Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apple patches critical Java for Mac, Mac OS X security holes

By Ryan Naraine | June 28, 2011, 1:43pm PDT

Summary: Apple has shipped a high-priority Java for Mac update to cover multiple security vulnerabilities that expose Mac OS X users to hacking attacks.

According to warnings from Apple, the vulnerabilities could allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.

The risks:

Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The updates are available for Mac OS X v10.6.6 and Mac OS X v10.5.8.

The Java for Mac patches follow the weekend release of a major Mac OS X security update covering a number of serious security holes.

Some of the Mac OS X security holes could lead to remote code execution via maliciously crafted fonts or PDF files. The components affected by critical vulnerabilities include ATS, ColorSync, CoreFoundation, CoreGraphics and ImageIO.

Apple also warned about security flaws in MobileMe, MySQL, OpenSSL, QuickLook and QuickTime.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

35 Comments

RE: Apple patches critical Java for Mac, Mac OS X security holes
HugoM 29th Jun
Doncha just love it? Forget the confusing stuff about computers and technology, I only read ZDNet for the mud slinging (please don't stop, I'm serious).
"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user."

But I have been told by a very knowledgeable commentator on this very site that OS X always requires social engineering for an exploit to work?

How can this then be? Isn't the magical, secret component and the awesome Unix heritage protecting OS X through the RDF shield?
Links are useful when accusing others
Richard Flude 28th Jun
I'd question the knowledge of the commentator if the claim is true.

Given the few (if any) sites still using Java applets I disable Java in Safari and "open safe files" on all my Macs.

OK it doesn't solve all problems, but these two attack vectors have been exposed in a large number of documented vulnerabilities in Mac OS X. I'd like to see Apple adopt this as the default.
@Richard Flude
Exactly right. Java in the browser offers no benefit* and opens a gaping hole.

For those who feel compelled to misquote the informed and quote the misinformed, have your jollies. Give it about an hour, maybe two, then double check that your java and .net on Windows are also up to date.

Because when java is identified as a problem, it is a problem on Windows, Linux, *BSD, and any other platform where a jvm is found.

.net gets its share of updates as well.

*Oh yes, $#%%%#%@% GoToMeeting browser-version required me to activate java the last time I used it. The irony was, it was a demonstration of app-building software that now could be used, Ta Da, for iOS apps. They demonstrated how darn quickly they could build an UGLY app. I asked the marketing textbot about good looking apps, and as I was awaiting my reply (Oh, yeah, you can do it if you want) the presenter commented on how they didn't feel beholden to the gui hegemony of Steve Jobs. Okay, next. But, my big hint to development environment product sellers: the quickness to deliver a good interface is where you have to compete with the free Xcode. But I digress while the java update downloads.
One right here
honeymonster Updated - 28th Jun
@Richard Flude
I'd question the knowledge of the commentator if the claim is true.

Look no further. You have several in play right here in this thread. Defend the hive! Defend the hive!

Given the few (if any) sites still using Java applets I disable Java in Safari and "open safe files" on all my Macs.

Two problems:

Firstly, Java applets are not used much on the "public" Internet, but unfortunately they are being used on private and "partner" nets for things like authentication and advanced access to hardware, e.g. sensors, printers etc. Which means that a lot of users still depend on them in certain situations. And in Safari you cannot switch Java on just for certain sites. It is on or off. In IE at least you can use the zones to switch Java off for anything but specifically trusted sites or the corporate intranet zone. I mainly use Chrome, but this is one thing IE got right.

Secondly, the two most used browsers on OS X, Safari and Firefox, still don't have sandboxing. Chrome runs in a sandbox. Internet Explorer runs in a sandbox. Firefox doesn't. Safari doesn't. When a browser is exploited through a vulnerability, there is nothing stopping the attacker from compromising the user account. With Chrome and IE the attacker still has to break out of the sandbox. Which has proven really hard.
@honeymonster

How do you get people to visit your "maliciously crafted untrusted Java applet" containing webpage?

By magic or social engineering?

The fatal flaw in your failure of a post.
@bannedagain: How do you get people to visit your "maliciously crafted untrusted Java applet" containing webpage?

You're welcome.
And how is that, ye?
ScorpioBlue 28th Jun
Why are Windows users so stupid? Why aren't they as 'smart' as you?

So drive-by exploits doesn't count!
honeymonster 28th Jun
@bannedagain
Right, the user has to visit a page with the applet. So drive-by exploits are not that serious. I guess that we can just forget about browser exploits then, because they all require the user to visit a specially crafted page. All of them.

But tell me, is it this way only on Apple systems or do you also consider IE vulnerabilities non-existent because they require the user to visit the web page for an exploit to be launched? I'm really interested in knowing how this looks from inside the RDF.

BTW, have you ever heard about Google/index/image poisoning? The way attackers can overwhelm certain search terms to point to their maliciously crafted web pages? Or does that also only work on non-Apple systems?
@bannedagain
I'm starting to think that you are a troll. Was I just had?
@ScorpioBlue: Why are Windows users so stupid?

Just take a look at your own posts as proof.
@bannedagain XSS exploit to redirect a user from something like Facebook or a blog to your malicious site. Or compromising web forums and blogs across the internet with a PHP worm. This may sound far fetched, but it's really not... That's how many websites end up hosting Windows malware.

