Apple lags on Java security fix in OS X
While Apple’s safety record is pretty good—that is to say the actual number of security breaches on the platform is small—it still has some work to do in terms of its reputation for security. The company is often close-mouthed about its process for dealing with security fixes, and though it does issue updates throughout the year, vulnerabilities sometimes go unpatched for months at a time.
Case in point: a Java vulnerability first patched by Sun over six months ago that’s still open in Mac OS X. Despite the recent security fixes in 10.5.7, this issue has still not yet been fixed in OS X.
While Java isn’t one of Apple’s own homegrown systems, it's included by default with OS X, and in such a situation Apple is still responsible for rolling out fixes from third-party vendors when they become available. Java, in particular, is important for several reasons. For one, as stated, it’s installed and active by default in OS X; for another, its cross-platform, near ubiquitous nature makes it a tempting target for hackers; finally, it’s usually accessible via a Web browser, putting even the average user at risk.
The particular vulnerability in question is rather technical—if you’re interested in the details, you can check out this blog post by Sami Kovu, who discovered the flaw. The upshot, however, is that a Java applet loaded in your Web browser could execute arbitrary code with your current permissions. Noted Mac OS X developer Landon Fuller has a proof of concept of the bug on his site; he also offers some steps that Mac users can take to help protect themselves: specifically, disable the “open ‘safe’ files after downloading” in Safari (which is pretty much always a good idea) and turn off Java support in your Web browser.
Of course, this isn’t a great workaround for those who rely on Java for their day-to-day life. Ideally, Apple would roll out the version of Java in which Sun has already fixed this bug, but the larger problem still remains: Apple should be more aggressive on security, rather than resting on the laurels of its safety record. That way, if an attack does come, the company won’t be caught with its virtual pants down.
The recent hiring of Ivan Krstic, former security chief of the One Laptop Per Child, is presumably a step in the right direction. Krstic worked on the Bitfrost security system for OLPC, and given that children were the primary users of OLPCs, Bitfrost was designed to be transparent to the end-user as well as high security. That's just the kind of security that the Mac OS needs.