Apple issues Java update to tackle zero day

Summary: Apple has begun protecting its users against the recent Java zero-day vulnerabilities by rolling out its own patches.

Apple has now released its own patches for OS X users, in order to tackle the Java zero-day vulnerabilities that were discovered at the end of last month.

The security updates are available for Mac OS X Snow Leopard, Lion and Mountain Lion systems, because there is now "an opportunity for security-in-depth hardening". In its security bulletin, Apple refers to Oracle's own security alert for CVE-2012-4681, and recommends that users apply either Java for Mac OS X 10.6 Update 10 or Java for OS X 2012-005, depending on their operating system. These patches update Java to version 1.6.0_35, the equivalent of the latest version of Java 6.

Java 7 is only available on Macs if users have downloaded it directly from Oracle, rather than using Apple's software updater. Users running the latest version of Java 6 on OS X are not vulnerable to the alleged sandbox bypass vulnerability that was discovered in the most recent Java 7 Update 7 patch.

Apple has stated that it will provide further information on the patch on its Apple security updates page, but at the time of writing, this had not been updated.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

4 comments
  • Should be noted, though . . .

    "Users still running Java 6 on OS X are not vulnerable to the alleged sandbox bypass vulnerability that was discovered in the most recent Java 7 Update 7 patch."

    Should be noted, though, that vulnerabilities fixed in Java 7 remain in 6. You're just exchanging one set of vulnerabilities for another.
    CobraA1
    • Thanks for that!

      I've cleaned up the language a bit to make things a little clearer. If you're running the -latest- version of Java 6, you should be fine as the latest vulnerability in Java 7 Update 7 doesn't affect Java 6.

      Of course, if you don't need Java, uninstall it!
      Michael Lee (Mukimu)
      • Still confusing

        The article is still confusing to me. It suggests that the update would "tackle [a] zero-day." But there is no zero-day exploit affecting Java 6. The CVE addressed was actually CVE-2012-0547, which is a "defense-in-depth" hardening fix.
        Drspringfield
  • Snow Leopard? Excellent!

    Does this imply a change in Apple's support policy? Well, I guess not given I've never seen one published. But it's certainly welcome they're providing a security update for current - 2.
    ye