
Apple Slow To Fix Java Flaws

Instructions showing wannabe Mac-hackers a way to remotely take control over OS X systems through an unpatched security hole have been posted online. The researcher who published the blueprints said he did so to nudge Apple into fixing the problem, which the company has known about for more than six months. But Security Fix has found that half a year is about the average time it takes Cupertino to plug these types of holes.

On Tuesday, renowned Apple researcher Landon Fuller published a proof-of-concept exploit for a particularly dangerous bug in Java that Sun Microsystems fixed in a patch released Dec. 3, 2008. However, Apple -- which ships its own version of Sun's Java with OS X -- has yet to push out an update to fix that particular flaw.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller wrote on his blog. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

Six months may seem like a long time to address a particularly dangerous vulnerability, but it's about par for the course with Apple and its record on patching Java flaws. I have reviewed the last three Java updates that Apple shipped during the past 18 months, and found that Apple patched Java flaws on average about 166 days after Sun had shipped its own patch to fix the same vulnerabilities.

I put together a rudimentary chart comparing Sun and Apple's Java patch times for the last three Java for Mac releases, available here:

HTML Version

Microsoft Excel version
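The "time to patch" figure above is the gap between the day the upstream vendor (Sun) shipped a fix and the day the downstream vendor (Apple) shipped its equivalent, averaged over releases, with a still-unpatched bug accruing lag up to the day you look. The script below is an added example, not the article's chart or Apple's data: the first row uses the two dates the article gives (Sun's Dec. 3, 2008 patch and the May 22, 2009 publication date, with no Apple fix yet), and the other rows are constructed placeholders, not real release dates.

```python
from datetime import date
from statistics import mean

# Constructed sample rows: (label, upstream fix date, downstream ship date or None if unpatched).
# Row 1 uses the article's dates; rows 2 and 3 are invented placeholders, not Sun's or Apple's
# actual release history.
SAMPLE = [
    ("java-bug-in-article", date(2008, 12, 3), None),
    ("placeholder-release-A", date(2007, 10, 3), date(2008, 2, 14)),
    ("placeholder-release-B", date(2008, 3, 4), date(2008, 9, 24)),
]

# The article's publication date: an unpatched entry is measured up to this day.
AS_OF = date(2009, 5, 22)


def patch_lag_days(upstream, downstream, as_of):
    """Days between the upstream fix and the downstream ship date.

    An entry with no downstream fix yet is an open exposure window, so its lag
    is measured to `as_of` and keeps growing until a patch ships.
    """
    end = downstream if downstream is not None else as_of
    return (end - upstream).days


def lag_report(entries, as_of):
    """Per-release lag plus the mean over releases that actually got a patch."""
    rows = [
        {
            "label": label,
            "lag_days": patch_lag_days(upstream, downstream, as_of),
            "patched": downstream is not None,
        }
        for label, upstream, downstream in entries
    ]
    patched = [r["lag_days"] for r in rows if r["patched"]]
    return {
        "rows": rows,
        # Only shipped fixes count toward the average; open windows are listed separately
        # so an unpatched bug cannot be hidden inside a mean.
        "mean_patched_lag": mean(patched) if patched else None,
        "open_exposures": [r for r in rows if not r["patched"]],
    }


def over_threshold(report, max_days):
    """Labels of releases (patched or not) whose lag exceeds a chosen service-level target."""
    return [r["label"] for r in report["rows"] if r["lag_days"] > max_days]


def article_report():
    """Run the report against the constructed sample as of the article's date."""
    return lag_report(SAMPLE, AS_OF)


if __name__ == "__main__":
    report = article_report()
    for row in report["rows"]:
        state = "patched" if row["patched"] else "STILL OPEN"
        print(f"{row['label']:24} {row['lag_days']:4d} days  {state}")
    print("mean lag over patched releases:", report["mean_patched_lag"])
    print("exceeding a 90-day target:", over_threshold(report, 90))
```

The one design point worth keeping when tracking a vendor's patch latency this way is to report open exposures separately from the mean: averaging only shipped fixes describes the vendor's history, while the unpatched row is the number that matters to anyone deciding whether to disable the component in the meantime.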

Fuller's blog includes some workarounds that Mac users can take to mitigate any threat from this vulnerability until Apple issues a patch. Researcher Julien Tinnes also has an extended discussion about the dangers of this vulnerability, and a decent back-and-forth between readers, over at his blog.

Please join me today at 11 a.m. ET for Security Fix Live, where I will endeavor to answer your questions on all things security, tech and privacy related. Drop by then, or send me a question in advance. Curious what we've discussed in previous chats? Check out the Security Fix Live archives. See you then!

By Brian Krebs  |  May 22, 2009; 7:15 AM ET
Categories:  From the Bunker , Safety Tips  | Tags: apple, java, landon fuller, time to patch  

Comments

You are making too much of this. Apple is not Microsoft; it never had truly awful security for a decade like Microsoft did, nor does Apple have hundreds of thousands of active malware, virus and worms in existence. So, Apple doesn't have to panic. It can take a measured course.

Apple periodically upgrades its security. If anything looks like an immediate problem, then it gets a security upgrade. If the problem seems academic or theoretical, then Apple waits for the next major software release. This appears to be its pattern for java vulnerabilities.

So far, this process has worked. Only anti-virus vendors and their loosely connected media have problems with Apple's system. Neither the Mac users nor the malware writers are actively involved.

Sure, there are vulnerabilities, but they are very difficult to duplicate or mass promote like on Windows now. There are reasons why Apple is not making a major push. The next version of Mac OSX will be Snow Leopard 10.6 which is expected to be released in two to five months.

Apple wants to push us into buying it, so getting improved security upgrades may be part of its plans. Unlike Windows users, we Mac users tend to buy upgrades. Mac OSX 10.5 was issued in October 2007 and is on its seventh update. 93% of Mac users are on this version, 19 months later. Vista, issued nine months earlier, is at about ten percent.

Snow Leopard will have a 64 bit kernel which completely re-does Apple's security. We don't have much information about it, because Apple tends not to tell us what is in the works, because that gives away clues on how to get around its procedures. We do know that Apple has hired an expert on "Sand-boxing software in the OLTC computer." This likely means that applications will be increasingly limited in what actions they can do and what ports they can use. We know that the 64 bit security will be much tougher than 32 bit security is currently.

Macintosh users are not having any security problems which were not of their own making, such as when some people downloaded a pirated copy of iWorks through BitTorrent and found a Trojan Horse inside. That bit of malware was very easy to fix in Terminal mode. Very few Apple users are thieves, so it never was a big problem. But, boy, was it talked about among the anti-Apple pundits.

Consequently, we will need to reevaluate Apple's security when Snow Leopard comes out. In the meantime, there is no great urgency, so there is no cause for alarming articles such as this one. Things are in process. There is no need for panic.

Posted by: wheelerLouis | May 22, 2009 11:42 AM | Report abuse

A reader who had trouble signing in forwarded this via e-mail, which the reader said was in response to the comment from WheelerLouis:

My first computer was a Mac SE30, which I still have. However, in my chosen profession, due to industry software application requirements, a Mac is not really an option anymore. The only Apple product I use these days is the totally elegant iPod Nano 4th Gen, so perhaps I'm not supremely "qualified" to comment on the potential for malware exploits on the Mac OS platform.

However, as the designated in-house assistant to our contract IT person, for our Windows-based LAN, I follow the security news on a daily basis and, I appreciate ALL security advisories, and take them seriously. WAPO Security Fix is not the only site posting advisories regarding Apple and Java--SANS Internet Storm Center and US-CERT are two I frequent.

In my experience, being dismissive of potential security threats is precisely the vigilant-lax attitude that gets many folks in trouble. More than once, I have had the unplea$ant ta$k of attempting to clean up the me$$e$ an elitist "it'll never happen to me" attitude has generated, in personal and business machines. Just because one has not been attacked, does not mean one never will be. Always vigilant is my motto.

So, I would query anyone who feels, due to their platform choice, they are reasonably well-insulated from exploits: Are you personally prepared to take full responsibility for any and all damage to your system(s), and the systems of others who relaxed their guard on the strength of your "recommendation" if indeed, a potential exploit proves to be worth "making too much" of, after all?

Posted by: BTKrebs | May 22, 2009 1:25 PM | Report abuse

@Wheeler: Interesting comment. The point of my blog post was to state the fact that six months is actually NOT unusual (i.e., to add some perspective here).

Posted by: BTKrebs | May 22, 2009 1:28 PM | Report abuse

It's important to note an important inaccuracy in the article.

I have not posted source code or instructions on how to exploit the vulnerability, and while awareness of the issue may encourage "wannabe hackers" to take advantage of the situation, the issue was already trivial to exploit and the information necessary to do so was already publicly available.

My only hope is that awareness of this long-standing, critical issue will allow users to protect themselves by disabling Java, and will also encourage Apple to produce a patch and protect their users -- which includes myself and my family.

As of today, Apple appears to have a patch for this issue available for developer testing.

Posted by: LandonFuller | May 22, 2009 1:32 PM | Report abuse

Landon -- As I replied to you in an email, the story didn't say you had posted source code or instructions. I also reference a blog post by Mr. Tinnes, who does go into quite a bit more detail about how this might be exploited.

Sounds like we agree on the importance of raising awareness about this issue, and the fact that it is trivially exploitable, as you say.

Posted by: BTKrebs | May 22, 2009 1:42 PM | Report abuse

Gee. Apple take security matters with the greatest nonchalance, someone points this out, and the fanboys come out of the woodwork. Wheeler: try to get this. When it comes to security, nothing is too much to ask. Six months is a scandal and Apple are behind at least six months here (if not more). And they continue to get hacked to bits (and humiliated) because they can't keep their open source modules up to date. If you want more people who share your K-A way of thinking then hang out at the R-D forums.

Posted by: Rixstep | May 22, 2009 5:41 PM | Report abuse

Do you have any information how long it takes to update these issues in the OS compilers/libs? For example,

* dev-java/apple-java-extensions-bin
Latest version available: 1.2-r1
Latest version installed: [ Not Installed ]
Size of files: 3 kB
Homepage: http://developer.apple.com/samplecode/AppleJavaExtensions/
Description: A pluggable jar of stub classes representing the new Apple eAWT and eIO APIs for Java 1.4 on Mac OS X.
License: Apple

Might introduce the same security hole.

Posted by: lembark | May 24, 2009 10:28 AM | Report abuse

Louis Wheeler wins this bout for taking the high road; BTK came off sounding like someone who is transposing his frustration with the PC world's lack of security & support onto the Macintosh world without any objective appreciation of how elegantly Apple handles the issues. I doubt s/he has as much brand loyalty to a single computer manufacturer like Apple enjoys - and they earned that mountain of good will by doing things this way consistently for a long time, all while the PC world continued to try and replicate the features and performance Apple has always enjoyed but took 10+ years to do without improving the basic security of the platform.

Microsoft doesn't trust their own customers to judge for themselves anymore (as if they ever did); they had to fool their hapless TV Windows users into thinking that Vista was actually the "next generation" of Windows. The sad part about it is that those TV commercials customers’ “deer in the headlights” reaction, accepting the ruse without indignation because they know deep inside that they have no control of what comes out of Redmond. It is also sad that their current anti-Apple commercials are patent lies about the cost/benefit equation by completely ignoring the cost of software for the shoppers’ intended use and an extra 2 GB of RAM only costs $40. It reeks of desperation and lacks any sense of entertainment value as the Macintosh commercials’ humor demonstrates so well. What exactly happened when the young lady who wants to edit video realized that she had no money leftover for software?

The most practical thing for PC users is to both ignore their frustrations with Microsoft and accept the fact that Apple’s customers are happy for very good reasons and stop comparing Apples to Lemons, or better yet, convert to the other side and experience the Utopian world that is Macintosh. I hate to be cruel, but after so many years, Microsoft still doesn’t get it. Why else would a software company (Microsoft) spend millions on TV commercials trying to convince consumers to not buy hardware from someone who isn’t really a competitor? They would rather spend money trying to convince their customers that they made the right decision rather than produce better software that speaks for itself.

The implausible alternative is to convince Microsoft to change the ideals driving their software design, which should have been done way back when OS-X first became a reality. I equate the latest Mac & PC TV ads (“Customer Care” with the PC guy ripping his hair out) as the latest example of truth in advertising.

Posted by: WorldNet | May 24, 2009 5:52 PM | Report abuse

Speaking as a Mac user myself, I think Wheeler and WorldNet are dead wrong. What in the world do Microsoft's failings have to do with Apple being behind Sun in security patches? I for one remember Sun's Java patch coming out last year and I foolishly assumed the same patch was included in one of the Apple updates since that time.

I'd like to thank Mr. Fuller and Mr Krebs for drawing attention to this issue. Keep up the Mac stories.

Posted by: Hopeful9 | May 24, 2009 11:10 PM | Report abuse

To Rixstep - it is misinformation like the crap you have posted above that hurts the entire market, especially when it purports that MSFT is somehow treating customers right and that Apple is oh so flawed and dangerous - NOT. MSFT is known for building buggy software with security holes all through it. (Apple is known for being just the opposite, in fact, and not in someone's dreams.) To say that Apple is getting "hacked to death" is just patently false. MSFT, with their market dominance, has continuously produced products that frustrate their users and cost significantly more, not just on their base price, but the total cost of ownership is out in the stratosphere when you calculate "un-usability" - time spent fixing problems, downtime, support infrastructure time and cost, time spent dealing with bloatware, additional software needs like antivirus and antispyware software, paying for their next release that merely fixes bugs and piles on more features that 99.999% of users neither want nor need, upgrading of hardware to handle the next release of a bloated resource hog, and on and on and on.... should we just take a look at customer satisfaction levels for hardware, software and customer service and support to make you look even more foolish?

Posted by: FreeRange1 | May 26, 2009 2:14 AM | Report abuse

@FreeRange1: "MSFT is known for building buggy software with security holes all through it. (Apple is known for being just the opposite, in fact, and not in someone's dreams.)"

I have just one word for you if you think Apple is known for reliable software: QuickTime (ha)

Posted by: moike | May 26, 2009 8:31 AM | Report abuse

I see what I always see whenever someone comes out and points out anything negative about Apple: a bunch of fanboys telling us how terrible Microsoft is. It's so rare to see anything in the tech news negative about Apple, I have to give kudos to Mr. Krebs for even bringing this up. Interesting that because Microsoft was forced to drop their own version of Java because of fears of monopoly, their OS is OK since it gets its updates right from Sun. Yet because Apple is "Open Source" they can have their own version, so they need to update it. I guess I can just download the Mac OS, since it's "Open Source". NOT! To all of the Microsoft haters out there, you might take note how much more you pay for your required hardware upgrades as well as OS upgrades, and tell me how this is a value. Not to mention the fact that without running or emulating the Windows OS you can run 90% of the software that is available...

Posted by: daveKnows3 | May 26, 2009 9:22 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company