Why did it take Apple six weeks to fix critical Java exploit?

By Stewart Mitchell

Posted on 4 Apr 2012 at 08:36

Apple has been criticised for taking six weeks to fix a Java flaw that was being openly exploited by criminals.

The Mac maker has come under fire from security experts for failing to react more quickly to the problem – a Java vulnerability so serious that security company F-Secure and other security vendors recommended disabling Java.

The patch arrived days after drive-by exploits were seen in the wild and the vulnerability was included in blackhat exploit kits available online.

“After leaving Mac users vulnerable for more than six weeks, Apple has finally released a new version of Java for OS X 10.6 and 10.7,” wrote Chester Wisniewski on the Sophos blog.

The release updates Java to Version 6, Update 31, which Oracle released for Windows, Linux and Unix on 14 February, leaving security professionals questioning Apple's commitment to protecting its users.

“This does make you wonder whether Apple takes security as seriously as it should,” Wisniewski said. “Perhaps its public facing image of being invulnerable is the prevailing attitude within the company.

“Why Apple did not deploy these fixes before Mac users were victimised by criminals is unclear.”

The fix addresses the Java vulnerability known as CVE-2012-0507 and is available from the Apple security update centre.

Apple declined to comment on why it took so long to respond.

User comments

It's the way it's always been

It's no excuse, but it is the way it's always been on OS X. I think we had to wait around 8 months to get Java 6 (IIRC).

10.8 was also updated to Version 6, Update 31, though most people wouldn't see that.

It is strange, I thought Apple had handed Java control on OS X over to Oracle?

By forquare1 on 4 Apr 2012

Apple don't need to try too hard

Because their fan-bois will buy their products no matter how shoddy, how overpriced or how bad the customer support.

By qpw3141 on 4 Apr 2012

Patience, patience ...

Having used a Mac for 25 years and only ever had a virus from PC Word files, I never get tired of seeing these PC-biased scare stories.
Apple simply make sure that when they do patch things they do it right.

And don't keep calling people like me "Fanbois" - I've used PCs for 30 years and they have always been inferior in design and usability, never mind the non-intuitive interface - unless you wanted to use them for 'scientific' purposes. All the Macs I have had also lasted twice as long as the PCs and without the high maintenance, so 'shoddy' is a joke qpw3141.

It is ironic that PCPro never had anything positive to say about Apple products until the last few years, but now has to report frequently in a positive mode.

Let's hope MSoft and Co. catch up soon on the gesture tablet interface that has so decimated the laptop market.

By marland on 4 Apr 2012

@marland

I've been using PCs for over 25 years and had 0 viruses. Not one.

I've also had my current PC since 2004 (originally XP based) and just tested Windows 8 on it.

By JStairmand on 4 Apr 2012

@marland

I've been using PCs for over 30 years and Macs since 1984.

To be honest, my current Mac (2006) isn't old enough yet to say whether it will last longer than a PC.

My firewall is running on a 1992 vintage PC, my old laptop is still doing sterling service (2004 Acer) and the previous one's battery stopped working in 2008, but the laptop itself is fine (2000 vintage Advent from PC World).

None of them have needed anything in the way of maintenance, other than the usual automatic updates, whether it be Linux, Windows or OS X, I haven't experienced any difference in support and maintenance requirements.

The iMac is running dog slow since Snow Leopard and Lion came out - although I am beginning to think that the hard drive might be on its last legs.

As to the "scare" stories, the point in this case is that the exploit has been actively exploited, specifically on the Mac, for several weeks, with the trojan installing itself and hijacking the browser. Good, it tries to trick the user into authorising a certificate (enter admin password to allow it to instal itself globally on the machine).

By big_D on 4 Apr 2012

@marland

Who's talking about a virus, Marland? This article is written about vulnerabilities in the implementation of Java on OS X, which meant that your (and my) shiny, well designed and intuitive Mac was vulnerable to attack from potentially any source of java code (website for example) which you may have unwittingly exposed your computer to.

No need to install anything new, no need to click on any warning dialogs and no need to offer up any elevated user rights. Just a wide open door.

Unless you never browse the interweb, then your Mac was just as vulnerable as all of those inferior Windows boxes, with the exception that six weeks after the discovery of the vulnerabilities, your Mac was STILL at risk while the PCs had all long since been patched.

It is not just about getting it right, it is about doing it in a timely fashion and not showing a frankly offensive level of contempt and disdain for your customers.

Ignorance may be bliss, but blind ignorance is foolhardy.

By PaleRider on 4 Apr 2012

@marland

It's funny how the worst fan-bois NEVER realise that they are fan-bois and ALWAYS take most offence at the epithet.

By qpw3141 on 4 Apr 2012

@JStairmand and big_D

Anyone who contracts a virus from a Word file really isn't worth paying attention to.

By TheHonestTruth on 4 Apr 2012

Comment deletion

Are the mods wantonly deleting posts, or is the forum software misbehaving yet again?

By PaleRider on 4 Apr 2012

Oh good God!

I guess it's a bungled attempt to prevent multiple postings from refreshes, but what it does is prevents posters from reading posts in threads to which they have posted until they post again.

Pay peanuts, get monkeys.

