Skip the navigation

Does Apple's Java move mean a less secure Mac?

Security experts take sides over Java patching

November 15, 2010 02:11 PM ET

Computerworld - Security experts are split over whether Apple's decision to hand over Java to an Oracle-backed open-source project is a good deal for Mac users.

On Friday, Apple announced it would join Oracle's OpenJDK and contribute "most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X."

The move followed Apple's earlier decision to "deprecate" Java -- in other words, to stop bundling the software with Mac OS X -- in future versions of the operating system.

On Friday, Apple committed to continue shipping Java SE 6 with Mac OS X 10.6, aka Snow Leopard, and in the next edition, Mac OS X 10.7, known as Lion. The latter is set to launch in the third quarter of 2011. Apple will also patch Java SE 6 in those operating systems.

But Java SE 7, and all later versions of the software for Mac OS X, will come from Oracle, not Apple.

One security researcher thinks that would make Mac users less secure in the long run.

"Instead of having to worry about one thing being updated -- the operating system -- users will now have to worry about three things being kept up to date: the OS, Java and Flash," said Charlie Miller, an analyst with Baltimore-based Independent Security Evaluators (ISE) and co-author of The Mac Hacker's Handbook.

"This is what people on Windows have done, and I think history shows that people aren't very good at keeping these up to date," said Miller in an e-mail reply to questions about Apple deprecating Java. "Until now, out of the box, the browser could handle just about anything since Java and Flash were installed. Just updating the OS kept these up to date. [In the future], the browser won't handle many popular sites and if you download the plug-in, you have to worry about it getting out to date."

Apple has also decided to ditch Adobe's Flash Player, which like Java has been pre-installed on Macs. Apple has provided patches for Flash Player as part of its normal security updates, but may discontinue that practice as well.

Dino Dai Zovi disagreed with his The Mac Hacker's Handbook co-author.

"If Apple can't release patches at the same time that Oracle does, they should let Oracle do it," said Dai Zovi, a New York-based security consultant.

Apple has been repeatedly knocked for taking months to patch Java and Flash vulnerabilities that Oracle and Adobe had fixed long before.



Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!