Does Apple's Java move mean a less secure Mac?

Security experts take sides over Java patching

Security experts are split over whether Apple's decision to hand over Java to an Oracle-backed open-source project is a good deal for Mac users.

On Friday, Apple announced it would join Oracle's OpenJDK and contribute "most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X."

The move followed Apple's earlier decision to "deprecate" Java -- in other words, to stop bundling the software with Mac OS X -- in future versions of the operating system.

On Friday, Apple committed to continue shipping Java SE 6 with Mac OS X 10.6, aka Snow Leopard, and in the next edition, Mac OS X 10.7, known as Lion. The latter is set to launch in the third quarter of 2011. Apple will also patch Java SE 6 in those operating systems.

But Java SE 7, and all later versions of the software for Mac OS X, will come from Oracle, not Apple.

One security researcher thinks that would make Mac users less secure in the long run.

"Instead of having to worry about one thing being updated -- the operating system -- users will now have to worry about three things being kept up to date: the OS, Java and Flash," said Charlie Miller, an analyst with Baltimore-based Independent Security Evaluators (ISE) and co-author of The Mac Hacker's Handbook .

"This is what people on Windows have done, and I think history shows that people aren't very good at keeping these up to date," said Miller in an e-mail reply to questions about Apple deprecating Java. "Until now, out of the box, the browser could handle just about anything since Java and Flash were installed. Just updating the OS kept these up to date. [In the future], the browser won't handle many popular sites and if you download the plug-in, you have to worry about it getting out to date."

Apple has also decided to ditch Adobe's Flash Player , which like Java has been pre-installed on Macs. Apple has provided patches for Flash Player as part of its normal security updates, but may discontinue that practice as well.

Dino Dai Zovi disagreed with his The Mac Hacker's Handbook co-author.

"If Apple can't release patches at the same time that Oracle does, they should let Oracle do it," said Dai Zovi, a New York-based security consultant.

Apple has been repeatedly knocked for taking months to patch Java and Flash vulnerabilities that Oracle and Adobe had fixed long before.

Dai Zovi pointed out that of the three most-exploited Java vulnerabilities in Windows, two could be used by attackers against Mac OS X with little modification. "In both cases, Apple released a patch for their Java in three to four weeks," he said. "This is after the vulnerability is public and penetration testing frameworks may release working exploits for them."

Last month, Microsoft 's malware center said it has tracked an "unprecedented wave" of exploits targeting Java bugs in the first nine months of the year.

According to a manager at Microsoft's Malware Protection Center (MMPC), attempts to exploit Java bugs have skyrocketed in the past nine months, climbing from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter.

A few days later, Wolfgang Kandek, the CTO of Qualys, said his company's data showed that 40 per cent of the people running Java were using an outdated version . Kandek called on Oracle to work with Microsoft to distribute Java patches using the latter's Windows Update service.

Mac users should just say good riddance to Java, Dai Zovi added.

"Most Mac users do not need or even use Java, and this will make them safer than having large window of vulnerability in a plug-in that is being actively attacked through exploits that can easily be adapted to target Mac OS X," Dai Zovi said.

In an e-mail late last month, Dai Zovi called the Apple and Oracle deal weeks before Friday's announcement.

"I expect Oracle to completely neglect the Mac OS X port of Java and perhaps rely on the community-supported OpenJDK to serve these users for them," Dai Zovi said on Oct. 27 in response to Computerworld's questions about Java. "I hope that Oracle would manage a Mac OS X port as a first-class citizen, but I'm not holding my breath."

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleMac OSapplicationssecuritysoftwareoperating systemsIndependent Security EvaluatorsOracle

More about Adobe SystemsAppleApple.BaltimoreMacsMicrosoftMPCOracleQualys

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts