Finally, a 'critical' Java runtime update from Apple

Summary:Apple has shipped a long-overdue Java runtime update to plug at least 30 vulnerabilities that expose Mac OS X users to remote code execution attacks.


The Java Release 6 for Mac OS X 10.4 patches multiple critical holes in Java, Java 1.4 and J2SE 5.0, and includes a well-known issue that was left unpatched by Apple for more than a year.

That issue, first discovered by Google's security team in October 2006, was the catalyst for a third-party patch by developer Landon Fuller.

[ SEE: Mac users waiting months for ‘critical’ Java runtime update ]

In all, Apple documents 30 vulnerabilities in this mega-update and warns that the most serious bug may lead to arbitrary code execution and privilege escalation.

Inexplicably, on the Mac's software update utility, there is no mention of the security implications of this patch. On my MacBook (see screenshot), it refers to "improved reliability and compatibility" but makes no explicit mention of the 30 high-risk flaws.


This is not the first time that Apple has tried to get away with not being upfront about security fixes. Back in September, the company issued an iTunes update that made no mention whatsoever of CVE-2007-3752, a buffer overflow vulnerability that puts both Mac and Windows users at risk of arbitrary code execution attacks.

This is a significant (oversight?) because users routinely skip product updates that don't contain prominent security warnings. Apple really needs to clean up its act when it comes to upfront disclosure.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio
