Apple hustles, patches Java bugs same day as Oracle
First-time move tries to make up for allowing Flashback malware disaster earlier this year
Computerworld - Breaking with an oft-criticized tradition, Apple on Monday released a Java update for OS X on the same day that Oracle patched the vulnerabilities for Windows and other operating systems.
Apple issued separate updates for OS X 10.7, aka Lion, and OS X 10.6, or Snow Leopard, that quashed 11 bugs in each edition. Oracle, which maintains Java for Windows, Linux and Solaris, shipped its update to patch 14 vulnerabilities.
Of the three bugs that Oracle fixed but Apple did not, two applied solely to non-Apple operating systems, Solaris and Linux. It was unclear why the third was not included in Apple's version.
The same-day patching was unprecedented: Apple, still responsible for Java security updates for Lion and Snow Leopard, typically lags behind Oracle by weeks or even months.
That practice turned disastrous earlier this year when Apple's Java update lagged behind Oracle's by seven weeks. Hackers jumped at the opportunity, and quickly infected an estimated 600,000 Macs with the Flashback malware by exploiting a Java bug that Oracle had patched but Apple had not.
Not surprisingly, security experts blamed Apple's lethargy for the outbreak.
To some experts, Apple's move Monday was its response to that criticism.
"It's simple, really," said Andrew Storms, director of security operations at nCircle, of Apple's hustling this Java update to users. "Apple's lack of process was directly related to Flashback infecting 600,000-plus Macs. For a company that says that their systems don't get malware, well, guess what? They got a lot of people infected because they couldn't deliver the Java update in a timely manner."
Storms and other security professionals have hammered Apple for years over its lack of urgency in patching Java and other third-party code that it either once included, like Adobe's Flash Player, or still includes.
"It was a total process fail [earlier this year], and something we've been chiming about for years," said Storms. "If Apple wants to distribute third-party apps in their OS, then they need to be responsible and keep them up-to-date. Or if you can't do the job, then it's time to step aside."
That's exactly what Apple has done with Java.