lennie

    that is crazy

    (don't know if this is double posted)

    It's common to know that Apple falls short when it comes to patching your systems. That's why I'm glad I use Windows coupled with safe browsing and anti-virus software. My never hasn't seen a virus for years now, and I can say no trojans for roughly 2 and a half years now. It's all about safe browsing. It's never good when someone's computer gets a virus or trojan, so please do what is recommended and buckle down your Macs to this vuln by turning off Java applets... This would be a bummer for me though, because I play a lot of Java-based games online with my friends and family at Yahoo Games and games in Windows Live Messenger with my girl.

    However, to the author or anyone who can answer this question: when the user turns off Java applets, does that mean they can't use Google Docs? Personally I don't use Google Docs, but just for the sake of information I'd like to know.

  3. Adam Doran
    Linux

    Apple OS X and pre core duo MacBooks...

    I'm still rather irritated by Apple's decision not to release Java 1.6 for 32bit Macs. Unfortunately I bought my MacBook just before they went 64bit (with the update to core2 duo processors). Several work apps simply cannot run without 1.6, leaving me somewhat dismayed. Why they refuse to support Java 1.6 for such systems is beyond me. I'll not be buying any other computers from them as a result.

  4. James Robertson
    Stop

    who really cares anyway

    Before everyone starts ranting, has anyone actually had a Mac hacked because of this, or is this the usual case of let's start a panic to make ourselves look important from the press/virus software experts etc etc.

  5. Richard Cartledge
    Jobs Halo

    never mind

    What's more important? Hypothesis or Probability?

    Some people must have too little to worry about!

  6. nicholas22
    Flame

    heh

    @James Robertson: You think they would know? They're Mac users...

  7. Andy

    People still use Java?

    This is a rather sad reflection on the once-"cutting-edge" technology that is Java. No-one cares any more! Still, leaving an unpatched, known exploit is a bit stupid.

  8. David Wilkinson

    No one cares?

    Apparently the criminals don't care.

    Their entire skill set is focused on infecting Windows and developing the skills necessary to target a new platform isn't too much effort for too little gain.

    Apple doesn't care because no one ever bothered attacking them. Yes someone put a Trojan into some pirated Mac software, but the blame and the responsibility for that falls on the end user not Apple.

    Mac users don't care because they never had to worry about this sort of thing before and they are not going to start until something actually happens.

  9. Luke
    Jobs Halo

    Google docs don't use Java applets

    Google Docs run on HTML/JavaScript/CSS on the browser.

    As for Apple not patching their version of Java, the logical solution would be to let Sun distribute a JRE for OS X, instead of relying on Apple to do it. This is probably what will happen eventually. Hopefully, the bad PR will shame Apple into fixing this long standing security breach.

  10. Volker Hett

    Apple and Java is a mixed bag :(

    I don't think Apple really wants to support Java any more. One hint is the lack of any JVM on the iphone and another is the long time it takes until Apple supports new Java versions.

    I use SoyLatte http://landonf.bikemonkey.org/static/soylatte/ although this is an X11 application and thus not very well integrated, but it works for most Java apps even on older Apple hardware.

  11. John
    Thumb Down

    Are you kidding?

    "Mac users don't care because they never had to worry about this sort of thing before and they are not going to start until something actually happens."

    Yeah, that's a good plan.

  12. Christopher Ahrens
    Jobs Horns

    RE: who really cares anyway

    Everyone that uses a Mac should care. The point isn't a trivial vulnerability, it's the fact that Apple is so slow in patching their software, and that Macs aren't as invulnerable as the users and Apple make them out to be.

  13. Anonymous Coward
    Jobs Horns

    But...

    Macs don't have viruses or problems. I know 'cause their commercials say so.

  14. Steve Loughran

    Java - too uncool for Apple

    As a Java developer, I do love the fact that the mac comes with a better version of Java than MS ship for Windows. But that doesn't mean it is any good. Also, Apple like to leave all the old versions around, which may be good from a compatibility standpoint, but awful from a security perspective.

  15. Nordrick Framelhammer

    crApple==Macro$lut?

    So is crApple now following Macro$lut in their security issue management process, namely ignoring it in the hope that a) it will go away if no-one mentions it or b) wait until there are exploits out in the wild for the prob....... oh, wait. Scratch option b).

    Come on crApple fannibopis. Why don't you defend "Those Who Can Do No Wrong"(tm). Or will you just stick your fingers in your ears and loudly yell "lalalalalalala I can't hear you. OSX is 100% secure! Lalalalalalalalala"?

