Tag Archive | "Apple"

Firefox 4 gets its first security update

Yesterday, five weeks after shipping Firefox 4, the Mozilla project published the new browser’s first-ever security update. The Firefox version number bumps up to 4.0.1.

The update fixes 50-odd bugs in total, amusingly including three fixes listed as specific to OS/2. Ironically, the latest official release of the OS/2 port of Firefox, dubbed Warpzilla, hasn’t yet reached version 4 – it’s still back at version 3.6.8.

The release notes for Firefox 4.0.1 are hard to find from the main Mozilla.com page. (Browsing to Firefox.com doesn’t help, as this just redirects to the Mozilla page.) But if you know where to look, you’ll find that two critical security advisories are fixed in the 4.0.1 release.

MFSA2011-12 deals with memory corruption bugs in the browser engine itself; Mozilla experts officially opined that “with enough effort at least some of these could be exploited to run arbitrary code”. MFSA2011-17 deals with “two crashes that could potentially be exploited to run malicious code” in a graphics library called WebGLES, used by Firefox.

Because the 4.0.1 update addresses vulnerabilities that are considered remotely exploitable, we advise you to apply this update without delay.

The previous version, Firefox 3.6, also gets an update, moving to 3.6.17. This update also squashes some critical bugs, including the MFSA2011-12 memory corruption vulnerability affecting Firefox 4.

Two other critical vulnerabilities which don’t affect version 4 are fixed.

MFSA2011-13 deals with various “dangling pointer” bugs (a dangling pointer is a programming mistake in which a memory reference remains in use after the memory it points to has been returned to the operating system for re-use). MFSA2011-15 deals with a privilege escalation bug in the Java Embedding Plugin.

The MFSA2011-15 vulnerability is specific to the Mac OS X version of Firefox. Apple users who imagine themselves invulnerable simply by virtue of their choice of operating system, please take note!

There’s an update to Mozilla’s Thunderbird email client as well. Thunderbird moves to version 3.1.10.

Somewhat confusingly, the Thunderbird release notes don’t list any critical vulnerabilities fixed in this version, but the MFSA2011-12 advisory specifically states that the bugs it covers are “fixed in Thunderbird 3.0.10”.

If you’re a Thunderbird user, we advise you, too, to update as soon as you can.

Posted in Sophos

Free anti-virus for Mac named Best Anti-Malware solution at SC Awards

Who would have thought it? A free anti-virus program for Apple Macs being named best anti-malware solution ahead of security products for boring old Windows.

Well, that’s exactly what happened at the SC Magazine Awards Europe 2011, held last week at the London Hilton on Park Lane.

Over 530 of the industry’s top companies saw Sophos Anti-Virus for Mac Home Edition successfully beat rivals including products from McAfee, Kaspersky and Symantec to win the coveted title of Best Anti-Malware Solution, at the glittering awards dinner.

Naked Security’s own Carole Theriault was on hand to receive the award, flanked by Qualys CEO Philippe Courtot and dead-pan comedian Stewart Francis.

Carole Theriault receives award at SC Magazine

Carole was uncharacteristically lost for words when I asked her how she felt, but I think what has surprised all of us is just how open Mac users are becoming to the idea of securing their computers with anti-malware software.

Although the number of malware threats targeting Mac OS X is much, much smaller than for Windows, that doesn’t mean they are non-existent. And Sophos’s free anti-virus for Mac home users has opened many eyes to the fact that security doesn’t have to be an unpleasant experience.

Sophos Anti-Virus for Mac Home Edition’s success at the awards wasn’t the end of the night as far as Sophos was concerned. The company was also named Information Security Vendor of the Year.

A tremendous result in such a competitive marketplace. Our thanks go to SC Magazine’s judging panel for recognising the hard work done by everyone at Sophos in the last year, and to our users and readers for supporting us!

And if you’re still dithering about whether you should run an anti-virus on your Mac at home, then do read the reviews… and then download our free Mac anti-virus. :-)

Posted in Sophos

Actually, iPhone sends your location to Apple twice a day

Forensic researcher Alex Levinson has discovered a way to map out where an iPhone has been. The information comes from a location cache file found on an iPhone (Library/Caches/locationd/consolidated.db).

In practice, this file contains your travel history.


It should be noted that this file can’t be accessed by third-party apps on an iPhone, as you need root rights to reach it. However, the file is copied to your PC or Mac during standard iPhone sync operations and is accessible from there.

Yesterday, security researchers Pete Warden and Alasdair Allan released an application that can take such a file and show your movements on a map.

Now, this sounds bad from a privacy viewpoint. For example, authorities could obtain a court order to do a forensic examination of your phone to figure out where you’ve been.

But why is Apple collecting this information to begin with? We don’t know for sure. But we’re guessing it’s likely related to Apple’s global location database.

Like Google, Apple maintains a global database of the locations of Wi-Fi networks. They use this to get an estimate of your location without using GPS. For example, if your handset sees three hotspots which have MAC addresses that Apple knows are within a certain city block in London, it’s a fair bet you’re in that city block.

We know how Google collected their location database: they recorded Wi-Fi networks world-wide while their Google Maps Street View cars were driving around the globe.

Where did Apple get their location database? They used to license it from a company called Skyhook. How did Skyhook obtain this information? Well, they had their own cars drive around the world, just like Google.

However, the Skyhook database is expensive. So beginning with iPhone OS 3.2 released in April 2010, Apple started replacing the Skyhook location database with their own location database.

And the real question is: How did Apple create their own location database? They did not have cars driving around the world. They didn’t need to. They had existing iPhone owners around the world do the work for them.

If you run a modern iPhone, it will send your location history to Apple twice a day. This is the default operation of the device.


How can they do this? By asking for your permission first. There is an opt-in process during initial iTunes installation, but the prompt is highly misleading:

iTunes location

The iTunes prompt talks about helping Apple with Diagnostics information. It says nothing about recording your locations. If you take the time to read Apple’s Privacy Policy, it does explain what they are doing:

   To provide location-based services on Apple products, Apple and our partners
   and licensees may collect, use, and share precise location data, including the
   real-time geographic location of your Apple computer or device.
   This location data is collected anonymously in a form that does not personally
   identify you and is used by Apple and our partners and licensees to provide and
   improve location-based products and services.


We believe the new secret location database found on the devices is connected to this functionality. Apparently iPhones always collect your location information, even if it’s not getting sent to Apple.

Posted in F-Secure, iPhone

Your iPhone keeps an unencrypted record of your movements

If you are the owner of an iPhone or a 3G iPad, you’ll probably want to know that your location – along with a timestamp – is recorded by the device at all times and stored in a file called “consolidated.db,” which is then copied to the computer with which you synchronize the device.

The file and its contents were discovered by Alasdair Allan and Pete Warden, two researchers who were collaborating on some data visualization projects and were curious whether they could do a visualization of mobile data.


During their search for it, they discovered the aforementioned file and analyzed it. It turns out that the data it contained allowed them to make a rather detailed visualization of how the phone – or rather its owner – moved about over a long period of time.

The file containing the data is found only on the device and on the computer with which it is synchronized, and there is no evidence that Apple is siphoning the data remotely. But why is this information collected and stored in the first place?

The researchers say that it’s unclear, but that their best guess is that Apple has some new features in mind for the future, and that they will need the data for those features to work properly. “The fact that it’s transferred across devices when you restore or migrate is evidence the data-gathering isn’t accidental,” they commented.

But the biggest problem at the moment is that this file and its counterpart on the computer are not encrypted and are, thus, easily readable by third parties. “By passively logging your location without your permission, Apple have made it possible for anyone – from a jealous spouse to a private investigator – to get a detailed picture of your movements,” they said. And that’s without needing a court order.

According to their research, the data began to be collected and stored in June 2010, with the release of iOS 4. The researchers said they contacted Apple’s Product Security team to ask them about the collected data, but have received no response so far.

In the meantime, they developed an open source application that maps the information present in the file on the mobile device or on the computer. In order to demonstrate their point, but foil potential snoopers, they artificially reduced the spatial and temporal accuracy of the data.

“You can only animate week-by-week even though the data is timed to the second, and if you zoom in you’ll see the points are constrained to a grid, so your exact location is not revealed. The underlying database has no such constraints, unfortunately.”
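The coarsening the researchers describe (a location grid plus week-by-week time buckets) applied to records like those in consolidated.db, as an added Python example that is not the researchers’ application or code from either post above. The in-memory SQLite table, its column names, the Unix-epoch timestamps and the sample fixes are all constructed for this example and are not the real file’s schema.

```python
import math
import sqlite3
from collections import Counter

# Constructed sample fixes (Unix epoch seconds, latitude, longitude); not real data.
# Rows 1-2 are an hour apart in the same central-London cell, row 3 is a different
# cell the same week, row 4 revisits the first cell two weeks later.
SAMPLE_ROWS = [
    (1287000000, 51.50735, -0.12776),
    (1287003600, 51.50842, -0.12810),
    (1287010000, 51.52345, -0.10543),
    (1287700000, 51.50700, -0.12850),
]

GRID_DEG = 0.01              # ~1 km cells; the grid the researchers mention, size assumed
WEEK_SECONDS = 7 * 24 * 3600 # "week-by-week" animation granularity


def build_sample_db():
    """Create an in-memory stand-in for the location cache (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE WifiLocation (Timestamp REAL, Latitude REAL, Longitude REAL)")
    db.executemany("INSERT INTO WifiLocation VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def exact_fix_count(db):
    """How many second-precise, unconstrained fixes the raw table exposes."""
    return db.execute("SELECT COUNT(*) FROM WifiLocation").fetchone()[0]


def coarsen(db, grid_deg=GRID_DEG, bucket_seconds=WEEK_SECONDS):
    """Snap every fix to (week index, lat cell, lon cell) and count visits per cell.

    Collapsing fixes this way is what keeps a published visualization from
    revealing exact positions or exact times while still showing movement.
    """
    visits = Counter()
    for ts, lat, lon in db.execute("SELECT Timestamp, Latitude, Longitude FROM WifiLocation"):
        week = int(ts // bucket_seconds)
        cell = (math.floor(lat / grid_deg), math.floor(lon / grid_deg))
        visits[(week, cell[0], cell[1])] += 1
    return visits


def cell_to_degrees(cell, grid_deg=GRID_DEG):
    """Translate integer cell indices back to the cell's south-west corner in degrees."""
    return (round(cell[0] * grid_deg, 6), round(cell[1] * grid_deg, 6))


if __name__ == "__main__":
    db = build_sample_db()
    print("exact fixes in table:", exact_fix_count(db))
    for (week, lat_idx, lon_idx), n in sorted(coarsen(db).items()):
        print(f"week {week}: cell {cell_to_degrees((lat_idx, lon_idx))} visited {n} time(s)")
```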


Posted in Security


Apple iTunes page infected

On that whole SQL injection thing, here’s an interesting one I found while stumbling around researching today.


Hmm…What’s that all about? Any more pages like this? Let’s see!

Well, yeah. There’s err, a few.



I found some more, and it doesn’t seem like a huge amount, but something that Apple should certainly clean up.

itunes.apple.com/us/podcast/turkish/id161320202
itunes.apple.com/pl/podcast/cuneyt/id152442304
itunes.apple.com/kr/podcast/belgesel-title-script-src/id206817953

These pages have live malware on them…

(There may be more but it’s Saturday evening and I have a life.)

Alex Eckelberry

Posted in GFI Software

Busy Month for Apple

This month, Apple published seven security updates resolving around 250 issues. The last patch arrived yesterday; it addressed Mac OS X 10.6.7.

Adding up the CVE IDs (Common Vulnerabilities and Exposures) listed in each patch does not give us an accurate view of the number of vulnerabilities involved, because several appear in more than one patch. For example, CVE-2011-0191 and CVE-2011-0192 are listed in five patches (Apple TV 4.2, iOS 4.3, iTunes 10.2, Mac OS X v10.6.7/Security Update 2011-001, and Safari 5.0.4).

After eliminating multiple entries, we discover that the 256 March issues are linked to 123 CVE references. Taking a look at 2010, we see 468 CVE covering the whole year. And I have not forgotten the one in January 2011.

CVE-2006-7243 is the oldest vulnerability covered by the 2011 patches. All others are from 2010 and 2011. Here’s what we’ve seen in the last 15 months:

  • 1 CVE from 2003 (CVE-2003-0063)
  • 2 CVE from 2006 (1 in Q1 2011)
  • 11 CVE from 2008
  • 68 CVE from 2009
  • 428 CVE from 2010 (41 in Q1 2011)
  • 82 CVE from 2011 (all covered in 2011)
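To show why per-patch CVE counts overstate the total and how the per-year breakdown above is derived, here is an added Python example (not code from the original post) that deduplicates identifiers across a constructed set of advisories and buckets them by year. Only CVE-2011-0191, CVE-2011-0192 and CVE-2006-7243 are identifiers from the post; the advisory texts and the other IDs are constructed placeholders.

```python
import re
from collections import Counter

# Matches a CVE identifier and captures its year.
CVE_RE = re.compile(r"\bCVE-(\d{4})-\d{4,}\b")

# Constructed advisory snippets keyed by patch name. The five patch names and the
# two shared IDs mirror the post; CVE-2010-99001 etc. are placeholders, not real CVEs.
PATCHES = {
    "Apple TV 4.2": "Fixes CVE-2011-0191, CVE-2011-0192 and CVE-2010-99001.",
    "iOS 4.3": "Fixes CVE-2011-0191, CVE-2011-0192, CVE-2010-99001, CVE-2010-99002 "
               "and the long-standing CVE-2006-7243.",
    "iTunes 10.2": "Fixes CVE-2011-0191, CVE-2011-0192 and CVE-2010-99003.",
    "Mac OS X v10.6.7 / Security Update 2011-001":
        "Fixes CVE-2011-0191, CVE-2011-0192, CVE-2010-99002, CVE-2010-99003, CVE-2011-99001.",
    "Safari 5.0.4": "Fixes CVE-2011-0191, CVE-2011-0192 and CVE-2010-99003.",
}


def extract_cves(advisory_text):
    """Return the set of distinct CVE identifiers mentioned in one advisory."""
    return {m.group(0) for m in CVE_RE.finditer(advisory_text)}


def cve_year(cve_id):
    return int(CVE_RE.match(cve_id).group(1))


def tally(patches):
    """Compare the naive per-patch sum with the deduplicated count, and bucket by year."""
    per_patch = {name: extract_cves(text) for name, text in patches.items()}
    naive_total = sum(len(ids) for ids in per_patch.values())

    appearances = Counter()             # how many patches mention each CVE
    for ids in per_patch.values():
        appearances.update(ids)

    unique = set(appearances)
    by_year = Counter(cve_year(c) for c in unique)
    return {
        "naive_total": naive_total,
        "unique_total": len(unique),
        "by_year": dict(sorted(by_year.items())),
        "shared": {c: n for c, n in appearances.items() if n > 1},
        "oldest": min(unique, key=lambda c: (cve_year(c), c)),
    }


if __name__ == "__main__":
    result = tally(PATCHES)
    print(f"sum of per-patch counts: {result['naive_total']}")
    print(f"distinct CVEs:           {result['unique_total']}")
    print(f"by year:                 {result['by_year']}")
    print(f"listed in >1 patch:      {result['shared']}")
    print(f"oldest:                  {result['oldest']}")
```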

Is it possible to make a comparison between Apple and Microsoft?

During the same period (from January 2010 to March 2011), Microsoft published 123 security bulletins and patched 298 software flaws (CVE).

We can quickly compare by the level of criticality. On the Apple side for 2011, only one vulnerability has a low rating. All the others (123) were named as critical (by Vupen) or highly critical (by Secunia). On the Microsoft side one vulnerability was labeled moderate, 20 important, and eight critical.

Thus, in the last 15 months, Apple has corrected twice as many flaws as Microsoft.

Posted in McAfee

DA: 27 used others’ credit cards at Apple stores (AP)

AP – A crafty crime ring honed a very 21st-century scheme, authorities say: gleaning stolen credit-card numbers online from data thieves, deploying the numbers for a million-dollar, cross-country Apple store shopping spree and using social media to boast about it all.

Full story: Yahoo! News: Security News

Posted in Security


Hacktivism, Apple App Store, Vodafone and Facebook – 90 Sec News – Jan 2011

Don’t just read the latest computer security news – watch it in 90 seconds!

The lessons this month: “Anonymous” hacktivists aren’t as anonymous as they might have hoped, applications in Apple’s brand new OS X App Store not so safe after all, Vodafone Australia data leakage stirs the privacy waters, and Facebook backs down for once.

Watch and enjoy:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

Or listen to the podcast:

03 February 2011, duration 2:16 minutes, size 2.2MBytes

Download Podcast

Full story: Naked Security – Sophos

Posted in Sophos

NY document: ID theft ring targets Apple stores (AP)

AP – Dozens of people have been charged with forming a prolific identity theft ring that used thousands of stolen credit card numbers to shop at Apple stores around the country, according to a court document and a law enforcement official.

Full story: Yahoo! News: Security News

Posted in Security


Apple Patches Serious Bug in Software Update

It’s not common for Apple to patch a single bug, so the one they patched today must be serious.

The vulnerability patched today in the PackageKit module of OS X 10.6 and later (earlier versions are not affected) could lead to man-in-the-middle attacks. The attacks could result in a system crash or arbitrary code execution.

The problem has to do with PackageKit’s handling of distribution scripts. An attacker sitting between Apple’s update server and a user could make changes in the scripts to abuse a format string in the script. PackageKit appears to be the program which interprets this script and is victimized by the attack.

Apple says improved validation of distribution scripts in the update fixes the issue.

This update (as I see it) raises some questions: Aren’t they distributing these scripts via SSL/TLS? If so, how is the man-in-the-middle attack accomplished? If not, well why not?



Full story: Security Watch

Posted in Security

Apple iPhone bug – on-time to the party, late for work?

Did you have trouble getting up on New Year’s Morning?

Seems that Apple iPhone users did, even if they hadn’t been out partying the night before, when a bug in iPhone’s clock software prevented the alarm from going off.

According to the New York Times, Apple admitted the bug – though of course they didn’t use the dreaded B-word – and claimed that the problem would sort itself out by Monday 03 January 2011:

Apple did not offer an explanation, but a spokeswoman, Natalie Harrison, acknowledged that the company was "aware of an issue related to nonrepeating alarms set for January 1 or 2." She said all iPhone alarms would begin to work normally on Monday.

But the internet remains abuzz with complaints about failed alarms continuing past the weekend, suggesting either that the bug is not properly understood by Apple, or that iPhone users have adopted the Y2.011K bug as an appealingly hi-tech explanation for a late arrival at work on Monday.

After all, unexplained software failure despite use of leading-edge technology is a slicker excuse, with much stronger circumstantial support from Twitter, than old faithfuls such as dodgy kebab and dog ate bus ticket. HR departments, take note.

This isn’t the first time in recent years that a Y(2+x/1000)K bug has shown up for small positive integer values of x.

For x=9 (or, more precisely, on New Year’s Eve for x=8), some woeful code in Microsoft’s Zune music player actually caused the device to hang completely when turned on. Removing the battery until the clock forgot the time was the only fix.

For x=10, a whole raft of application woes hit home. SpamAssassin rejected all emails sent in 2010, thinking they were spam; Symantec rejected its own anti-virus updates for the first couple of weeks of the year; and point-of-sale devices in some parts of the world rejected payment cards, thinking that it was already 2016 and thus that every card was long past its expiry date.

And Apple had a different time-related iPhone bug in October 2010. That bug apparently failed to take into account local timezone changes caused by daylight saving time (DST). Ironically, the DST bug affected only recurring alarms, whilst the Y2.011K bug affects only non-recurring alarms.

It certainly sounds as though the outrageously large sacks of money thrown at the Y2K problem in the late 1990s were, indeed, wasted.

The Y2K problem was merely a single, specific, example of the many things that can go wrong in software which is responsible for dealing with dates and times. Yet we invested almost entirely in looking for Y2K-specific problems, even where they were already known not to be an issue, instead of improving our overall collective skills in handling internet dates and times across arbitrary time boundaries.

So far, Apple still doesn’t seem to have an explanation for the Y2.011K problem. It’s never a good sign when a vendor can’t explain a bug – after all, if they don’t understand it, how can they reliably fix it?

For now, Apple iPhone users can either remember to set recurring alarms, or invest in an apparently-forgotten technological marvel – an alarm clock!

Full story: Naked Security – Sophos

Posted in Antivirus

Apple and smartphones top 2011 cybercrime targets

Security firm McAfee expects malicious activity in 2011 to target smartphones, URL shorteners, geolocation services like Foursquare, and Apple…

Full story: Computer Crime Research News

Posted in Security

Send non-iTunes files from Mac to Apple TV with AirFlick (Macworld)

Macworld – Last week, blogger and insatiable hacker Erica Sadun turned your Mac into an AirPlay receiver with AirPlayer. Now she’s turned the tables with AirFlick, a companion utility that lets your Mac stream content to an Apple TV from apps besides iTunes. – on Yahoo! News: Security News

Posted in Security

Apple patches 15 QuickTime bugs in Leopard, Windows

Apple on Tuesday patched 15 vulnerabilities in its QuickTime media player for Windows and Mac OS X 10.5, aka Leopard. – on Computerworld Security News

Posted in Security


Apple QuickTime 7.6.9 Fixes 15 Vulnerabilities

A new version of Apple QuickTime fixes 15 vulnerabilities, nearly all critical.

All 15 fixes affect the Windows versions of QuickTime. 13 of them affect the Mac version as well.

14 vulnerabilities come from failure to handle maliciously-crafted input, either particular image types or movie files. These bugs could lead to remote code execution. A single Windows-only problem comes from improper permissions set on a QuickTime directory and can lead to unauthorized access of sensitive information.

Remember, if you run iTunes it is likely integrated with QuickTime. You may need to update that as well. Make sure to run Apple Software Update to check.

– on Security Watch

Posted in Security


Apple, Facebook, Adobe, Firesheep – 90 Sec Roundup – Nov 2010

Don’t just read the latest computer security news – watch it in just 90 seconds!

This month: Apple has all sorts of fun; Facebook decides its users are “inauthentic”; Adobe gets a sandbox to play in; and Firesheep puts you on notice.

Watch and enjoy:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Or listen to the podcast:

02 December 2010, duration 2:05 minutes, size 2.0MBytes

Download Podcast

Posted in Antivirus


Apple Mac malware: A short history

There’s been a lot of discussion in the media recently about the threat that malware poses on the Mac OS X platform. It’s clearly an emotive subject, with strongly held views on both sides.

To help some of the discussions, here’s a brief overview of some of the malware we have seen infecting Apple computers. From the early 1980s, right up until the present day, here are some of the highlights in the history of Apple Mac malware.

Mac virus timeline

1982
The first virus to affect Apple computers wasn’t written for the Macintosh (that iconic computer wasn’t to appear until 1984) but is of historic interest nonetheless.

In 1982, 15-year-old student Rich Skrenta wrote the Elk Cloner virus, capable of infecting the boot sector of Apple II computers.

On every 50th boot the Elk Cloner virus would display a short poem:

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!

It will stick to you like glue
It will modify RAM too
Send in the Cloner!

What may surprise some Apple fans is that the Elk Cloner boot sector virus predates IBM PC viruses by some years.

1987
The nVIR virus began to infect Macs, spreading mainly by floppy disk. Source code was later made available, causing a rash of variants.

1988
HyperCard viruses emerged that could run on versions of Apple’s Mac OS 9. One version showed the message “Dukakis for President” before self-destructing.

1990
The MDEF virus (aka Garfield) emerged, infecting application and system files on the Mac.

1995
Microsoft accidentally shipped the first ever Word macro virus, Concept, on CD ROM. It infected both Macs and PCs. Thousands of macro viruses followed, many affecting Microsoft Office for Mac.

1996
Laroux, the first Excel virus, was released. Mac users were unaffected by this new strain of macro virus until the release of Excel 98 for Mac meant they could become victims.

1998
Sevendust, also known as 666, infected applications on Apple Mac computers.

2004
The Renepo script worm attempted to disable Mac OS X security, downloaded hacking tools to affected computers, and gave criminals admin rights to the Apple Macintosh. Hackers also wrote a proof-of-concept program called Amphimix which demonstrated how executable code could be disguised as an MP3 music file on an Apple Mac.

2006
Leap-A, the first ever virus for Mac OS X, was discovered. Leap-A can spread via iChat.

The Inqtana worm and proof-of-concept virus soon followed.

A buggy proof-of-concept virus called Macarena appeared, written in Xcode. Every infected file contained the phrases "MachoMan - roy g biv" and "26/10/06".

2007
Sophos discovered an OpenOffice multi-platform macro worm capable of running on Windows, Linux and Mac computers.

The BadBunny worm dropped Ruby script viruses on Mac OS X systems, and displayed an indecent JPEG image of a man wearing a rabbit costume.

The first financial malware for Mac was discovered. The gang behind the attacks developed both Windows and Mac versions of their OSX/RSPlug-A Trojan horse.

Mac users can infect themselves by downloading and running a fake codec

The Trojan posed as a codec to help users view pornographic videos, but in fact changed the DNS server entries to direct surfers unwittingly to other websites.

2008
Cybercriminals targeted Mac and PC users in equal measure, by planting poisoned adverts on TV-related websites. If accessed via an Apple Mac, surfers would be attacked by a piece of Macintosh scareware called MacSweeper.


In June, the OSX/Hovdy-A Trojan horse was discovered that could steal passwords from Mac OS X users, open the firewall to give access to hackers, and disable security settings.

Troj/RKOSX-A was discovered – a Mac OS X tool to help hackers create backdoor Trojans, which can give them access to and control over your Apple Mac computer.

In November, Sophos warned of the Jahlav Trojan. As in other malware campaigns, cybercriminals created a bogus webpage claiming to contain a video. Visiting the site produces a message saying that you don’t have the correct codec installed to watch the video – whereupon the site offers you an EXE if you run Windows, and a DMG (Disk Image) file if you are using an Apple Mac.

Controversially, Apple issued a support advisory urging customers to run anti-virus software – but after media interest, rapidly deleted the page from their website.

2009
In January 2009, hackers began to distribute the OSX/iWorkS-A Trojan horse via BitTorrent inside pirated versions of Apple’s iWork ’09 software suite.

In the same month, a new variant of the Trojan was distributed in a pirated version of Adobe Photoshop CS4.

In March, Sophos reported on how hackers were planting versions of the RSPlug Trojan horse on websites, posing as an HDTV program called MacCinema.

In June, SophosLabs discovered a new version of the Tored email worm for Mac OS X, and hackers planted a version of the Jahlav Mac Trojan horse on a website posing as a portal for hardcore porn videos.

Shortly afterwards, the Twitter account of celebrity blogger Guy Kawasaki had a malicious link posted onto it, claiming to point to a sex video of Gossip Girl actress Leighton Meester. In reality, however, the link led unsuspecting users to malware which could infect Mac users.

Meanwhile, Apple finally began to introduce some rudimentary anti-malware protection into Mac OS X.

Although it wasn’t really equivalent to a true anti-virus product (it only protected against a handful of Mac malware, didn’t defend you if you tried to copy an infected file from a USB stick, for instance, and didn’t offer clean-up facilities), it was still encouraging to see some attempt to offer more protection for Mac users.

2010
The OSX/Pinhead Trojan (also known as HellRTS) emerged.

The backdoor Trojan horse can allow hackers to gain remote control over your treasured iMac or MacBook.

Once again, the malware was distributed disguised as a legitimate application – in this case, iPhoto, the photo application which ships on modern Macs.

More recently, the Boonana cross-platform worm appeared, using a Java applet to target not just Windows computers for infection, but Mac OS X and Linux too.


Sophos detects various components of the attack as Troj/Boonana-A, Troj/KoobStrt-A, Troj/KoobInst-A, Troj/KoobCls-A, Troj/Agent-PDY, Troj/DwnLdr-IOX, and Troj/DwnLdr-IOY. In addition, Sophos’s web protection blocks access to the malicious webpages.

Also in 2010, Sophos issued a free home user version of its anti-virus for Macs. We have been protecting business customers who have Macs for years, and now there was a chance for home Mac users to protect themselves against the threat too.

Early reports indicate that there are plenty of Mac users with malware on their computers – some of it is Windows malware, some Mac OS X, and some cross-platform.

There’s no doubt that the Windows malware problem is much larger than the Mac threat – but that doesn’t mean that the danger of malware infection on Mac OS X is non-existent.

Posted in Antivirus


Apple Discloses 85 Security Fixes in Latest iOS Update

Just when you think they can’t pull another one off, Apple does it again. No, we’re not talking about killer consumer electronics products, we’re talking about security updates of record-setting girth.

Only 45 of the 85 vulnerability fixes described in Apple’s latest iOS security advisory apply to the new iOS 4.2 version. iOS 3.2 through 3.2.2 for iPad incorporates another 40 fixes on top of those. 8 of the vulnerability fixes for iOS also affect Apple TV and are fixed in the new version 4.1 of that product.


It’s always fun to look for the oldest vulnerability listed by Apple, and this update is no exception. CVE-2009-1707, revealed to the public on 6/10/2009 and only fixed today, describes an error which could allow a user with physical access to the device to view stored web site passwords. It’s not the most serious bug, but more than 17 months is a long time.

But many of the other vulnerabilities are classic critical bugs where reading a file can lead to remote code execution. Normal users run in a less privileged mode, but combined with CVE-2010-3830 (“Malicious code may gain system privileges“), a more severe compromise is possible.

Time to go to iTunes and apply updates.

– on Security Watch

Posted in Security

Apple Releases Vast OS X Security Update

Apple released today an update to OS X of possibly unprecedented proportions, addressing 131 separate vulnerabilities, one over 2 years old.

View full post on PCMag.com Security Coverage

Posted in Security

Apple smashes patch record with gigantic update

Apple this week patched a record 134 Mac OS X vulnerabilities, easily topping the previous record of fixing 90 flaws in March.

View full post on Computerworld Security News

Posted in Security


Apple Releases Massive OS X Security Update

Apple released today an update to OS X of possibly unprecedented proportions, addressing 131 separate vulnerabilities, one over 2 years old.

55 of the vulnerabilities, including the one first revealed in October 2008, were for the Flash Player plug-in, proving once more that it’s a mistake to wait for Apple for such updates.

The age of some of the vulnerabilities is staggering. In addition to the one from 2008, 7 were first revealed in 2009. A much more recent one (though far from the most recent), CVE-2010-1797, was fixed 3 months ago in iOS, leaving OS X users badly exposed in the meantime.

The update mixes fixes to Apple code with fixes to common UNIX software such as X11, PHP and OpenSSL. For instance CVE-2009-0796, found in February of 2009, is a cross-site scripting bug in the mod_perl Apache module.

The update is designated Security Update 2010-007 for OS X 10.5 and brings 10.6 up to 10.6.5.

View full post on Security Watch

Posted in Security

Hacked Apple TV Gets Plex App (PC World)

PC World – It was only a matter of time before tinkerers had their way with the hackable Apple TV, with one hacker making a custom weather app. Now, someone else has come along and added Mac media center Plex to the set-top box.

View full post on Yahoo! News: Security News

Posted in Security

Apple sues Motorola over patents in mobile phones

Apple filed two lawsuits against Motorola and Motorola Mobility late Friday in a US federal court, claiming violations of its patents in multiple Motorola cell phones, including the Droid line.

View full post on Computerworld Security News

Posted in Security


Apple to Unbundle Flash and Terminate Java From OS X

Two of the greatest security exploit magnets of recent years will no longer be bundled with Apple’s Mac OS.

Adobe’s Flash has been bundled with OS X for some time and Apple has long had their own distribution of Oracle’s Java, also included with the OS. Apple’s Java is officially history as of Lion, the next release of Mac OS, and indications are that Flash will no longer be included. In fact, this may be a serious problem for all Java client development, not just on the Mac.

The first news of this came last week, when someone noticed that Apple had announced to developers that the Java included in OS X 10.6 Update 3 would be the end of the road. In industry terms, Java has been “deprecated,” meaning that it will no longer be supplied or supported. Apple will continue to support the current implementation for as long as it supports the OS on which it runs, but “[D]evelopers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X.”

Like many other hardware vendors, Apple has always provided their own implementation of Java, and in fact (as quoted here in his own blog) Father of Java James Gosling says that it’s that way because Apple insisted on it. But now it seems that Apple doesn’t want to bother anymore. From a security standpoint, it’s understandable. Apple was always far behind the standard Oracle Java in terms of new versions and especially security updates.

As for Flash, an Apple spokesperson told Daring Fireball that future Mac products won’t include a Flash player. Users are instructed to get it from Adobe directly (see http://get.adobe.com/flashplayer). Reports are coming in that the newest MacBook Air does not have a Flash player included, so this change has already begun.

So if you’re a Flash developer concerned about your users, this is a problem but not a major one. As with Windows and Linux, you’ll just have to make sure to tell users where to get Flash (repeat: the answer is always http://get.adobe.com/flashplayer).

Better still, tell your users to switch to Google Chrome and to keep it updated. They will always have the most recent copy of Flash. Apple just made Chrome clearly the best choice for browsing on Mac OS.

If you’re a Java developer concerned about your Mac users, you may have a big problem. According to Simon Phipps, the former head of open source at Sun and a current board member with the Open Source Initiative (OSI) as quoted here in The Register, Apple owns their own implementation of Java and isn’t obligated to share it with Oracle. Crucially, Phipps adds that the Apple Java port relies on a great deal of intimate OS X knowledge and that it relies on unpublished APIs. Recreating a quality Java for the Mac would be a difficult task for an outsider. Phipps says that there is a Mac port of the open source OpenJDK, but I can’t find it on the OpenJDK site. In any event, Phipps says it sucks.

I asked Oracle several days ago whether they planned to release their own Java for the Mac. They have not responded to my inquiry.

View full post on Security Watch

