Does Apple's Java move mean a less secure Mac?
- 16 November, 2010 06:22
Security experts are split over whether Apple's decision to hand over Java to an Oracle-backed open-source project is a good deal for Mac users.
On Friday, Apple announced it would join Oracle's OpenJDK and contribute "most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X."
The move followed Apple's earlier decision to "deprecate" Java -- in other words, to stop bundling the software with Mac OS X -- in future versions of the operating system.
On Friday, Apple committed to continue shipping Java SE 6 with Mac OS X 10.6, aka Snow Leopard, and in the next edition, Mac OS X 10.7, known as Lion. The latter is set to launch in the third quarter of 2011. Apple will also patch Java SE 6 in those operating systems.
But Java SE 7, and all later versions of the software for Mac OS X, will come from Oracle, not Apple.
One security researcher thinks that would make Mac users less secure in the long run.
"Instead of having to worry about one thing being updated -- the operating system -- users will now have to worry about three things being kept up to date: the OS, Java and Flash," said Charlie Miller, an analyst with Baltimore-based Independent Security Evaluators (ISE) and co-author of The Mac Hacker's Handbook .
"This is what people on Windows have done, and I think history shows that people aren't very good at keeping these up to date," said Miller in an e-mail reply to questions about Apple deprecating Java. "Until now, out of the box, the browser could handle just about anything since Java and Flash were installed. Just updating the OS kept these up to date. [In the future], the browser won't handle many popular sites and if you download the plug-in, you have to worry about it getting out to date."
Apple has also decided to ditch Adobe's Flash Player , which like Java has been pre-installed on Macs. Apple has provided patches for Flash Player as part of its normal security updates, but may discontinue that practice as well.
Dino Dai Zovi disagreed with his The Mac Hacker's Handbook co-author.
"If Apple can't release patches at the same time that Oracle does, they should let Oracle do it," said Dai Zovi, a New York-based security consultant.
Dai Zovi pointed out that of the three most-exploited Java vulnerabilities in Windows, two could be used by attackers against Mac OS X with little modification. "In both cases, Apple released a patch for their Java in three to four weeks," he said. "This is after the vulnerability is public and penetration testing frameworks may release working exploits for them."
According to a manager at Microsoft's Malware Protection Center (MMPC), attempts to exploit Java bugs have skyrocketed in the past nine months, climbing from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter.
A few days later, Wolfgang Kandek, the CTO of Qualys, said his company's data showed that 40 per cent of the people running Java were using an outdated version . Kandek called on Oracle to work with Microsoft to distribute Java patches using the latter's Windows Update service.
Mac users should just say good riddance to Java, Dai Zovi added.
"Most Mac users do not need or even use Java, and this will make them safer than having large window of vulnerability in a plug-in that is being actively attacked through exploits that can easily be adapted to target Mac OS X," Dai Zovi said.
In an e-mail late last month, Dai Zovi called the Apple and Oracle deal weeks before Friday's announcement.
"I expect Oracle to completely neglect the Mac OS X port of Java and perhaps rely on the community-supported OpenJDK to serve these users for them," Dai Zovi said on Oct. 27 in response to Computerworld's questions about Java. "I hope that Oracle would manage a Mac OS X port as a first-class citizen, but I'm not holding my breath."