You could have been...
... but as far as I know no one was. I just turned Java off until now.
Apple has released security updates for Mac OS X and Mac OS X Server 10.4.11 and 10.5.7 - more than six months after Sun Microsystems warned the world of flaws in its Java virtual machine that make it easy for attackers to execute malware on users' Macs, PCs, and Linux boxes. Better late than never. Last month, The Reg took …
"I just turned Java off until now." ... By John Molloy Posted Tuesday 16th June 2009 17:53 GMT
Java is not something that you can turn off. And it is a Very Powerful Language able to Converse with All Virtual Machines and NINJA Machinery .... which are in Reality and Virtualisation, Neural Networks InterNetworking at Quantum Communications Levels/Higher Deeper Virtual Core Processor Architecture Builds.
Quote: "If you followed our suggestion last month to take Security researcher Landon Fuller's advice to disable Java applets in your browser and uncheck the "Open 'safe' files after downloading" setting in Safari's General preferences, you're now free to reverse those changes."
Or you could just leave them both off permanently. Is Java actually used for anything useful on the web these days, for the vast majority of people? It has been off in my browser for months and I haven't noticed it at all.
The 'safe' files thing is something that should never, ever be on. The most retarded setting in a browser anywhere. I just love how Apple puts it between quotes to indicate that even they don't believe that these files are 'safe'.
My advice - unless you really do need Java for anything, just leave it off. 'Safe' file opening should be left off regardless of what you want. If you are incapable of double-clicking a downloaded file to open it yourself then you shouldn't be using a computer. If you are stupid enough to double-click something in your Downloads folder that you didn't download yourself, then you shouldn't be permitted to carry on living in a Darwin Award type of way.
some evidence of working exploits in the wild taking advantage of this vulnerability? After all if it has been known about for over 6 months that's plenty of time for one or more, so where are they? Your tut tutting at Apple's tardiness would carry more weight if there was a real risk, without exploits the risk is only theoretical and the continuing lack of exploits on the platform would indicate that Apple is right in not choosing to rush these things.
10.5.7 was a big download and I hadn't got around to it yet. Shocked to find the fix wasn't offered at 10.5.6 so needless to say I have now done both.
I'd echo Muscleguy's comment that if there's no exploit then the tone of your article was scaremongering. But better safe than sorry.
Analysing the outcome of 6 months of unpatched Java, in hindsight, and excusing Apple's tardiness because nothing happened doesn't make much sense, does it? You wouldn't leave your front door wide open all day, every day simply because you're not aware of any burglars in the area.
Surely it's the fact that there COULD have been exploits developed at any point over the last 6 months that's important. That's the difference between proactive and reactive security... or in Apple's case inactive.
So, no need to patch unless there's an exploit? *REALLY* clever! This would be the famed Apple security would it?
Oh, of course, I'm forgetting that the blessed Steve *KNEW* that there wouldn't be an exploit for at least six months and so it was safe to do nothing. Get real - if there's a vulnerability you patch for it, you don't wait for it to be exploited.
"So, no need to patch unless there's an exploit? *REALLY* clever! This would be the famed Apple security would it?"
No. But the point is that it was easy enough to NOT have running which is what I did when the security alert came up. I don't have any reason to run it anyway and one would assume that those that did would be on some kind of trusted network anyway.