The emergence of the Flashback Trojan – which exploited a vulnerability in Mac OS X’s version of Java – earlier this year led to a lot of flak for both Oracle and Apple. The vulnerability was known about and fixed in the Windows and Linux versions of Java, but remained exposed in OS X for several more weeks. The fact that Apple is ultimately responsible for maintaining Java on OS X saw Apple’s ability to protect its users questioned.
But while Apple’s policy of not discussing security vulnerabilities in public was part of the problem, conflicts between the release schedule of OS X and Java versions and Java’s increasing popularity as a target for cybercriminals also come into the equation.
While criticism of Apple for not releasing security patches for Java quickly is fair, it should also be noted that Oracle doesn’t exactly have a blameless record when it comes to security. In the past week it has emerged that the critical patch update issued in April, which fixed 88 vulnerabilities in its database product line, had problems of its own.
Specifically, one of the fixes for its TNS Listener service had stability issues – issues that Oracle does not intend to fix until its next round of updates. To make matters worse, the vulnerability this specific fix was for was first reported in 2008. All current versions are still vulnerable for now, a state of affairs that one security researcher described as “reckless”.
Chester Wisniewski of Sophos said: “Oracle isn’t exactly known for getting security right, but this is downright reckless. Taking four years to fix a serious vulnerability and even then only committing that future releases, to be named, will fix it?”
This rather shocking state of affairs provides a sobering backdrop to the news that Oracle will provide Java fixes to Mac users at the same time as Windows, Linux and Solaris.
“From this point on, every release of Oracle JDK 7 and JavaFX 2.1 (and later) will be available on Mac at the same time as for Linux, Windows and Solaris,” Oracle’s Henrik Stahl said last week with the release of Java SE 7 Update 4 JDK.
Sophos’ Wisniewski points out, though, that this does not include the Java Plugin/Java Web Start components that integrate with the browser to enable you to launch Java applets. It’ll only work with 64-bit versions of Lion and is intended for development purposes. But, he concedes, it hopefully points to a more secure future for Mac users.
“This might be an indication that Oracle intends to supply their own JRE/Java Plugin/Web Start for Mac users in the future, which would make it easier for OS X users to stay current without relying on Apple,” Wisniewski said.
You can download the Java SE 7 Update 4 JDK here as long as you are running Mac OS X Lion. Once installed, Java will be updated automatically.
Oracle has since issued a critical patch for the vulnerability in the TNS listener in its database products, but the fact that Oracle will now be taking responsibility for maintaining Java for Mac might not be as good news as it would first appear.
But it is likely a better way forward than to leave support for Java in Apple’s hands – Steve Jobs lost interest in Java as long ago as 2007, when he described it as a “ball and chain” not worth building into OS X. It wasn’t until 2010 that Apple dropped Java from OS X, having largely persuaded developers to use other alternatives that were more under its control. Java didn’t drop out of favour entirely, though, and Apple’s neglect of it, combined with Oracle’s initial unwillingness to take responsibility for updating it, left a gaping hole that cybercriminals managed to exploit so effectively.