Does Apple's Java move mean a less secure Mac?
Security experts take sides over Java patching
Computerworld - Security experts are split over whether Apple's decision to hand over Java to an Oracle-backed open-source project is a good deal for Mac users.
On Friday, Apple announced it would join Oracle's OpenJDK and contribute "most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X."
The move followed Apple's earlier decision to "deprecate" Java -- in other words, to stop bundling the software with Mac OS X -- in future versions of the operating system.
On Friday, Apple committed to continue shipping Java SE 6 with Mac OS X 10.6, aka Snow Leopard, and in the next edition, Mac OS X 10.7, known as Lion. The latter is set to launch in the third quarter of 2011. Apple will also patch Java SE 6 in those operating systems.
But Java SE 7, and all later versions of the software for Mac OS X, will come from Oracle, not Apple.
One security researcher thinks that would make Mac users less secure in the long run.
"Instead of having to worry about one thing being updated -- the operating system -- users will now have to worry about three things being kept up to date: the OS, Java and Flash," said Charlie Miller, an analyst with Baltimore-based Independent Security Evaluators (ISE) and co-author of The Mac Hacker's Handbook.
"This is what people on Windows have done, and I think history shows that people aren't very good at keeping these up to date," said Miller in an e-mail reply to questions about Apple deprecating Java. "Until now, out of the box, the browser could handle just about anything since Java and Flash were installed. Just updating the OS kept these up to date. [In the future], the browser won't handle many popular sites and if you download the plug-in, you have to worry about it getting out of date."
Apple has also decided to ditch Adobe's Flash Player, which like Java has been pre-installed on Macs. Apple has provided patches for Flash Player as part of its normal security updates, but may discontinue that practice as well.
Dino Dai Zovi disagreed with his The Mac Hacker's Handbook co-author.
"If Apple can't release patches at the same time that Oracle does, they should let Oracle do it," said Dai Zovi, a New York-based security consultant.