
Apple Drops Java in Latest OS X Security Release

Posted on October 23rd, 2012 by

Apple takes security very seriously, we all know that. Macs have long been advertised as being immune to viruses, immensely secure for browsing the web, and even resistant to attackers with direct access to the machine. While some of these claims have since been discredited, it certainly is true that Apple is very conscious of user security and data protection. We’ve seen Apple go even further in recent releases of FileVault (FileVault 2 was released with OS X 10.7 Lion, and enhanced security over the previous version, locking encryption to the Home Folder level) and other core aspects of both the Mac operating system and iOS (iOS 6 is the most secure release to date, and includes an almost hermetic level of protection against hackers). To that end, Apple has recently pulled Java from OS X in an effort to close some of the loopholes that potential attackers could use to compromise a Mac.

To truly understand Apple’s relationship with Java, and why this most recent action should come as no surprise, we must look at a brief history of OS X and Java and how they have grown together. Apple takes security so seriously, in fact, that for the last several years it maintained its own builds of Java which were deployed across the Mac platform. This means that Apple engineers had to constantly maintain the code of another company (Oracle) to keep a competitive level of parity with the Windows and Linux platforms.

Almost to the day, two years ago, Apple announced that they would no longer be supporting Java on the Mac (following the release of Java SE 6 1.6.0_22), and since then, Java releases on the Mac have slightly lagged behind Oracle’s general releases. Oracle acquired Sun Microsystems in April 2009, and with it, gained the rights to Java, an immensely popular language that ran across almost every platform, and guaranteed that developers could write code once and deploy it across a variety of devices. When Apple released the iPhone in 2007, it shunned Java and made Cocoa Touch the only available method for deploying native apps to their platform.

Apple has moved away from Java gradually for a variety of reasons, but most recently, it has done so because *it can*. Having gained its critical mass of 15-20% market share in late 2009, Apple no longer needed to fight for the attention of developers, and could set more stringent requirements on apps (the latest edition of this walled garden showing up in the Mac App Store requirements on Sandboxing and API restrictions). Java has always been a bit of a back door for hackers and Apple is over it. Their message last week was loud and clear: if you want to be vulnerable, it’s your choice, but Apple will no longer support a language and platform that leaves their users at risk.

Apple’s messaging was quite terse. It seems they are driving the point home to Oracle, as they did with Adobe, that they have no interest in providing compatibility with other closed software systems simply because it’s expected of them, if those systems are not going to provide a compelling case for their users. Java’s time may be running out with the Mac community.

As with most things, you can always go download Java as a standalone product and continue to browse the web as you have always done, but if Apple was able to condemn Flash to the edges of the web in only a few short years, we may see a repeat performance with Java. Java developers take note: Android may soon be your last stronghold of relevance. Only time will tell.

  • Brian Ring

    “Apple takes security very seriously, we all know that.”

    You lost me already – I didn’t even bother reading the rest of this article. Ask Charlie Miller how seriously they take security.

    Apple’s security (lack of) response is legendary in its history of fail.

    • Kathy Artic

      An exploit to bypass the improvements to ASLR and other runtime security mitigations in Windows 8 and IE 10 was available less than a week after the day of the release of the new Windows OS.

      The team that disclosed the exploit is the same group that defeated IE 9 running on Windows 7 at the last pwn2own targeting browsers.

      Safari running on Lion was not compromised at that event. No methods to bypass the runtime security mitigations in Lion/ML have been disclosed.

      The mitigations in OS X are derived from runtime security mitigation found in Linux. No methods to bypass the mitigations in Linux with only remote access have been demonstrated as well.

      The major difference in mitigations between these Unix based operating systems and Windows is position independent executables (PIE). DLLs in Windows are pre-mapped at boot and the offset between the different DLLs is known. The beginning load address for the DLLs is random but the order is not. This isn’t the case in Mac OS X and Linux due to PIE; both the location and order are random.

      So, the layout of DLLs is revealed via a memory disclosure exploit. Knowing this layout allows ROP payloads to be produced that facilitate bypassing other runtime security mitigations, such as DEP.

      Also, Windows provides two vectors to achieve arbitrary code execution once runtime security mitigations have been defeated. These vectors are return address and structured exception handler (SEH) overwrites. OS X and Linux don’t have SEH and, therefore, don’t provide that vector. Having two vectors to achieve arbitrary code execution increases the number of vulnerabilities that are exploitable.

      Mitigations, such as SEHOP, are in place to prevent SEH overwrites but these mitigations are bypassed via essentially the same methods used to bypass the mitigations (ASLR & DEP) used to prevent return address overwrites.

      Until Windows includes PIE, attackers will be able to produce reliable remote exploits against Windows.
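The comment above rests on whether a main executable was linked with the MH_PIE flag, which is what lets OS X randomise its base address. As an added defender-side check that is not part of the original post or any comment, the Python below reads the Mach-O header and reports the file type and PIE flag; the constants come from <mach-o/loader.h>, and the sample headers are constructed inline rather than taken from real binaries.

```python
import struct

# Mach-O header constants from <mach-o/loader.h>.
MH_MAGIC    = 0xFEEDFACE   # 32-bit image
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit image
MH_EXECUTE  = 0x2          # filetype: main executable
MH_DYLIB    = 0x6          # filetype: shared library
MH_PIE      = 0x200000     # flags bit: load the executable at a random base address

def macho_header_info(data: bytes):
    """Return (filetype, is_pie) for the thin Mach-O image starting in `data`.

    Only the fixed-size header (first 28 bytes) is read, so `data` may be a
    prefix of the file. Raises ValueError for fat or non-Mach-O input.
    MH_PIE only governs main executables (MH_EXECUTE); dyld relocates
    libraries regardless, so callers should look at the filetype too.
    """
    if len(data) < 28:
        raise ValueError("too short to hold a mach_header")
    # The magic is stored in the image's own byte order; try both.
    if struct.unpack("<I", data[:4])[0] in (MH_MAGIC, MH_MAGIC_64):
        order = "<"
    elif struct.unpack(">I", data[:4])[0] in (MH_MAGIC, MH_MAGIC_64):
        order = ">"
    else:
        raise ValueError("not a thin Mach-O image (fat or unknown magic)")
    # Fields: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    _, _, _, filetype, _, _, flags = struct.unpack(order + "IiiIIII", data[:28])
    return filetype, bool(flags & MH_PIE)

def _sample_header(magic, flags, filetype=MH_EXECUTE, order="<"):
    # Constructed sample header with no load commands; cputype is x86_64
    # throughout because only the magic, filetype and flags matter here.
    fields = [magic, 0x01000007, 3, filetype, 0, 0, flags]
    if magic == MH_MAGIC_64:
        fields.append(0)  # mach_header_64 has a trailing reserved word
    return struct.pack(order + "IiiIIII" + ("I" if len(fields) == 8 else ""), *fields)

# Constructed inputs, not real binaries: flag sets typical of OS X executables.
PIE_EXECUTABLE     = _sample_header(MH_MAGIC_64, 0x00200085)  # NOUNDEFS|DYLDLINK|TWOLEVEL|PIE
NON_PIE_EXECUTABLE = _sample_header(MH_MAGIC_64, 0x00000085)
PPC_BIG_ENDIAN     = _sample_header(MH_MAGIC, 0x00000085, order=">")  # 32-bit, big-endian
NON_PIE_DYLIB      = _sample_header(MH_MAGIC_64, 0x00000085, filetype=MH_DYLIB)

if __name__ == "__main__":
    for name, blob in [("pie exe", PIE_EXECUTABLE), ("non-pie exe", NON_PIE_EXECUTABLE)]:
        print(name, macho_header_info(blob))
```

To audit a real machine, feed the function the first 32 bytes of each executable under /Applications and flag any MH_EXECUTE result whose PIE bit is clear; universal (fat) files need their per-architecture slices extracted first.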

  • Jeffrey Goldberg

    When I first saw that Apple was no longer maintaining Java browser plugins, I had the opposite reaction that you’ve argued for here. (Though I am coming around to your position.) Let me first outline what I thought was going on, then discuss why I was probably wrong and you are probably right.

    Apple knows that the malware threat on OS X is increasing, but one (of several) reasons why OS X has not been hit as badly as I’d predicted over the years (you see, I already have a terrible track record in predicting these things, so I’m probably just adding to it) is that compared to Windows users Apple users are better at keeping their software up to date. Part of this is because it is simply simpler for people who just need to know that Apple is where their whole “system” comes from. Windows users have things split between their hardware vendor (and the crapware they install) and Microsoft. It’s not as clear to them where they go for updates and support.

    Anyway, I’ve argued that Apple has been building on this strength, particularly in introducing the Mac App Store. This dramatically increases the ease of people keeping their system and software up to date. And keeping system and software up to date is probably the single biggest thing people can do for their security.

    In this light, I’d seen Apple providing Java as part of having a single source for important updates. If Apple pushed out Java plug-in updates people would be more likely to have fully patched Java in their browsers. We all know that Apple spectacularly dropped the ball on this a year ago, and as a result Flashback found a way to spread and infect more than half a million Macs.

    Apple does learn from its mistakes and as I saw it, they were forced to do one of two things. They would need to expand their Java team to be able to be very quick at getting fixes to users or they would have to wash their hands of maintaining Java for users. I saw their decision as the latter. But by washing their hands of Java updates, they left people to their own devices to keep this important software up to date. I saw that as a retreat from the “we will make it as easy as possible for you to keep your system up to date”.

    I wasn’t blaming them for this decision. I see why it had to be made, but I nonetheless saw it as a retreat and a disservice to customers.

    Your article gives me a bit of a different perspective and a different context for looking at the move. My anger at Apple’s Java updating failure last year may have been coloring my view of things.

    A lot of what I say about different update habits draws on my perspective of the Mac malware landscape, which I wrote about in a somewhat rambling post here last May:


    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

  • James Katt

    Without JAVA, there will be fewer Android programmers coming from the community of Apple customers.

  • LysaMyers

    These are some incredibly insightful comments. Thank you all for sharing! Good food for thought.