Apple finally issued 16 Java fixes for Leopard and Snow Leopard versions of Mac OS X. Oracle patched the vulnerabilities almost a month ago.
Apple patched 27 Java
vulnerabilities in its latest update to close security flaws that allowed
malicious Java applets to execute outside the browser.
Apple shipped a security
update that closed Java vulnerabilities in Mac OS X 10.5 (Leopard) and Mac OS X
10.6 (Snow Leopard) on March. 8. Some of the bugs could be exploited to
"execute arbitrary code" outside the Java sandbox, according to Apple's release notes
. "Visiting a Web
page containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user," Apple wrote
in the notes.
The bugs were all part of a
group of "unspecified" vulnerabilities identified in the Java run time that
affected various local and networking components, according to details posted
on the National
. One of the security flaws allowed untrusted Java
applets to create domain name resolution cache entries, which would result in
DNS (Domain Name System) cache poisoning, according to an Ubuntu security advisory
for these bugs.
Others included not properly
setting up environment variables to invoke the correct libraries, giving remote
attackers user privileges when loading a badly formed class file and allowing
the Swing library to bypass SecurityManager checks, the Ubuntu advisory said.
These issues would have allowed malicious hackers to run external code on the
computer. Another bug would have allowed a remote attacker to execute a denial
of service attack, according to Ubuntu.
Apple patched 16
vulnerabilities in Java SE 6 and 11 in Java SE 5
for the Leopard
operating system, and 16 bugs in Java SE6 for Snow Leopard. The Java updates,
which range between 75MB and 120MB in size, can be downloaded and installed
from the Apple site or using the integrated update service on Mac OS X.
This was Apple's first Java
update since Oct. 19, 2010, when it announced it wouldn't include Java in
future versions of Mac OS X, starting with 10.7 Lion, expected this summer.
Instead of having the Java run time bundled into the operating system from the
onset, OS X will go to the Oracle Website and download the latest version of
the run time only if the user tries to run a Java application.
The Mac version of Java SE 7
will be based on Oracle's
, and Apple will provide "most of the key components, tools and
technology required for a Java SE 7 implementation on Mac OS X," the
In the past, Apple has faced
a lot of criticism for being a few months behind Oracle and other platforms
with its Java updates. In fact, Oracle previously patched the same bugs in Java
SE 6 as part of its 1.6.0_24 update on Feb. 15. Oracle also patched the holes
in Java SE 5 with its 1.5.0_28 update.
The lag time often exposed
Mac users who remained unprotected after the vulnerabilities were publicized
and other platforms had already fixed the issues, according to Dino Dai Zovi, a
security consultant with Independent Security Evaluators and co-author of The
Mac Hacker's Handbook.