By PaleRider on 4 Apr 2012

Dennis are weird

They insist on using this abysmal forum software when there is perfectly good software available. No mark-up, no preview, no editing mistakes, absurdly small edit box, and problems with being unable to see comments that are actually there.

By qpw3141 on 4 Apr 2012

balance

I don't think pc pro can be accused of bias against macs - they love 'em! It's good to point out when companies screw up. As I see it the main problem with macs is that you can't take the thing apart and change what's gone wrong.

By janerog on 4 Apr 2012

@ qpw3141

This is not a forum, it's a comments section.

By lokash20 on 4 Apr 2012

The article said days not weeks

Apple patched the vulnerability once it was an actual threat. Would it have been better to have patched 2 days ago? Sure! But the bottom line is that Apple is reacting to the threat at the speed it needs to to keep its users safe (most of the time).

Apple is removing Java from its default install to put this back on Oracle.

By dpetrosky on 5 Apr 2012

@dpetrosky

2 days after it was known that there was an exploit, but they had had 6 weeks in order to release that patch, so that users wouldn't have been susceptible to the exploit in the first place.

I'm sure you'd react differently if a car manufacturer knew there was a problem with the braking system and waited until the first cars started crashing before doing a recall...

By big_D on 5 Apr 2012

600,000 infected

http://www.zdnet.com/blog/security/over-600000-macs-infected-with-flashback-trojan/11345

According to Dr. Web, over 600,000 Macs are currently infected with Flashback, with over 12% being in the UK.

The FlashBack trojan steals usernames and passwords

By big_D on 5 Apr 2012

Java no longer shipped

Let's make one thing clear. Neither Microsoft or Apple ship Java as part of the default OS install anymore, so this flaw doesn't impact out-of-the-box versions of either OS.

That also means PCs were not 'all patched' weeks ago. My work PC definitely isn't, as we block all vendor auto-updates, so my Java is out-of-date. I don't think we are unique - most IT organisations like to control updates, in case a vendor update is incompatible with a business critical system.

That said, most PCs don't have Java installed either, particularly anywhere with a strong IT department (we run up against the no plugin mentality a lot). Which is why no significant website uses Java applets - you can't rely on the client having Java installed, or the admin rights to install it.

So this whole story is exaggerated - only a small percentage of machines were vulnerable: those that had installed the optional Java plugin.

As for how long it took the patch to be shipped - how many people commenting here actually write software for a living? And presumably this is why Apple are ditching their fork of Java, in favour of OpenJDK. (Which won't integrate as nicely with the operating system, but will be 'up to date' in the Java sense).

As for fan-bois - I don't use a Mac because they're more secure - although it's a nice benefit. I use it because I find it to be better (I spend all day coding on Windows, I've been using computers for 30 years, and only got a Mac in 2006. Of course, as soon as you buy one, your opinion of them is instantly regarded as biased by PC owners - a significant number of whom still seem to regard Macs as the emperor's new clothes).

By JulesLt on 5 Apr 2012

@lokash20

"This is not a forum, it's a comments section."

That's a rather stupid comment because a 'comment section' is nothing more than the forum software bolted on to a short article header. It is quite clearly used in exactly the same way as a forum.

Dennis use the exact same grotty software for what they actually call a forum - if that makes you any happier.

By qpw3141 on 5 Apr 2012

@JulesLt

Of course when people see a fanboi they tend to disregard their comments because they are generally obsessive zealots.

There are many people using Macs and many people using both Macs and PCs who aren't fanbois. Most of them are quite normal users.

You can identify the fanbois because they become butt hurt the instant anything in the slightest bit derogatory is said about their fetish and make fools of themselves trying to spin the problem away.

They also have the weird attribute (in the context of computers) that they spend their time using 'A Mac' or 'A PC'. Normal users spend their time using a browser, WP package, email client, development IDE, etc. But fanbois are not doing this, they are using their 'X machine' and delighting in how much better it is than those poor fools using their 'Y machines'. It's rather sad, really.

By qpw3141 on 5 Apr 2012

Programmer

I am commenting, and I write software, professionally and full-time, and have done so for decades, thank you very much.

e-wang waving is not a pretty sight though, and nor are internet pissing competitions, so since this is an informal comments section (and obviously not a forum! :-) ) a contributor's credentials are meaningless and cannot be verified, so perhaps we ought to leave them at the door.

Wintel at work and Mactel at home, by the way.

By PaleRider on 5 Apr 2012

Once again

I can't now read the comments in this silly sodding software unless I post another (pointless) comment. Sorry.

By PaleRider on 5 Apr 2012

@JulesLt

I write software for a living, well I did, I now manage several development teams...

By big_D on 5 Apr 2012

@ qpw3141

Your comments paint you as the biggest fanboy in this "forum"! You came out with troll flames right out of the gate on this one! Is that a Zune in your front shirt pocket?

By georgeh on 5 Apr 2012

@georgeh

FYI:

A 'fan-boi' is someone who has an obsessive and excessive attachment to a company or product.

It is not someone who finds fan-bois annoying.

You'll need to think up your own word for that. ;)

By qpw3141 on 5 Apr 2012

PCPro-Computing in the Real World Printed from www.pcpro.co.uk