October 21, 2010, 10:21AM

Apple Ships Java Patches, Says It May Drop Java From Future OS X Releases

Apple has shipped security fixes for a number of bugs in its Java implementation, and the company also said that it has deprecated its Java implementation in OS X and may remove it from future releases of the operating system.

Apple's patch release on Wednesday included several fixes for vulnerabilities in Java for Mac OS X 10.5.8 and for OS X 10.6.4, a few of which allow a remote attacker to execute arbitrary code on vulnerable machines. The most serious of the bugs in OS X 10.6.4 lets a malicious Java applet break out of the Java sandbox, giving the attacker code execution outside the restrictions the sandbox is meant to enforce. There is also a second remote code execution bug in OS X 10.6.4's Java implementation, as well as a local flaw.

The Java patches from Apple also fix six bugs in the Java implementation on Mac OS X 10.5.8, including several that allow remote code execution.

More surprising than the size of the patch release, though, was Apple's announcement that it has deprecated its own Java implementation in OS X, meaning that future versions of the OS may well not include Java at all.

"As of the release of Java for Mac OS X 10.6 Update 3, the version of Java that is ported by Apple, and that ships with Mac OS X, is deprecated," the company said in the notes for the OS X updates released Wednesday.

"This means that the Apple-produced runtime will not be maintained at the same level, and may be removed from future versions of Mac OS X. The Java runtime shipping in Mac OS X 10.6 Snow Leopard, and Mac OS X 10.5 Leopard, will continue to be supported and maintained through the standard support cycles of those products."

Java has become a favorite target of attackers, and Java exploitation has grown to the point that Microsoft recently issued a warning about its extent. The company's Malware Protection Center compared the relative number of exploits targeting various widely deployed technologies.

"What I discovered was that some of our exploit "malware" families were telling a scary story - an unprecedented wave of Java exploitation. In fact, by the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored," Microsoft's Holly Stewart said.

"I have a theory about why almost no one has noticed this sharp rise in attacks on Java. IDS/IPS vendors, who are typically the folks that speak out first about new types of exploitation, have challenges with parsing Java code. Documents, multimedia, JavaScript - getting protection for these issues is challenging to get right. Now, think about incorporating a Java interpreter into an IPS engine? The performance impact on a network IPS could be crippling. So, the people that we expect to notice increases in exploitation might have a hard time seeing this particular spectrum of light. Call it Java-blindness," Stewart said.


Comments

Apple will not live long if they deprecate anything like that!


Copyright © 2012 threatpost.com