2 of the greatest security exploit magnets of recent years will no longer be bundled with Apple’s Mac OS.
Adobe’s Flash has been bundled with OS X for some time and Apple has long had their own distribution of Oracle’s Java, also included with the OS. Apple’s Java is officially history as of Lion, the next release of Mac OS, and indications are that Flash will no longer be included. In fact, this may be a serious problem for all Java client development, not just on the Mac.
The first news of this last week was when someone noticed that Apple announced to developers that the Java included in OS X 10.6 Update 3 would be the end of the road. In industry terms, Java has been “deprecated,” meaning that it will no longer be supplied or supported. They will continue to support the current implementation for as long as they support the OS on which it runs, but “ [D]evelopers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X.”
Like many other hardware vendors, Apple has always provided their own implementation of Java, and in fact (as quoted here in his own blog) Father of Java James Gosling says that it’s that way because Apple insisted on it. But now it seems that Apple doesn’t want to bother anymore. From a security standpoint, it’s understandable. Apple was always far behind the standard Oracle Java in terms of new versions and especially security updates.
As for Flash, but an Apple spokes person told Daring Fireball that future Mac products won’t include a Flash player. Users are instructed to get it from Adobe directly (see http://get.adobe.com/flashplayer). Reports are coming in that the newest MacBook Air does not have a Flash player included, so this change has already begun.
So if you’re a Flash developer concerned about your users, this is a problem but not a major one. As with Windows and Linux, you’ll just have to make sure to tell users where to get Flash (repeat: the answer is always http://get.adobe.com/flashplayer).
Better still, tell your users to switch to Google Chrome and to keep it updated. They will always have the most recent copy of Flash. Apple just made Chrome the clearly best choice for browsing on Mac OS.
If you’re a Java developer concerned about your Mac users, you may have a big problem. According to Simon Phipps, the former head of open source at Sun and a current board member with the Open Source Initiative (OSI) as quoted here in The Register, Apple owns their own implementation of Java and isn’t obligated to share it with Oracle. Crucially, Phipps adds that the Apple Java port relies on a great deal of intimate OS X knowledge and that it relies on unpublished APIs. Recreating a quality Java for the Mac would be a difficult task for an outsider. Phipps says that there is a Mac port of the open source OpenJDK, but I can’t find it on the OpenJDK site. In any event, Phipps says it sucks.
I asked Oracle several days ago whether they planned to release their own Java for the Mac. They have not responded to my inquiry.
View full post on Security Watch