  16. Mick F
    Jobs Horns

    re: People still use Java?

    Are people still using Macs?!!!

  17. Anonymous Coward
    Anonymous Coward

    So what

    "Everyone that uses a Mac should care. The point isn't a trivial vulnerability, it's the fact that Apple is so slow in patching their software, and that Macs aren't as invulnerable as the users and Apple make them out to be."

    Please tell me how this impacts on my life in any way whatsoever and how I should 'care'. Should I stop using my Mac, sit here terrified or inconvenience myself by altering my habits?

    I don't care. I never will care. And I will blunder around the net forever more knowing full well the chances of anything bad happening to be infinitesimal.

    No OS is 'invulnerable', but when it comes down to the fact no harm will come to me in a month of Sundays, semantics are irrelevant.

    Practically, I *am* invulnerable. And no smart alec preaching what I should or shouldn't feel or do makes no difference whatsoever.

    Stick that in your pipes and smoke it!

  18. Roger Heathcote
    Flame

    @lenny

    "ows coupled with safe browsing and anti-virus software. My never hasn't seen a virus for years now, and I can say no trojans for roughly 2 and a half years now. its"

    I love it when Windows users claim they've never had a trojan. I mean how would they know?! Because their copy of Norton never mentioned it?!? Surely the entire point of a trojan is to silently penetrate your system, quietly nobble your antivirus and then stealthily sit there awaiting further instructions? Even many of the payloads a trojan might deliver go out of their way to avoid detection while they log your every keystroke and act as anonymous proxies for their criminal controllers' further misdeeds.

    Mac, Windows, Linux or Solaris, the only time you can be absolutely sure you don't have a trojan is on a freshly installed system that's never been connected to the internet or used by anybody else. Boldly asserting you've never had one (on the world's most virus-ridden platform) just because you have anti-virus software and you've never noticed one makes you look stupid.

  19. Anonymous Coward
    Flame

    Confusion

    This article is confused. JAVA is not part of the OS. So giving other vendors kudos for updating is totally bogus. Castigating Apple for giving such a low priority to JAVA updates is fair.

  20. Matt
    Thumb Up

    Still - plagued - by critical Java vuln

    I take it this 'plague' is about as worrisome as H1N1?

    No wonder no one is all that worried.

  21. Jeremy
    Heart

    Request for comment

    "An Apple spokeswoman didn't respond to an email requesting comment."

    You're surprised? Do you think Apple's press office even read emails from El Reg? I suspect not...

  22. Walt French

    "Plagued?"

    My dictionary defines "plague" as, "cause continual trouble or distress to." (Yes, dangling preposition and all!)

    Somehow, despite the existence of exploit code, one doesn't hear about Mac users "still" having "continual trouble or distress" from this problem. In fact, one doesn't hear that they "occasionally" have trouble or distress.

    Maybe because OSX won't run the exploit until the user says she wants to run some strange program downloaded from AbandonAllHope.Com, the source of grief can be quickly shut down, if indeed it has infected more than a handful of Mac users.

    I'm not claiming that we Macbois _mightn't_ have trouble, just that the headline seems horribly overwrought. As in, "Man Stomps on Elephant!!!" (without an elephant).

  23. elderlybloke
    Dead Vulture

    Dear Matt

    Don't get too complacent about H1N1.

    The "Spanish Flu" that killed about 50,000,000 people in 1918-1919 was an H1N1 flu.

  24. Greg

    @Andy

    "This is a rather sad reflection on the once-"cutting-edge" technology that is Java"

    You kidding me? You're kidding me, right?

    If a language was cutting-edge ten years ago, it's going to be pretty difficult for it to still be cutting-edge. Most "cutting-edge" developments turn out to be bullshit, and die a quiet death about a year after their hype, whereas Java is mainstream now. Your comment seems to imply that it's fallen on its arse. The various Java-based enterprise systems I use on a daily basis would tend to disagree.

  25. Anonymous Coward
    Anonymous Coward

    @ Roger Heathcote

    "I love it when Windows users claim they've never had a trojan. I mean how would they know?! Because their copy of Norton never mentioned it?!?"

    Because alongside a basic anti virus package, I check for suspicious network connections every couple of weeks, check the packets that are coming in and out of my computer, scan with at least 2 different scans (online scans) each month and keep my system up to date with security patches. Oh, and I scan for spyware as well because at the moment that is more likely to infect you it seems.

    Boldly saying that the person can't have a clean system based on limited information about how the person is checking makes you look like an idiot.

