
What's new pussycat...
they're always lagging.
Apple is once again playing security catch-up to the rest of the computing world, this time with an update for the Leopard version of its Mac operating system that patches critical holes in Java that were fixed on competing systems 29 days ago. The patch updates Leopard to Java versions 1.6.0_15, 1.5.0_20, and 1.4.2_22, which …
Wow, where to begin? This article is so one-sided that I’ve decided to finally give in and create an account to respond.
Let’s start with the title. Since “security lags” doesn’t mean much without context I’m left no choice but to believe that the title was chosen simply for shock value. Pity.
Now onto the arguments. The first one states that Macs are safer because few malware programs target them. This is true. Unfortunately the article veers off course from here by assuming that this is because of OSX’s lesser market share.
The most obvious problem with this argument is that it is unprovable. It assumes the intentions and motivations of malware authors. Unless The Register spoke with every malware author on the planet there is no way to know with absolute certainty why these authors target Windows OS’s.
Sure, we can guess (though I would assert that an article titled to suggest being factual isn’t the place for it) but I find it curious that when left to do so The Register chose market share over simple vulnerability counts. My sensibilities tell me that the sheer number of remotely exploitable vulnerabilities found for Windows versus those for OSX might be a more likely reason for Windows to be the more common target. But I would never state that as fact because I simply can’t know the truth.
Although we can set aside this argument on the basis of its unprovability alone, I’ll offer another in the form of an example: Apache vs. IIS.
Apache has roughly twice the market share of IIS (and it used to have much more) yet as far as I can recall there has never been a devastating Apache exploit. Need I mention some of the immeasurable damage done to servers across the world as a result of IIS exploits? I’m sure you’ve heard of them but if not just Google “code red.”
Before I move on, one more small point about market share: OS 8, 9 etc had even less market share yet they had their share of malware. If Mac-based OS’s are a fruitless target why would these versions have any at all? That’s right, it’s because they had inferior architectures.
Next, the article states:
Frankly, an operating system can lack all of Windows’ security features and still be more secure. Do you really think, Mr. Miller, that the ways Microsoft devised to plug up the holes in its software are the only way to secure an operating system? I can confirm that they are not.
This is like making a safe out of cardboard, lining the inside with glass, then disparaging metal safes because they don’t have a layer of glass.
I’m not saying that ASLR isn’t a good thing to have anyway but without any currently known remote exploit (and barely any of any other kind) it’s hardly reason to go around planting seeds of distrust is it?
Apple has been writing graphical operating systems for longer than Microsoft, and Windows has always had more malware. I don’t see any “disconnect in their marketing department” either - marketing tells us that OSX is more secure than Windows and that is true.
I could go on but this is too lengthy as it is. I’d be glad to discuss it further though if you care to respond.
When we all know that Steve's Reality Distortion Field extends to every Mac on the planet keeping all malware at bay. It's quite clever actually, just like in World War 2 when the British Navy poured green and blue paint into the sea when there were U-boats around. This affected the German periscopes so, thinking they were still under water, kept rising and were shot down with anti-aircraft guns. Personally, I would ban Java altogether. Who needs it?
When there's anything more worrying than a few Mac trojans - which I can't get unless I download illegal software from dodgy sites, which I'm not going to do - then I'll start taking these articles a bit more seriously. In the meantime, I can quite happily use my Mac without needing to install any anti-malware software at all. So their marketing department is currently perfectly justified in making its claims about Macs being more secure than Windows.
How many times have you downloaded a rogue jar file and double clicked on it?
How often do you see Java applets on websites? Facebook's photo uploader is about the only one I can think of.
Other operating systems aren't automatically updated with Java patches anyway. Apple supplies their own Java SDK as they tweak the look of Swing/AWT to look like a native application.
Many products supply old JVMs and don't automatically update. Oracle being one of them. Eclipse IDE and so on...