
Summary:

Apple recently introduced software updates and a removal tool for the “Flashback” threat on Macs. If you are running Apple’s current desktop OS, Lion 10.7.3, or the previous release, Snow Leopard 10.6.8, Apple’s got you covered. For anything older, Apple’s recommendation is to disable Java. That’s wrong, and here’s why.


Apple recently introduced multiple software updates and a removal tool for the “Flashback” threat, which takes advantage of an exploit in Java on Macs. For users of the current version of Apple’s desktop OS, Lion 10.7.3, and the previous OS, Snow Leopard 10.6.8, Apple’s got you covered. For anything older than that, Apple’s current recommendation is to disable Java. That’s wrong, and here’s why.

Apple’s “solution” of disabling Java on versions prior to Snow Leopard isn’t realistic for users who still intend to keep their Mac on the Internet, since web-based Java is still popular, especially for proprietary corporate applications. If you are on a Leopard (10.5) or older system, Apple’s solution means that you could try to enable Java only while you are using websites that require it and then immediately turn it off afterward (a common example is remote control programs such as GotoMyPC and Logmein). To be fully secure, though, the better solution is to upgrade your OS. However, upgrading your Mac’s OS could introduce incompatibilities with existing software that will require further costs to upgrade. Plus, if a user hasn’t yet upgraded to Snow Leopard — an admittedly old OS — they may have a good reason for not doing so.

Apple updates its operating system at a much faster pace than Microsoft. Leopard was superseded by Snow Leopard in August 2009 and Windows XP was superseded by Vista in November 2006, yet Microsoft is still providing critical security updates for XP until April 2014. Microsoft is providing more security updates for more versions of their operating system while Apple is starting to abandon users after less than three years.

To be fair, a majority of Mac users have already moved to either Snow Leopard or Lion, according to estimates from Net Market Share, so most Mac users will be protected from this security flaw after installing Apple’s latest updates. Windows XP, meanwhile, is still on a majority of PCs according to that same study, even though its successor, Windows 7, was released in July 2009. Microsoft is doing this right by continuing to provide security updates for its older operating systems, which makes sense given Microsoft’s constant battle with malware over the years. But Apple isn’t.

With Apple’s accelerated OS release cycle, leaving Leopard’s Java security unsupported after less than three years is unfair to users and a potential class action lawsuit waiting to happen since Apple’s extended warranty (AppleCare) is designed to support the Mac for three years. That MacBook you bought in May 2009 has a problem that Apple knows about, and Apple’s solution is to simply disable portions of the OS provided by Apple for your computer.

At the very least, Apple should be required to either patch a security flaw in any computer still under AppleCare or provide a free update to a currently supported version like they are doing for MobileMe users. Two years is simply too short of an upgrade cycle to expect users to keep up with in order to maintain the security of their systems.

If Apple continues this “current and previous version” approach towards security, Snow Leopard users are going to miss out on security updates when Mountain Lion 10.8 comes out this summer, only two years after they upgraded to Snow Leopard. Apple needs to step up to the plate and provide security updates for at least three years — otherwise Mac users could be more secure wiping an older Mac OS on that Intel-based Mac and installing Windows XP instead! At least then they’ll have until April 2014 before their computer turns into an unsecured ticking time bomb.

  1. Good article Dave. Hopefully vulnerabilities such as this and recent trojans such as Flashback will help people get past the myth that their system is 100% secure simply because they are using a Mac. It is only after the user community pressures Apple that Apple will take these risks seriously, and unfortunately, in order for the user community to take notice, there are going to have to be some high-publicity malware attacks. Flashback likely will only be the first of these.

    As you noted, Microsoft learned these lessons years ago and this was simply in response to the wide-spread perception that Microsoft products are not secure (a well-earned perception at the time, mind you).

    Users can no longer rest assured that their systems and information are not at risk simply because they are not using a Microsoft product. This will make standard security practices such as OS patching (when available), software patching, AntiVirus, and safe web browsing habits that much more necessary for MacOS users.

  2. Jars and classes can easily be filtered by the corporate proxy, and you can choose not to tell the proxy location to Java Web Start on the Mac, thereby limiting its view to the corporate intranet. In general nobody is using applets in the browser, even diehard Java dudes; it is so nineties!

  3. While I am not a fan of government overreach, this is an issue which has been bothering me for more than a decade. It is time for the electronics industry (not just the computer industry) to be required to provide both hardware and software support for a minimum of 10 years after a product is discontinued. This is similar to the automobile industry which offers a minimum 10 year support life. This will reduce the amount of electronic “trash” generated every year as consumers will be able to keep their systems operational for a longer period of time.