  26. TeeCee Gold badge

    @Steve Loughran

    You:

    ".....the mac comes with a better version of Java than MS ship for Windows."

    From the Article:

    "There's no such requirement on Microsoft developers, since Sun provides Java fixes on that platform."

    So MS don't actually ship a version for Windows, Sun do. I suspect that MS may well bundle what was the latest version at the time on install media and offer updates via Win update for those with the Java updater turned off, but I wouldn't know. I get my updates automagically from Sun.

    I'm intrigued as to how exactly Apple's later interpretation of a Java release is always "better" than the vanilla Sun version.

  27. This post has been deleted by its author

  28. Anonymous Coward
    Flame

    snigger snigger

    "But Mac's don't suffer from viruses and malware"

  29. Tom

    Java is a Sun thing?

    OK so you get the JRE from Apple's sources but if it's created by or in collaboration with Sun then perhaps the reason behind the lack of update lies outside Apple. It's quite possible Apple have got into MS's 'its our operating system but we don't have a clue how it works' mode (Samba had to tell them how their SMB worked) and Java is not simple so they can't work out how to mend it.

  30. snafu

    Java is part of OS X

    "...This article is confused. JAVA is not part of the OS..."

    It is, being Apple the one who maintains and distributes OS X's custom version.

  31. Sergie Kaponitovicz

    NoScript

    Firefox+NoScript=Sorted.

  32. Anonymous Coward
    Thumb Up

    Sounds about right for Apple!

    There are lots of problems with OSX, that never see the light of day due to the low number of twonks using Apple stuff. Sanctimonious khaki-clad fools that they are!

    To a certain extent Apple is worse than Windows, at least with Windows MS only make the O/S and others can try it on any hardware to spot the problems, with OSX you have to use it on one brand of hardware and nothing else ( hackintoshes aside ). Java is a pig at the best of times and the fact that Apple can't be arsed to fix something that is not a problem yet, just about sums their attitude up as usual!

    ( Oh by the way I own three iMacs, great systems love 'em to death, I am just fed up with narrow-minded, self-righteous fanbois giving us serious IT people using OSX, a bad name! )

  33. Mark

    @TeeCee

    "I'm intrigued as to how exactly Apple's later interpretation of a Java release is always "better" than the vanilla Sun version."

    Maybe in the same way that IBM's and Blackdown's JVM on Linux are better than Sun's.

    I don't know whether it is the case but those other 2 consistently manage to better Sun on Linux

  34. Greg

    @Mark

    "Maybe in the same way that IBM's and Blackdown's JVM on Linux are better than Sun's."

    Right, right, that must be why I always have to install the Sun JVM to stop memory problems, Eclipse grinding to a halt, etc.

  35. Aaron
    Jobs Halo

    JAVA

    Who uses JAVA anymore?

    /I keed... I keed...

  36. albaleo

    @AC

    "Because alongside a basic anti virus package, I check for suspicious network connections every couple of weeks, check the packets that are coming in and out of my computer, scan with at least 2 different scans (online scans) each month and keep my system up to date with security patches. Oh, and I scan for spyware as well because at the moment that is more likely to infect you it seems."

    I guess the economy depends on sad bastards like you.

  37. Andy

    @Greg

    Shock headline: Java user defends Java! Meanwhile, the rest of the world carries on not caring. While I enjoyed your tangent, you appear to have missed my point entirely. The only reason for my "cutting-edge" reference was ironic (note sarcastic quotation marks), to suggest that it's always been lowest-common-denominator crap. HTML and ECMAScript were around before Java on the web, and have learned lots of fancy new tricks so they're even more relevant today; Java has undeniably 'fallen on its arse', as it thoroughly deserved to. It's left with a small niche in enterprise, of course – where infrastructure traditionally evolves at sub-glacial speeds.

    I'm convinced it's time to have Java off by default for web browsers, and really to seriously consider whether it's worth including at all. I know the last time I used a Java applet was the late nineties.

  38. Martin Edwards
    Gates Halo

    Microsoft Java VM

    It's a shame the Microsoft JVM is no more. Because now every few months we have to log on as an admin and click through an unnecessarily lengthy wizard and be shown adverts for OpenOffice. I'd much rather have Windows Update do it for me while I'm asleep.

  39. Greg

    @Andy

    "Java has undeniably 'fallen on its arse', as it thoroughly deserved to. It's left with a small niche in enterprise, of course – where infrastructure traditionally evolves at sub-glacial speeds."

    That's so wrong it's not even worth responding to.
