Apple plugs Java hole, shifts away from plug-in

By turning off Java by default, Apple is making customers choose whether to take the risk in using the troubled browser software

Apple has released a fix for a critical Java vulnerability, while also taking further steps to distance itself from the technology, which has become a major security risk in Web browsers.

 Apple released the fix Wednesday for Mac OS X Snow Leopard, Lion and Mountain Lion. The patches, Java for Mac OS X 10.6 Update 10 and Java for OS X 2012-005, shipped a week after Java-steward Oracle released an emergency patch.  

As as of this week, more than a quarter-million computers on the Web have been infected with malware exploiting the vulnerabilities, said Atif Mushtaq, a security researcher at FireEye.

The bugs were in the Java plug-in used in all the major Web browsers, including Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox. The flaws were rated critical because cybercriminals could use them to install malware capable of commandeering a computer.

Apple's patches automatically deactivated the Java plug-ins in browsers, leaving it up to Mac users to turn them back on. Until a few months ago, Apple had handled the release of all Java updates. Now, customers can download and install fixes directly from Oracle.

[Bill Brenner in Salted Hash: 4 Flaws - Fun with iPhone, Java, Dropbox and the brain]

"Apple is trying to distance itself from Java in general," said Marcus Carey, a security researcher at Rapid7. "Over the last six months, Java has been a headache for everyone in the industry."

By turning off Java by default, Apple is making customers choose whether to take the risk in running the browser plug-in. "People who need Java are going to be on their own," Carey said.

The recent outbreak has led many security vendors to advise people to disable Java in browsers, because the technology is not used on the majority of Web sites. Over the last few years, Java applets have been replaced with more modern Web technologies, such as HTML 5, XML and JavaScript.

"In my opinion, most Apple users should just turn Java off," Andrew Storm, director of security operations for nCircle, said by email. "Apple doesn't ship it pre-installed anymore and most Java applets are slow and clunky. It's always good security practice to turn off anything you don't really need."

While Apple moves away from the technology, Java remains a headache for Oracle. Many security experts have criticized the business software maker for the amount of time it takes to release a patch for known Java vulnerabilities.

In the latest incident, Polish company Security Explorations said it told Oracle about the flaws in April. Oracle has not commented on why it took four months to release a patch.

"Why talking to your customers about security is so difficult is beyond my comprehension," Storm said. "All software has bugs, customers know that. We don't ask for a lot of information; the minimum requirements include an estimate of when a fix will be available and some mitigation advice. How hard is that?"

For years, Apple faced the same criticism for taking months to release to its customers Java updates already available through Oracle. In June, Apple appeared to change, releasing a Java patch the same day as Oracle for the first time. Apple doesn't comment on product security.

"Overall, Apple has been very fast in coming out with new versions of Java, which is a great security improvement over the past," Wolfgang Kandek, chief technology officer for Qualys, said by email.

Apple's response to Java vulnerabilities changed in April when 650,000 Macs worldwide were infected with the Flashback malware that exploited a Java flaw. Apple did not release a fix for six weeks after Oracle, giving cybercriminals plenty of time to build exploits and launch attacks.

Copyright © 2012 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline