Apple has pushed out the fixes for the Java remote code vulnerabilities Oracle patched earlier this month, including a "serious" flaw that allowed Java applet code to escape from the sandbox and run as if it were a local, trusted program.
Apple has pushed out the
fixes for the Java remote code vulnerabilities Oracle patched earlier this
month, including a "serious" flaw that allowed Java applet code to escape from
the sandbox and run as if it were a local, trusted program.
Apple pushed out a Mac OS X
update patching 11 Java vulnerabilities. Oracle fixed these bugs 20 days ago.
The Java for Mac OS X update
fixed various vulnerabilities in Mac OS X, Apple said in its
knowledgebase article June 28.
The update addresses the long list of Java vulnerabilities Oracle patched for
all other systems as Java SE 6 1.6.0_26 on June 8.
The Mac update patched
several remotely exploitable vulnerabilities that can be triggered while
browsing to launch drive-by attacks. In this particular attack, cyber-criminals
can trick browsers and PDF readers into downloading and running malicious code
without notifying the user or popping up any warning messages. The most
"serious" vulnerability addressed in this update allowed Java applet
code to escape from the sandbox and run as if it were a local, trusted program
with the privileges of the current user, Apple said.
"That's never supposed
to happen, and it's always bad," Paul Ducklin, head of technology at
Sophos, wrote on the
NakedSecurity blog.
Java uses sandboxes to
isolate scripts and applications so that they cannot influence each other or
the operating system. A program breaking out of the sandbox and running locally
is a serious security risk.
The 11 vulnerabilities
covered a range of Java capabilities, including Swing, networking and sound.
Almost all of them were remotely exploitable. Mac OS X users are strongly urged
to install the latest update, since the vulnerabilities are well-known and can
be exploited.
The fixes are available for
OS X 10.6.6 "Snow Leopard"
and later as well as for
OS X
10.5.8 "Leopard." The Snow Leopard update is a 75.45MB download,
while the Leopard update weighs 120.33MB. Users must quit any Web browsers and
Java applications before installing the updates.
Apple on June 23 released a
huge set of security updates and enhancements to Snow Leopard via OS X 10.6.8
to "prepare" for Mac OS X 10.7, code-named "Lion," which is
expected sometime next month.
Apple packages the JDK (Java
Development Kit) with the OS X operating system and, as such, updates Java
through its own software update process, instead of leaving it up to Oracle,
which currently manages updates for Windows, Linux and Solaris systems.
"You can download the
latest updates for Linux, Solaris and Windows-and even for the esoteric Itanium
processor-but there's no offering for OS X users of any stripe," Ducklin
said.
Apple announced last year
that it will "deprecate" Java, which currently ships with Mac OS X.
Apple will no longer maintain Java on future versions of Mac OS X, the company
wrote in the release notes back in October. Oracle is expected to start
supporting Java for the Mac once it releases Java 7 instead of relying on Apple
to release fixes through Software Update. Apple is expected to maintain Java SE
6 for Mac OS X Snow Leopard for the time being.
Apple also blocks Java applications
from its Mac App Store because it uses "deprecated or optionally installed
technologies," according to the store's guidelines.
Email
Print