I think I win now because I just explained exactly how to get people to visit a malicious site with no social engineering. Now would you shut up about how social engineering is the only vector for that sort of attack? It's demonstrably false and attacks of this type have occurred in recent memory. I don't know why, in spite of the fact that I've told you how this works multiple times you continue to espouse this.
Just take a look at your own posts as proof

But I use Linux most of the time so that doesn't apply.

So answer the question, pal.
@bannedagain As if the social engineering aspect is that difficult. I can post a link in Yahoo chat and have every goober in the chat room eyeballing it in seconds. I don't even have to send a phishing email or mock up a false front end for a popular website. Nope, just got to say, "Hey check out this stupid cat." and then post my link and bam, instant exploit. The machine can be as safe and secure as can be but, if the person behind it is an idiot what are you going to do? I'll tell you what. You patch the vulnerability so that the idiot on the other side of the keyboard doesn't get nailed by a malicious exploit.

I think the only difference is if you are targeting a malicious code execution then who do you target? OSX? No because OSX doesn't make up a significant portion of the market. Why bother writing up a malicious page for less than 10% of the installed OS base? If you want to get right down to it that is OSX's strongest security asset, the fact that it isn't heavily used. If the market was split more evenly you can believe that OSX would be just as exploited as Windows. The talent is out there but, the motivation isn't.
Just to clarify, this one doesn't count
woulddie4apple Updated - 28th Jun
Apple didn't write Java so it doesn't count.

Just to clarify though, all Adobe and Java vulnerabilities on IE (Windows) do count because IE is embedded in the kernel and can't be uninstalled.
@woulddie4apple IE is embedded in the kernel? That's news to me. News to the folks at Microsoft and anyone else too.
@facebook@...
It must be true. There is no way that a lie could be repeated a million times on ZDNet.
@woulddie4apple

I believe that up until IE8, it was embedded in the OS.

Now that the DoJ is off their backs, I fully expect it will be embedded again.
@ScorpioBlue

Probably not... It was a poor design decision engineering wise, and they know it. Also they still have European regulators on their back... It simplifies how they manage the branches for Windows 7N and Windows 7 to continue doing it how it is now.
@woulddie4apple

LOL! What a bunch of bull.
Don't fall for it
use_what_works_4_U 29th Jun
@Cylon Centurion
you're feeding the troll.
Right.
SonofaSailor 28th Jun
@woulddie4apple

Just like when the article states: "Apple also warned about security flaws in MobileMe, MySQL, OpenSSL, QuickLook and QuickTime."

Because Apple didn't write MobileMe or QuickTime.

oh...wait.
@SonofaSailor

Well they didn't write their OS either, so they're never responsible.
Oh, and just to clarify...
SonofaSailor 28th Jun
@woulddie4apple

Apple does actually write Java for OS X.

take a look:
http://www.cultofmac.com/steve-jobs-explains-was-java-was-deprecated-on-os-x/65324

Jobs' response:

Sun (now Oracle) supplies Java for all other platforms. They have their own release schedules, which are almost always different than ours, so the Java we ship is always a version behind. This may not be the best way to do it.

the sad thing is you're trying to act stupid and troll... most true Apple fanbois don't know much more than you and actually believe in all the BS you spout on here.
@SonofaSailor
Okay guys. Apple probably did write it, but there was an announcement that Oracle will take responsibility for the jvm on OS X. I don't think it has happened yet, but word was that OS X Lion ships without java, making it an optional install. Which sucks for us folks who counted on java as a way to be cross-platform for our utilities.

So, is it an Apple vulnerability? Is it a system vulnerability? If Oracle did take up the jvm maintenance, does it stop being an Apple vulnerability? EEEEEEEEE. Who cares? You use OS X (Leopard and beyond), fix it, disable java in the browser and move on.

And woulddie4apple: no one is asking you to do that. I, personally, would be pleased if you would just write less mindless drivel. And you could do that for yourself, because Apple, brace yourself, doesn't give a hoot about you, other than in a generic we-are-all-brothers-ask-not-for-whom-the-bell-tolls way. Today's post is causing me to develop the theory that you are the strawman some of the Apple haters need to quote.
@DannyO_0x98

"woulddie4apple" is an anti-Apple zealot who used to troll under a different name. He writes outrageous posts, hoping that people will take him seriously and then say "oh, those Apple fanboys are so foolish." Of course, to those who know his routine, all it does is make the Apple haters like himself look foolish.

I've known 5 year olds who act like that.
@msalzberg

Could it be our old friend, NonZealot?

lol...
@ScorpioBlue

You got it.
Or are you a liar?

Put up or shut up!
@NonZealot

Are you stalking me?
Umm, NonZealot?
msalzberg 29th Jun
@NonZealot

I don't see anything from Jim here. Perhaps the trolling software you're using to search for our names needs some refinement.
NonZealot exposed
ScorpioBlue 29th Jun
LOL...
Your best proof is the unsubstantiated claims of 2 liars. How convincing!

And flagging my posts won't take away the sting of you being caught in a lie!
Sorry, NonZealot...
msalzberg 29th Jun
but you were the one caught in a lie.

Where's Jim's post that proves that he and I are the same person?