Apple has shipped security fixes for a number of bugs in its Java implementation, and the company also said that it has deprecated its Java implementation in OS X and may remove it from future releases of the operating system.
Apple’s patch release on Wednesday included several fixes for vulnerabilities in both Java for Mac OS X 10.5.8 and OS X 10.6.4, a few of which allow a remote attacker to execute arbitrary code on vulnerable machines. The most serious of the bugs in OS X 10.6.4 enables an attacker to break out of the Java sandbox with a malicious Java applet. There is also another remote code execution bug in OS X 10.6.4’s Java implementation, as well as a local flaw.
The Java patches from Apple also fix six bugs in the Java implementation on Mac OS X 10.5.8, including several that allow remote code execution.
More surprising than the big patch release, though, was Apple’s announcement that it has deprecated its Java implementation in OS X, meaning that it may well not include Java in future versions of the OS.
“As of the release of Java for Mac OS X 10.6 Update 3, the version of Java that is ported by Apple, and that ships with Mac OS X, is deprecated,” the company said in the notes for the OS X updates released Wednesday. “This means that the Apple-produced runtime will not be maintained at the same level, and may be removed from future versions of Mac OS X. The Java runtime shipping in Mac OS X 10.6 Snow Leopard, and Mac OS X 10.5 Leopard, will continue to be supported and maintained through the standard support cycles of those products.”
Java has become a favorite target of attackers and Java bugs have become such a problem that Microsoft recently issued a warning about the extent of the Java security issues. The company’s Malware Protection Center researched the relative number of exploits targeting various widely deployed technologies.
“What I discovered was that some of our exploit “malware” families were telling a scary story – an unprecedented wave of Java exploitation. In fact, by the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored,” Microsoft’s Holly Stewart said.
“I have a theory about why almost no one has noticed this sharp rise in attacks on Java. IDS/IPS vendors, who are typically the folks that speak out first about new types of exploitation, have challenges with parsing Java code. Documents, multimedia, JavaScript – getting protection for these issues is challenging to get right. Now, think about incorporating a Java interpreter into an IPS engine? The performance impact on a network IPS could be crippling. So, the people that we expect to notice increases in exploitation might have a hard time seeing this particular spectrum of light. Call it Java-blindness,” Stewart said.