Apple Swats Old Java Bug
It took a while, but Apple has finally fixed a security flaw in the Java applets that ship with the Mac OS X operating system.
The patch for the vulnerability comes roughly three weeks after proof-of-concept exploit code leaked out in an effort to force Apple into fixing the issue.
The bug, CVE-2008-5353, enables malicious code to escape the Java sandbox and run commands with the permissions of the user. As a result, untrusted Java applets can execute arbitrary code by visiting a Web page hosting the applet.
While the proof-of-concept code appeared only a month ago, the security hole had been an open for much longer. First reported to Sun Microsystems last August, the vulnerability was patched by the company months ago. However the JVMs Apple was shipping with its operating system remained vulnerable to attack.
When reports of proof-of-concept code began circulating, security researchers recommended users consider disabling Java in their Web browsers until a patch was ready.
More information about the patch is available here in the Apple support document.