Apple Java update fails to address mega-flaw – researcher

Apple released a Java update on Wednesday but it does not tackle a high-profile flaw that has become the target of attacks over recent weeks. Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 offer patched versions of Java for OS X Lion and Mountain Lion systems that tackle CVE-2012-0547. But this is a different …

COMMENTS

This topic is closed for new posts.
  1. Aaron Em

    That's OK --

    -- Oracle's update didn't address it either, so I hear.

  2. Test Man
    Mushroom

    I just simply uninstalled it on my XP PC, Vista laptop and 7 netbook.

    On my new 7 64-bit laptop, Java will never touch it, ever.

    1. Anonymous Coward
      Anonymous Coward

      Do consumers really use it that much on any platform?

      I don't blame you! For my sins, my day job involves server-side Java development, but as a Windows and Mac user at home there aren't any Java applications that I use. It's not like you can even get a consistent cross-platform UI without writing your own Look&Feel and even then it's obviously a different kettle-of-fish to platform-specific applications. Cross platform toolkits only seem to work inconspicuously when they closely imitate the host system they're running on, otherwise it's a jarring experience. Why bother?

      1. Anonymous Coward
        Anonymous Coward

        Re: Do consumers really use it that much on any platform?

        I have no love of Java nor its many exploitable vectors. However, I must point out that SWT is an ingenious cross-platform solution since it uses the native controls on each.

        Perhaps you mean to suggest that any platform-agnostic program must be either different from its host, or different from other instances of itself. In which case, this is a no-win situation for all, not just Java examples.

        1. Anonymous Coward
          Anonymous Coward

          @AC re: SWT is ingenious

          So how do you use a Mac OS X NSSegmentedControl in SWT?

        2. BobaFett

          Re: Do consumers really use it that much on any platform?

          You are correct, any platform agnostic program is either different from the host or from instances of itself. This is quite evident using GTK or X-Window based apps on Macs, so it's not specific to Java. The problem lies in the fact that most cross-platform UI toolkits imitate the standard set of controls found in Microsoft Windows leaving little room for doing things differently other than doing something custom (and usually not fitting with user's expectations on the platform they are accustomed to).

          My main point was that, this being the case, writing cross platform apps with UIs that don't behave like normal native applications isn't particularly gratifying as a developer. Not to mention the fact that if you really want to do clever things with the file system, etc. you need to use the new File API in Java 7. Prior to that, you'll struggle not to end up writing native code. So personally, I'd rather just code to the operating system in ObjectiveC or .Net (apologies Linux) than settle for a sub-optimal cross-platform solution.

      2. ArmanX
        Facepalm

        Re: Do consumers really use it that much on any platform?

        A (thankfully small) part of my job involves working with (and trying to fix) a signed Java applet. Forget vulnerabilities, a signed Java applet can do almost anything to a computer. In XP, with an admin account, a signed applet can literally erase your drive. Without permission. It doesn't even have to be a "known" signer; all a user has to do is click "run", and away it goes. File system access, hardware access, anything that isn't locked down is toast.

        And yet people keep it installed. It's insanity, I tell you...

      3. toadwarrior

        Re: Do consumers really use it that much on any platform?

        Many IDEs are java based, most desktop sharing is java based so that covers businesses and some consumers.

        Then there is minecraft which is definitely popular with kids so there are definite reasons for businesses and consumers to be using java still.

      4. KroSha
        Unhappy

        Re: Do consumers really use it that much on any platform?

        Adobe Creative Suite requires Java. Which means that I have to have it on the Mac at home, as the LSOH occasionally does work from home.

  3. Anonymous Coward
    WTF?

    Erm...

    Mac OS X ships (even after the update) with Java SE 6, but I'm quite sure the mega-bug mentioned (CVE-2012-4681) applies only to Java SE 7.

    1. Peter Mount
      WTF?

      Re: Erm...

      Yes, you are right - Java 6 and earlier are not affected by that one, only Java 7 is.

      So the only way to have it on OSX is to be running a build of Java 7 that's not from Apple & tbh if you've got that installed then you'll most likely have got the patch on there as it's not a 'normal user' level thing to do.

  4. ChrisM
    IT Angle

    I think we are all agreed

    The only place for Java now in the world of IT is in a mug, piping hot, on your desk....

    1. Anonymous Coward
      Anonymous Coward

      Re: I think we are all agreed

      I'm tempted to feel the same way about Flash, but in its defence, its original intention was never the same as Java's. Are we all safer by going with HTML5? What do people think about Google's Native Client (NaCl)?

    2. Lars Silver badge
      Joke

      Re: I think we are all agreed

      Sadly some sites I use, use Java, and will not work properly without it. The suggestion to use another browser for those few sites was a good one. As such I have nothing against Java and as a programmer I have not really ever used it. The slowness, by Oracle, to respond seems to be the problem, otherwise we would have ceased to use computers, He he.

    3. Anonymous Coward
      Anonymous Coward

      Re: I think we are all agreed

      It's also in just about every shopping cart web app that has an Oracle database.

      What evs, I almost got fired over letting my boss know about this. "You are not part of the security group. I am sure that the security group will know about something like this well before it is published in the media, especially some cut-rate foreign web magazine."

      I only warned him because 3 years' worth of work and bad decisions have us using an old version of Java to create an in-house product with a web app front end that will replace an old mainframe app designed before most of the current internet was developed. We catch it, we are boned.

      1. Destroy All Monsters Silver badge

        Re: I think we are all agreed

        You are not talking about an Applet, so your point is moot. Could be your boss has a point.

  5. Chris Gray 1
    Alert

    how?

    I'm lazy, so instead of trying to do my own research on what's going on, I'm just going to ask, and hope someone will answer me. :-)

    I haven't used Java since 1.1, and have never used Javascript. However, my understanding is that Java has a fairly strong security model. It also doesn't have pointers, and checks all array references. So, how do all of these vulnerabilities work? Have the browsers, etc. put in too much JNI (Java Native Interface), so that the holes are not really in the Java virtual machine, but in native code stuff that it is letting programs access? Or, are these holes problems in the native code parts of the JVM? E.g. URL parsing or something?

    As for HTML5, my understanding is that that is all Javascript, just wrapped up a bit differently in web pages. And, Javascript doesn't even have a security model, last I knew! My tradition in the past was to have Javascript disabled, but I left Java enabled. Now both are disabled. My belief is that Javascript, however your browser gets to it, is the biggest single security hole related to web browsing, and likely always will be.

    1. Death_Ninja
      Black Helicopters

      Re: how?

      Yes Java has a sandbox which is supposed to make it safe....

      ...however the much talked about exploit breaks out of the sandbox.

      That's the simple story.

    2. Brewster's Angle Grinder Silver badge

      Re: how?

      I've not programmed Java for a long time. But it looks to be a weakness in the standard JVM. And because Java is pre-compiled it's possible to attack the "VM" directly. Flash suffers from the same problem.

      That kind of attack is not feasible against javascript because you only transmit the source. So attacking javascript means tricking the "interpreter" into generating code that then breaks out of its (internal) VM, or breaking out of the interpreter directly. It's doable, but much harder. And each of the main browsers has its own javascript engine. So javascript is less hackable (in that sense).

      I have mixed feelings about NaCl. The NaCl VM is the processor itself, so there is no way to attack it. Of course you could trick the code verifier, but that's a far simpler piece of software than a full VM, so less likely to suffer from bugs. The "Portable NaCl" adds a translation layer, so is a bit more complicated and as a result more likely to be subject to bugs.

  6. Dummy00001
    Facepalm

    And some prominent developers still insist that we should rewrite all software in Java or other managed languages. It's all about security and safety, they say, which one can never achieve with the C/C++.

    Well, I'm glad to see the people being repeatedly proven wrong.

    Worst part is of course the fact that the managed language VMs themselves become the targets. Considering complexity of e.g. Java VM I think we are going to have a bumpy road ahead.

  7. Matt Piechota
    Thumb Down

    "And some prominent developers still insist that we should rewrite all software in Java or other managed languages. It's all about security and safety, they say, which one can never achieve with the C/C++.

    Well, I'm glad to see the people being repeatedly proven wrong.

    Worst part is of course the fact that the managed language VMs themselves become the targets. Considering complexity of e.g. Java VM I think we are going to have a bumpy road ahead."

    I think there's a baby and bathwater issue here. If you write in C/C++, you're going to have pretty close to full access to the system (barred only by OS user permissions). With this Java flaw, you get pretty close to full access to the system (same user permissions as above). So Java, at worst case with a giant flaw, is as secure as C/C++ on a given system. The only issue I see is that people might feel "Java is secure" and run things they wouldn't normally run.

  8. Anonymous Coward
    Anonymous Coward

    Webex....is one applet use I can think of

    Webex uses Java. Which is a bit of a pain given that it always seems to fail on 10.7...

  9. Anonymous Coward
    Anonymous Coward

    Most mainstream sites, with the exception of a few e-banking sites don't need Java in order to work

    Of course this depends on what you mean by "work". Facebook and GMAIL (in standard view) for instance will not run or look as you'd expect them to, indeed, you have to switch to the HTML version of GMAIL to be even able to access it without javascript enabled.

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: Most mainstream sites...

        "And BBC IPlayer heavily relies on it so also won't work."

        By "it", do you mean "Java"? If so, then you're wrong. Works fine for me with no trace of the stuff.

        1. GreggS

          Re: Most mainstream sites...

          Try disabling your Java plugin (Chrome) and see what happens!

          1. This post has been deleted by its author

          2. Steve Foster
            FAIL

            Re: Most mainstream sites...

            I don't have Java installed at all on my PCs, yet the BBC iPlayer works just fine.

            (note that Java and Javascript are two different animals that happen to share similar syntax)

    2. Anonymous Coward
      Anonymous Coward

      Re: Most mainstream sites...

      Don't you love it when e-banking sites - for which security ought to be THE OVERRIDING goal - insist that you use insecure languages, techniques, or browsers?

      1. GreggS

        Re: Most mainstream sites...

        Is anything anywhere really secure when accessed over the Internet?

  10. Tim 11

    "Users could use an alternative browser for such sites after disabling Java on their main browser"

    hmm, so this could be one case when IE is safer than other browsers :-O (assuming nobody uses IE as their main browser of course)

    1. RICHTO
      Mushroom

      "Users could use an alternative browser for such sites after disabling Java on their main browser"

      IE9 is already safer than other browsers.

      1. ArmanX
        Trollface

        Re: "Users could use an alternative browser for such sites..."

        >IE9 is already safer than other browsers.

        To be fair, this is correct. IE9 *is* safer than other browsers. It's safer than IE 8, and IE 7, and IE 6... even Netscape 4! I'll bet it's even more secure than FireFox 1.5! Why, in another 10 years, I'll bet that IE will be as safe as today's browsers!

  11. Ken Hagan Gold badge

    Quick question

    Let's say I'm tempted to completely uninstall Java, but I'm worried that at some point in the last few years I might have installed some application that (at least in part) depends on a bit of Java code. (After all, presumably there was a reason it got installed in the first place, right?) In the absence of an easy way to identify such code, saying that the safest course of action is to ditch Java is surely just asking for millions of people to break applications in ways that might be really hard for a novice to diagnose and put right.

    So what is the easy way to check for civilians in the target zone before dropping that nuke from orbit?

    1. Anonymous Coward
      Anonymous Coward

      Re: Quick question

      Uninstall Java and see if anything doesn't work. It takes about 5 minutes to reinstall it if necessary. To be safe, disconnect from the Internet while doing this.

      1. Ken Hagan Gold badge

        Re: Quick question

        You are presuming that I (or any normal person) happen to have a comprehensive test suite for every program on my system. Your "to be on the safe side" suggestion presumes that none of the people who use the computer (not just me) depend on web-sites that use Java.

        Yes I know I can just break everything and wait for my users to perform the above testing by their random efforts *and* have the IT literacy to realise that their stuff doesn't work anymore because of something I did rather than something they did. I just wondered if there was a less Neanderthal approach.

        1. Anonymous Coward
          Anonymous Coward

          Re: Quick question

          Sorry, I assumed you were an individual user with a single PC. My mistake.

    2. Anonymous Coward
      Anonymous Coward

      Re: Quick question

      Suck it and see, reinstall if something breaks.

      Best of all, use it as an opportunity to make a fresh backup, then uninstall it. I removed Java some time ago, nothing cared, and I was glad not to have the updater polling the network and flapping about so much.
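For Ken Hagan's question above (how to spot the applications that depend on Java before removing it), the following is an added example, not code from any poster on this thread. It is a POSIX shell function that inventories a directory tree for the usual footprints of a Java dependency: .jar, .jnlp and .class files, plus small shebang scripts that invoke the `java`/`javaw` launcher. The directory argument and the "script that calls java" heuristic are assumptions of this example; a second, untested helper lists currently running Java processes via `ps`, which is the other sign that something on the box still needs the runtime.

```shell
#!/bin/sh
# Added example: inventory Java dependencies under a directory tree
# before uninstalling the runtime. Heuristic, not exhaustive.

# java_dependents DIR
# Prints one path per line for files under DIR that indicate a Java
# dependency: Java archives/classes and launcher scripts that call java.
java_dependents() {
    dir="$1"
    # 1. Java artefacts by extension.
    find "$dir" -type f \( -name '*.jar' -o -name '*.jnlp' -o -name '*.class' \) 2>/dev/null
    # 2. Small shebang scripts whose body invokes the java/javaw launcher.
    #    Only files under 64 KiB are read, so large binaries are skipped.
    find "$dir" -type f -size -64k 2>/dev/null | while read -r f; do
        case "$(head -c 2 "$f" 2>/dev/null)" in
            '#!')
                # "java" or "javaw" as a standalone word, e.g. "exec java -jar ..."
                if grep -Eq '(^|[^[:alnum:]_/])javaw?([[:space:]]|$)' "$f" 2>/dev/null; then
                    echo "$f"
                fi
                ;;
        esac
    done
}

# java_dependent_count DIR
# Number of dependents found; zero means nothing obvious under DIR needs Java.
java_dependent_count() {
    java_dependents "$1" | wc -l | tr -d ' '
}

# running_java
# Lists processes that are currently executing a java launcher (not part of
# the test; output depends on the live system).
running_java() {
    ps aux 2>/dev/null | grep -i '[j]ava'
}

# Usage (uncomment to run against a real tree, e.g. /opt or /Applications):
# java_dependents /opt
# echo "dependents: $(java_dependent_count /opt)"
```

Run it over the places applications actually live (Program Files, /Applications, /opt, user home directories) and keep the list next to the backup the poster above recommends: if something breaks after the uninstall, the list says where to look first.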

  12. Bradley Hardleigh-Hadderchance
    WTF?

    What was/is wrong with Java?

    Serious question.

    It seemed like such a great idea at the time. But from the start a lot of people were talking about security flaws. I know that it is used quite a bit on the enterprise server end of things and it seems it has found a few other niches too, reading what some have had to say about all this fuss.

    But was it inherently flawed from the start? If so, why? I am a failed programmer so don't have the depth of knowledge in this area, but I can understand a bit if it is explained to me. Was it the embrace and destroy of Microsoft - they didn't have that much to do with it surely? I remember writing my first Java code in VisualJ++ and being a bit miffed that it wouldn't run in Netscape Navigator at the time - ok in IE of course - cross platform - surely some mistake.

    Anyway, this is a simple question really, and if anyone who is in a position to explain could put it in layman's terms for me, I would be grateful.

    It seemed such a graceful language - I have a shelf or two of books - must have spent hundreds and hundreds of pounds on TYJ slabs of pulped wood. It made so much sense, it was powerful but not too dense. I ended up doing some quite useful servlet thingies with it, plus some basic graphics drawing code.

    I wanted to love it, but trigonometry got the better of me...

    "Don't know much trigonometry"....

    But that's just me being a thickie. Was Java doomed from the start, has it mutated into something new, is it considered a failure in the field?

    Thanks.

    1. This post has been deleted by its author

      1. This post has been deleted by its author

      2. asdf

        Re: What was/is wrong with Java?

        For more of the historical reasons why Java sucked early on:

        http://www.advogato.org/article/624.html

    2. asdf

      Re: What was/is wrong with Java?

      Well, putting aside the whole managed language debate (as a C++ dev, managed languages seem like tinker toys for freshouts, but I digress) Java's main problem has always been its steward. The reference JVM implementation put out by Sun and then Oracle has always been bloated, buggy, poorly written sh_t. The language itself, though it has some flaws (http://tech.jonathangardner.net/wiki/Why_Java_Sucks), is useful enough to largely own the mobile phone market (Dalvik VM a bit better, Java ME not so much) though.

      1. Destroy All Monsters Silver badge
        Megaphone

        Help me, Obi-Wan Kenobi! Non-Java languages on the JVM are my only hope!

        > managed languages seem like tinker toys for freshouts

        It's 2012. The fact that people still like their balls to feel the hard warm touch of the CPU instruction set and are still coding in C or C++ is NOT a testament to either - it mainly shows how fucked-up, conservative and driven by primate hindbrains this "industry" actually is. It's the anthropic C principle - it's still with us, so it must be good, right? No.

        > bloated, buggy, poorly written

        Opinions can be had for 15 cents at the next corner.

        > The language itself though it has some flaws is useful enough

        The language is useful enough, but that's faint praise. It doesn't seem to progress. It has lots of problems. Many cannot be solved because one needs to stay backward compatible. As for the API, it's generally adequate only and often rather HERP DERP. Just looking at java.util.Calendar will make you age by 10 years. It's that bad. Then people use it and also forget the synchronize keyword....

        And it's not getting better. JEE uptricks the program semantics with runtime and composition semantics, not to mention persistence semantics that are hard to grasp, resulting in JEE managed programs croaking with mysterious exceptions under mysterious circumstances. It's not pretty. No sir I don't like it.

        Java should be put out to pasture. The JVM can stay. There are lots of interesting languages for it.

        1. asdf

          Re: Help me, Obi-Wan Kenobi! Non-Java languages on the JVM are my only hope!

          >It's 2012. The fact that people still like their balls to feel the hard warm touch of the CPU instruction set and are still coding in C or C++ is NOT a testament to either - it mainly shows how fucked-up, conservative and driven by primate hindbrains this "industry" actually is. It's the anthropic C principle - it's still with us, so it must be good, right? No.

          Automagical is for people who think by writing a dozen lines or whatever they can create an instance of IE and skin and they have made their own browser. Regardless we can agree to disagree.

          >Opinions can be had for 15 cents at the next corner.

          > The JVM can stay. There are lots of interesting languages for it.

          Really, do I really have to go find the dozens of CVEs with the highest severity for the JVM in the last few years alone to back up my claim? If the JVM was so great we wouldn't be discussing this article. Even Micro$oft did a better job with their VM imho.

          >The language is useful enough, but that's faint praise. It doesn't seem to progress.

          I agree on this.

    3. Ken Hagan Gold badge

      Re: What was/is wrong with Java?

      "Was Java doomed from the start, has it mutated into something new, is it considered a failure in the field?"

      It was not doomed from the start. As a programming language, Java was (and remains) very conventional, with no ground-breaking features. However, the JVM had a provably correct execution model that (if correctly implemented) would have permitted running untrusted code (think: web pages) without compromising the security of the client. That was and remains a desirable feature.

      It *has*, however, mutated into something new. Hardly anyone uses Java on the client side anymore. Consequently, no-one bothers to implement the security model correctly and so we are left with a conventional programming language used for conventional applications but with a gratuitous layer between the code and the actual hardware. Quality of implementation in Java-land is a euphemism for just how much of that gratuitous layer can be optimised away. The answer is "most, but not all".

      It isn't a complete failure in the field, but it has certainly had its day. Since it no longer pretends to be a client-side language, its main claim to success must surely be the extensive libraries it can tap into. However, both Android and C# have demonstrated that a large company can make extensive libraries available to any new language they come up with. The fact that Java already has these libraries is nice, but it isn't a compelling argument. (Fortran has lots of numerical libraries, but coders in various other languages can use them too, so no-one chooses Fortran just to use the libraries.)

  13. Mikel
    Facepalm

    Water still wet!

    To the Romerocopter!

  14. Andrew Hodgkinson
    FAIL

    Publish a retraction or update, please

    As only one other poster, remarkably, has pointed out, the "megabug" is in Java 7 only.

    Apple stopped supporting Java in-house at Java 6. Development was transferred to Oracle who are entirely responsible for Java 7. Apple's recent update patches currently known vulnerabilities in Java 6. It's up to Oracle to patch Java 7.

    1. DerekCurrie
      FAIL

      Re: Publish a retraction or update, please

      Further Details:

      Apple and Oracle have made the Java JRE for OS X into an open source project with both companies providing support. Apple had originally planned to drop out of providing Java updates to OS X users. For now, Apple is remaining in the supply chain, forwarding updates for ONLY the Java 6 JRE as required.

      Meanwhile, the JRE of Java 7 for OS X is available only through Oracle. The only reason OS X users would want the Java 7 JRE would be for specific projects or applications that require it. As has been noted in the thread, at this time there is NO safe version of Java 7 for browsing the Internet. Therefore, if you installed Java 7 on ANY platform, turn Java 7 OFF while browsing the Internet, or only turn it on ONLY at trusted websites, or UNINSTALL Java 7 entirely.

      (JRE = Java Runtime Engine, the part of Java that is specific to any particular operating system).

  15. Bradley Hardleigh-Hadderchance
    Happy

    Thanks for the 'pointers'

    Silly programmers joke. You might not get it ;-)

    I fear I am the one that does not get it after all.

    But thanks to asdf and Ken Hagan.

    Most informative.

    That's why my next programming language shall be written in CGI (Non-programmers joke ;-{)

    I loved it when I was programming Java. Perl was my next favourite - God I loved Perl - I must be a weirdo.

    I have K&R in my garden shed under lock and key (not that I am worried about anyone nicking it - it's more the lawnmowers and spades [Just to clarify: small shovels - I'm not into that human trafficking shit ;-]) I am worried about.

    But it's like they don't say: once a failed programmer, always a failed programmer.

    Though I have lots of programmer friends, members of the CCC and Reversers too...

    I was top of my class at school, but bottom at maths... maybe there is a correlation...

    Anyway, thanks for the interesting read, that's why I love the REG.

  16. DerekCurrie
    Facepalm

    CORRECTION: The CVE-2012-0547 'mega-flaw' does NOT affect Apple's Java update

    This article by The Register is INCORRECT. This was pointed out previously in the comments thread.

    Please allow me to teach you how to discover the CORRECT information:

    The 'mega-flaw' in Java 6, is described in CVE-2012-0547. You can read the CVE description HERE:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0547

    "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited."

    Note that this security hole is specific to Java 6 Update 34 and earlier as well as Java 7 Update 6 and earlier. In response to this security hole, Oracle rushed out two patched versions of Java: Java 6 Update 35 and Java 7 Update 7. Apple then forwarded Java 6 Update 35 to its OS X users.

    NO further security holes have been found in Java 6 Update 35 at this time.

    UNRELATED to Java 6 was the discovery of a further Java security hole described in CVE-2012-4681. This vulnerability is ONLY in Java 7 Update 6 and earlier, NOT Java 6, as is evident in the CVE report found HERE:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681

    "Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier..."

    Also UNRELATED to Java 6 was the discovery of a new security hole in Java 7 Update 7, discovered by Security Explorations. So far, it does not have a CVE report. You can read about it HERE:

    http://seclists.org/fulldisclosure/2012/Aug/388

    "Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012)."

    In fact, the ONLY secure version of Java being distributed at this time is Java 6 Update 35, the version Apple is currently providing to OS X users. There is currently no secure version of Java 7.

    Learning about and reading CVE reports is easy. Below are links to the Wikipedia article about CVEs as well as the link to the CVE website. You can search for any CVE report using the 'SEARCH' link at the top right of the CVE home page.

    http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

    http://cve.mitre.org/
