Does Apple's Java move mean a less secure Mac?

Security experts take sides over Java patching


Dai Zovi pointed out that of the three most-exploited Java vulnerabilities in Windows, two could be used by attackers against Mac OS X with little modification. "In both cases, Apple released a patch for their Java in three to four weeks," he said. "This is after the vulnerability is public and penetration testing frameworks may release working exploits for them."

Last month, Microsoft's malware center said it had tracked an "unprecedented wave" of exploits targeting Java bugs in the first nine months of the year.

According to a manager at Microsoft's Malware Protection Center (MMPC), attempts to exploit Java bugs have skyrocketed in the past nine months, climbing from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter.

A few days later, Wolfgang Kandek, the CTO of Qualys, said his company's data showed that 40% of the people running Java were using an outdated version. Kandek called on Oracle to work with Microsoft to distribute Java patches using the latter's Windows Update service.

Mac users should just say good riddance to Java, Dai Zovi added.

"Most Mac users do not need or even use Java, and this will make them safer than having a large window of vulnerability in a plug-in that is being actively attacked through exploits that can easily be adapted to target Mac OS X," Dai Zovi said.

In an e-mail late last month, Dai Zovi predicted the Apple and Oracle deal weeks before Friday's announcement.

"I expect Oracle to completely neglect the Mac OS X port of Java and perhaps rely on the community-supported OpenJDK to serve these users for them," Dai Zovi said on Oct. 27 in response to Computerworld's questions about Java. "I hope that Oracle would manage a Mac OS X port as a first-class citizen, but I'm not holding my breath."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Copyright © 2010 IDG Communications, Inc.
