Recent Apple Java Update Doesn't Fix Critical Java Flaw Claims Researcher

Posted by samzenpus
from the try-again dept.
hypnosec writes "Just yesterday Apple released updates to fix Java vulnerabilities, but it seems the patch doesn't actually target the recently discovered high-profile Java bug that has been the talk of the web during the last two weeks. The two updates, Java for OS X 2012-005 for OS X Lion and Java for Mac OS X 10.6 Update 10 for Mountain Lion, are meant to tackle the vulnerability described in CVE-2012-0547. But according to KrebsOnSecurity, it seems Cupertino hasn't addressed the recent mega-vulnerabilities in Java as described in CVE-2012-4681." Update: 09/07 12:00 GMT by S : As readers have pointed out, these updates address flaws in Java 6, which is the version Apple maintains. The recently-reported Java vulnerabilities primarily affect Java 7, the patching of which is handled solely by Oracle. Nothing to see here.
  • by Anonymous Coward

    Isn't it Oracle's job to maintain Java on OS X now that Apple kicked it to the curb?

    • by fm6 (162816)

      Not sure what you mean by "kicked to the curb", but OS X Java is still maintained by Apple.

      • Re:Huh? (Score:4, Informative)

        by kybred (795293) on Thursday September 06, 2012 @08:43PM (#41255613)

        Not sure what you mean by "kicked to the curb", but OS X Java is still maintained by Apple.

        Not completely. Apple maintains Java for Mac OS X through version 6. Oracle took over starting with version 7. It's not clear how long Apple will continue to provide updates for version 6, though.

        Apple stopped including it as a default install with Lion (Mac OS X 10.7), I believe.

        • Re:Huh? (Score:4, Interesting)

          by fm6 (162816) on Thursday September 06, 2012 @08:58PM (#41255733) Homepage Journal

          I stand corrected. About 18 months ago, I was writing the installation docs for a Java application that had to run on Mac, and I went to rather a lot of trouble to find out how to configure Java on the Mac. (The main reason I got the job: they'd had bad experiences with users on various platforms who didn't understand Java runtime idiosyncrasies.) I was actually quite impressed by the way OS X support for Java worked — very elegant and carefully thought out.

          Now I suppose my work will have to be thrown out and replaced by the cruder procedures Oracle uses. Oh well.

  • Story is misleading. (Score:5, Informative)

    by Anonymous Coward on Thursday September 06, 2012 @07:28PM (#41254907)

    Except that Apple has never even installed Java 7 to be vulnerable. This is an update to their Java 6, so the story is bogus.

    It's Oracle's job to handle Java 7 on Mac; Apple is only dealing with up to 6.

  • by sasparillascott (1267058) on Thursday September 06, 2012 @07:40PM (#41255023)
    While the Apple update doesn't fix the v7 vulnerability, it shouldn't as the Apple Java is v6 which supposedly doesn't have it (or some part of it). So this seems to make sense. To get v7 on a Mac you have to go out of your way and download v7 from Oracle separately.
  • Garbage story (Score:4, Informative)

    by Anonymous Coward on Thursday September 06, 2012 @07:43PM (#41255055)

    Apple doesn't ship Java installed by default... but if you do install it, it's Java 6. The "unpatched" vulnerability in the summary only affects new Java 7 functionality and does not affect Java 6.

  • ...is that CVE-2012-4681 uses a vulnerability during Applet execution.

    Apple's Java for OS X 2012-005 [apple.com] disables all browser Applet support, and if re-enabled by the user, will automatically disable it again if it goes unused for 35 days. The Java for Mac OS X 10.6 Update 10 [apple.com] release appears to go a step further, and disables applets in browsers until they are clicked on explicitly by users, along with disabling the applet plug-in if unused for 35 days.

    So while I'm presuming the vulnerability does still exist

    • by fm6 (162816)

      You can't take advantage of the vulnerability if you can't run any applets

      Not true.

      http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136112.html [oracle.com]

    • by _xeno_ (155264)

      ...is that CVE-2012-4681 uses a vulnerability during Applet execution.

      Not quite. Applets are the most likely infection vector, but the vulnerability exists in any Java code.

      Basically, what CVE-2012-4681 does is let untrusted Java code turn off the Java sandbox. Applets are about the only Java code where the sandbox is likely to be enabled by default, but there are scenarios where the sandbox is used by non-applet code. (As an example, in a Java servlet environment (think Java CGI), the individual pages might be run in the Java sandbox.)

      Which means that, for the most part, th

      • As an example, in a Java servlet environment (think Java CGI), the individual pages might be run in the Java sandbox.

        Java servlets are running on the server side, which makes this a moot point. The client side isn't running any Java code for a servlet and the client's JVM (if present) is never invoked.

        Unless, of course, the page hosts an applet, but you already discussed applets.

        • by _xeno_ (155264)

          Java servlets are running on the server side, which makes this a moot point.

          Not if it's your server. For example, say you're a hosting provider, and offer hosting of Java servlets. Tomcat provides an option to enable the Java sandbox for embedded servlets, and the vulnerability being discussed would allow them to bypass it. If the servlets are being provided by potentially hostile sources, that's a problem.

          I can't really think of any other scenarios where the Java sandbox is enabled (other than Java Web Start, I suppose, which are basically "applets" by another name). The point rem
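What _xeno_ describes in the two posts above (untrusted code, whether an applet or a sandboxed servlet, switching the Java sandbox off) comes down to one permission check. The following is an added example, not code from this thread or from Oracle, Apple or Tomcat: it installs a constructed SecurityManager and shows what it refuses, including the request to remove the manager itself. It assumes Java 8 to 17; from Java 18 a manager can only be installed with -Djava.security.manager=allow.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.Permission;

public class SandboxDemo {

    // Constructed, deliberately minimal manager: it denies file-system access
    // and the RuntimePermission needed to remove or replace the manager itself.
    // Everything else is allowed so incidental JVM checks do not get in the way.
    static final class DemoSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission) {
                throw new AccessControlException("sandbox: file access denied", perm);
            }
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new AccessControlException("sandbox: manager is locked", perm);
            }
        }
    }

    // Runs an action as "untrusted" code and reports whether the sandbox stopped it.
    static boolean blocked(String label, Runnable action) {
        try {
            action.run();
            System.out.println(label + ": ALLOWED");
            return false;
        } catch (AccessControlException e) {
            System.out.println(label + ": denied (" + e.getMessage() + ")");
            return true;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new DemoSecurityManager());

        // A sandboxed applet or servlet listing the user's home directory: denied.
        blocked("list home directory",
                () -> new File(System.getProperty("user.home")).list());

        // The check CVE-2012-4681 bypasses: with the manager in place, untrusted
        // code asking to switch it off is refused. Losing this one check means
        // losing every other check as well, which is why the bug is rated so severely.
        blocked("disable sandbox", () -> System.setSecurityManager(null));
    }
}
```

Both calls print "denied"; a JVM where the second one prints "ALLOWED" has no meaningful sandbox left, whatever its file or network policy says.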

  • by Anonymous Coward on Thursday September 06, 2012 @08:12PM (#41255323)

    Hey Editors, you've been trolled. The "mega-vulnerabilities" described in CVE-2012-4681 don't even apply to the version of Java Apple ships. Do some homework before jumping on the bandwagon next time.

    • The janitors running this site can't even be bothered to read submissions over for spelling and grammar mistakes.

    • by Jesus_666 (702802)
      Oh come on, you apologist. Stop splitting hairs.

      Apple missed a lot of serious issues with this Java patch. The JRE7 security flaw. iOS text message spoofing. The Pentium FDIV bug. The Prius stuck accelerator problem. PHP's inherent design flaws. Unity.

      I salute the efforts of Mr. What'shisname to warn us of Apple's disastrous negligence. Now if you'll excuse me, I'm off to demonstrate against the Vatican for not having achieved break-even with fusion power yet.
  • by WD (96061) on Thursday September 06, 2012 @08:45PM (#41255629)

    CVE-2012-4681 is a vulnerability that affects Java 7. Apple has only ever provided Java 6 with OS X, and with recent OS X versions, it's not even included by default. So it's pretty silly to make a sensational story that calls out Apple for not addressing CVE-2012-4681 in their update to Java, since they're not even affected by it.

    For more details, see: http://www.kb.cert.org/vuls/id/636312 [cert.org]

  • by DeadboltX (751907) on Thursday September 06, 2012 @09:10PM (#41255819)
    The bug described in CVE-2012-4681 [mitre.org] affects Java SE 7. OS X uses Java SE 6. It would be a little weird if they patched Java SE 6 for a bug that doesn't exist in Java SE 6.
  • Why would anyone want to use Java anyway?
    It was all promises, and now we know they were lies.
    There are better alternatives like perl, python and ruby.

  • Finally they did Snow Leopard as well! You know, that OS that most Mac users are currently using?

    They still haven't released Safari 6 for Snow Leopard or released Safari 5.1.8 etc to address the 121 fixes that Safari 6 brought to Lion. That's a huge problem. I'm very happy they fixed Java but why did they bother when Safari 5 is loaded with so many other flaws they won't bother fixing?
