Apple patched 27 Java vulnerabilities in its latest update to close security flaws that allowed malicious Java applets to execute outside the browser.
Apple shipped a security update that closed Java vulnerabilities in Mac OS X 10.5 (Leopard) and Mac OS X 10.6 (Snow Leopard) on March 8. Some of the bugs could be exploited to “execute arbitrary code” outside the Java sandbox, according to Apple’s release notes. “Visiting a Web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user,” Apple wrote in the notes.
The bugs were all part of a group of “unspecified” vulnerabilities identified in the Java run time that affected various local and networking components, according to details posted on the National Vulnerability Database. One of the security flaws allowed untrusted Java applets to create domain name resolution cache entries, which would result in DNS (Domain Name System) cache poisoning, according to an Ubuntu security advisory issued for these bugs.
Others included environment variables not being set up properly to invoke the correct libraries, remote attackers gaining user privileges when a badly formed class file was loaded, and the Swing library being able to bypass SecurityManager checks, the Ubuntu advisory said. These issues would have allowed malicious hackers to run external code on the computer. Another bug would have allowed a remote attacker to carry out a denial of service attack, according to Ubuntu.
Apple patched 16 vulnerabilities in Java SE 6 and 11 in Java SE 5 for the Leopard operating system, and 16 bugs in Java SE 6 for Snow Leopard. The Java updates, which range between 75MB and 120MB in size, can be downloaded and installed from the Apple site or using the integrated update service on Mac OS X.
This was Apple’s first Java update since Oct. 19, 2010, when it announced it wouldn’t include Java in future versions of Mac OS X, starting with 10.7 Lion, expected this summer. Instead of having the Java run time bundled into the operating system from the outset, OS X will go to the Oracle website and download the latest version of the run time only if the user tries to run a Java application.
The Mac version of Java SE 7 will be based on Oracle’s OpenJDK, and Apple will provide “most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X,” the company said.
In the past, Apple has faced a lot of criticism for being a few months behind Oracle and other platforms with its Java updates. In fact, Oracle previously patched the same bugs in Java SE 6 as part of its 1.6.0_24 update on Feb. 15. Oracle also patched the holes in Java SE 5 with its 1.5.0_28 update.
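Because the article's point is that Mac users lagged behind the Oracle fix levels, the practical check an administrator wants is whether an installed runtime is at or above the update that carried the fixes. The script below is an added example, not code from the article, Apple or Oracle. It parses the text that `java -version` prints and compares it against the Java SE 6 and Java SE 5 fix levels the article names for Oracle (1.6.0_24 and 1.5.0_28); using those Oracle numbers as the baseline for an Apple-built runtime is an assumption, since Apple's builds carry their own build suffix after the version string. The sample outputs are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the article): decide whether a Java runtime's
# reported version is at or above the fix level the article cites for
# Oracle's Java SE 6 (1.6.0_24) and Java SE 5 (1.5.0_28) updates.

# Fix levels quoted in the article for Oracle's updates. Assumption: an
# Apple-built runtime that reports the same "1.6.0_24" string carries the
# same fixes (Apple appends its own build id after the version string).
FIX_LEVEL_JAVA6="1.6.0_24"
FIX_LEVEL_JAVA5="1.5.0_28"

# Turn a version string such as 1.6.0_24 into four space-separated numbers
# "1 6 0 24", padding missing fields with 0 so 1.6.0 reads as 1 6 0 0.
java_version_tuple() {
    v=$(printf '%s' "$1" | tr -d '"' | tr '._' '  ')
    set -- $v 0 0 0 0
    printf '%s %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Return 0 if version $1 is greater than or equal to version $2, else 1.
# Compares field by field: major, minor, patch, then the _NN update number.
java_version_ge() {
    set -- $(java_version_tuple "$1") $(java_version_tuple "$2")
    for _ in 1 2 3 4; do
        [ "$1" -gt "$5" ] && return 0
        [ "$1" -lt "$5" ] && return 1
        shift
    done
    return 0
}

# Extract the quoted version from the output of `java -version`. The text
# is passed in as an argument (it normally arrives on stderr) so the
# function can be exercised on a constructed sample without a JVM present.
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print "patched" (exit 0), "unpatched" (exit 1) or "unknown" (exit 2)
# for the given `java -version` output, picking the baseline by major line.
check_java_fix_level() {
    ver=$(parse_java_version "$1")
    case "$ver" in
        1.6.*) base="$FIX_LEVEL_JAVA6" ;;
        1.5.*) base="$FIX_LEVEL_JAVA5" ;;
        *)     echo "unknown"; return 2 ;;
    esac
    if java_version_ge "$ver" "$base"; then
        echo "patched"
        return 0
    fi
    echo "unpatched"
    return 1
}

# Constructed samples of `java -version` output: one runtime still on an
# earlier update, one at the fix level.
SAMPLE_OLD='java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) 64-Bit Server VM (build 17.1-b03, mixed mode)'
SAMPLE_NEW='java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)'

# When run directly on a host with a JVM, check the real runtime; the
# constructed samples above are what the offline demonstration uses.
if command -v java >/dev/null 2>&1; then
    check_java_fix_level "$(java -version 2>&1)" || true
else
    echo "sample old: $(check_java_fix_level "$SAMPLE_OLD")"
    echo "sample new: $(check_java_fix_level "$SAMPLE_NEW")"
fi
```

The comparison is numeric per field rather than a string compare, so 1.6.0_9 correctly sorts below 1.6.0_24; a runtime from a major line the table does not know about reports "unknown" rather than being silently treated as patched.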
The lag time often exposed Mac users who remained unprotected after the vulnerabilities were publicized and other platforms had already fixed the issues, according to Dino Dai Zovi, a security consultant with Independent Security Evaluators and co-author of The Mac Hacker’s Handbook.