Apple fixes old Java for Mac security holes

The Java for Mac patch batch, available for Mac OS X 10.5 and Mac OS X 10.6, includes a fix for a vulnerability that's more than a year old.

Apple has released a Java for Mac update to fix about 30 documented vulnerabilities, including some that expose Mac users to remote code execution attacks.

Here's the skinny from an Apple advisory:

  • Multiple vulnerabilities exist in Java 1.6.0_17, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
  • Multiple vulnerabilities exist in Java 1.5.0_22, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
  • An out of bounds memory access issue exists in the handling of mediaLibImage objects. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to an unexpected application termination or arbitrary code execution with the privileges of the current user. This issue only affects the Mac OS X implementation of Java.
  • A signedness issue exists in the handling of window drawing. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to an unexpected application termination or arbitrary code execution with the privileges of the current user.

The Java for Mac updates are available via the Software Update pane in System Preferences or from Apple's Software Downloads site.
