Mac Hacker’s Handbook Author Says Apple Dropping In-House Java Makes The Mac Less Secure



When Steve Jobs was asked why Apple was deprecating in-house Java development for OS X, he explained: “Sun (now Oracle) supplies Java for all other platforms. They have their own release schedules, which are almost always different than ours, so the Java we ship is always a version behind. This may not be the best way to do it.”

Yesterday, Apple announced how it planned on passing the Java torch back to Oracle: they would be partnering together for the OpenJDK project to make sure that both Oracle and the open source dev community had the tools they needed to keep Java on the Mac alive past Java SE6.

Ostensibly, Apple’s move to deprecate Java would be good for Mac security, in that users will no longer be forced to wait for Apple to update its home-baked Java when Oracle fixes security vulnerabilities in its own build.

According to Charlie Miller, co-author of The Mac Hacker’s Handbook, though, this may make the Mac even less secure than it was before.

“This is what people on Windows have done, and I think history shows that people aren’t very good at keeping these up to date,” said Miller in an e-mail reply to questions about Apple deprecating Java. “Until now, out of the box, the browser could handle just about anything since Java and Flash were installed. Just updating the OS kept these up to date. [In the future], the browser won’t handle many popular sites and if you download the plug-in, you have to worry about it getting out of date.”

I hear his point. Ultimately, the most secure solution here would be for Apple to release Java security fixes at the same time as Oracle. He’s right: users aren’t good at updating their machines. That said, Java isn’t Apple’s product, and it’s understandable that they are unwilling to continue throwing resources at keeping their own build up-to-date.

The bottom line is that Apple’s move to deprecate Java will make Macs more secure… but only if the user of that Mac is security-minded and keeps Java up-to-date. Whether that will make the Mac ecosystem secure as a whole has a lot to do with how good people are about making sure they stay on top of the updates.