Apple has pushed out the fixes for the Java remote code vulnerabilities Oracle patched earlier this month, including a “serious” flaw that allowed Java applet code to escape from the sandbox and run as if it were a local, trusted program.
Apple pushed out a Mac OS X update patching 11 Java vulnerabilities. Oracle fixed these bugs 20 days ago.
The Java for Mac OS X update fixed various vulnerabilities in Mac OS X, Apple said in its knowledgebase article June 28. The update addresses the long list of Java vulnerabilities Oracle patched for all other systems as Java SE 6 1.6.0_26 on June 8.
The Mac update patched several remotely exploitable vulnerabilities that can be triggered while browsing to launch drive-by attacks. In this particular attack, cyber-criminals can trick browsers and PDF readers into downloading and running malicious code without notifying the user or popping up any warning messages. The most “serious” vulnerability addressed in this update allowed Java applet code to escape from the sandbox and run as if it were a local, trusted program with the privileges of the current user, Apple said.
“That’s never supposed to happen, and it’s always bad,” Paul Ducklin, head of technology at Sophos, wrote on theNakedSecurity blog.
Java uses sandboxes to isolate scripts and applications so that they cannot influence each other or the operating system. A program breaking out of the sandbox and running locally is a serious security risk.
The 11 vulnerabilities covered a range of Java capabilities, including Swing, networking and sound. Almost all of them were remotely exploitable. Mac OS X users are strongly urged to install the latest update, since the vulnerabilities are well-known and can be exploited.
The fixes are available for OS X 10.6.6 “Snow Leopard” and later as well as for OS X 10.5.8 “Leopard.” The Snow Leopard update is a 75.45MB download, while the Leopard update weighs 120.33MB. Users must quit any Web browsers and Java applications before installing the updates.
Apple on June 23 released a huge set of security updates and enhancements to Snow Leopard via OS X 10.6.8 to “prepare” for Mac OS X 10.7, code-named “Lion,” which is expected sometime next month.
Apple packages the JDK (Java Development Kit) with the OS X operating system and, as such, updates Java through its own software update process, instead of leaving it up to Oracle, which currently manages updates for Windows, Linux and Solaris systems.
“You can download the latest updates for Linux, Solaris and Windows-and even for the esoteric Itanium processor-but there’s no offering for OS X users of any stripe,” Ducklin said.
Apple announced last year that it will “deprecate” Java, which currently ships with Mac OS X. Apple will no longer maintain Java on future versions of Mac OS X, the company wrote in the release notes back in October. Oracle is expected to start supporting Java for the Mac once it releases Java 7 instead of relying on Apple to release fixes through Software Update. Apple is expected to maintain Java SE 6 for Mac OS X Snow Leopard for the time being.
Apple also blocks Java applications from its Mac App Store because it uses “deprecated or optionally installed technologies,” according to the store’s guidelines.