Finally, a 'critical' Java runtime update from Apple

Summary: Apple has shipped a long-overdue Java runtime update to plug at least 30 vulnerabilities that expose Mac OS X users to remote code execution attacks.


Apple has shipped a long-overdue Java runtime update to plug at least 30 18 vulnerabilities that expose Mac OS X users to remote code execution attacks.

The Java Release 6 for Mac OS X 10.4 patches multiple critical holes in Java, Java 1.4 and J2SE 5.0, and includes a fix for a well-known issue that Apple left unpatched for more than a year.

That issue, first discovered by Google's security team in October 2006, was the catalyst for a third-party patch by developer Landon Fuller.

[ SEE: Mac users waiting months for ‘critical’ Java runtime update ]

In all, Apple documents 30 vulnerabilities in this mega-update and warns that the most serious bug may lead to arbitrary code execution and privilege escalation.

Inexplicably, the Mac's software update utility makes no mention of the security implications of this patch. On my MacBook (see screenshot), it refers to "improved reliability and compatibility" but makes no explicit mention of the 30 18 high-risk flaws.

This is not the first time that Apple has tried to get away with not being upfront about security fixes. Back in September, the company issued an iTunes update that made no mention whatsoever of CVE-2007-3752, a buffer overflow vulnerability that puts both Mac and Windows users at risk of arbitrary code execution attacks.

This is a significant (oversight?) because users routinely skip product updates that don't contain prominent security warnings. Apple really needs to clean up its act when it comes to upfront disclosure.

  • Why do you hate Apple so much?

    Seriously, this is 2 blogs in 1 day that have had an anti-Apple slant to them. Why don't you report more on all the holes in IE? I'm getting sick and tired of all the Apple bashing that goes on here. Please Ryan, focus on the important security threats, like all the ones that can be found in Micro$ux products. I'm not saying OS X is perfect but I also don't think this Java thingy should count as a flaw. That's a fact!
    • I'm allowed

      I'm allowed. I'm typing this on a Macbook, listening to an iPod, hearing my iPhone alarm go off. All bought with my hard-earned cash.

      Ryan Naraine
      • Ryan, Ryan, Ryan...

        Please don't feed the trolls, especially not the ones commenting on your own blog!

        Jack-Booted EULA
        • You must be an M$ $hill

          All I'm doing is proclaiming my love for Apple and my hatred for Micro$ux. The only reason you could have to call me a troll is if you are a Micro$ux hired astro turfer. That's okay, I don't care. OS X is going to have a 30% marketshare in 90 days and soon after that, 100% marketshare. Then all you Micro$ux astroturfers will become totally irrelevant. That's a fact!
          • Love for a company???

            "All I'm doing is proclaiming my love for Apple"

            Hmmm. No girlfriend? Seriously though, a company (any company) is not something to love. Find some humans to love and stop taking all this so seriously!
          • wrong as usual

            MS can bite my pasty white rump. Familiarity breeds contempt, and all that.

            Keep it up and we'll have to start calling you No_Acks.....

            Jack-Booted EULA
          • Then I'm only supporting you

            I admire the way you think! I wish more people hated Micro$ux like you and I do. That's a fact!
          • It's not "hatred" per se,

            rather, an intense dislike. And not so much MS in particular, but The Corporation in general.

            Jack-Booted EULA
          • Okay, just to clarify then

            When you say that:
            "MS can bite my pasty white rump. Familiarity breeds contempt, and all that."

            you aren't being a troll but when I say that I hate Micro$ux, I'm being a troll? I guess I just need to learn the rules here, they are so confusing!
          • I think it's the flip flop of your message

            that gave some (additional) indication.

            And whether I am or not (your decision mileage may vary), for the record, I have *never* denied being a troll myself.

            Jack-Booted EULA
          • Get A Life...

            You are pathetic.

            You really have no life do you?
          • NZ is just looking for attention

            thank you for providing it.
          • So you too disagree with me?

            I hate Micro$ux and love Apple. Which of those 2 emotions do you disagree with? Thanks!
          • NZ, Axey, Lovey, et al. all pretty much the same

            I come for the entertainment.

            An excellent value, as it's free.

            Jack-Booted EULA
        • In your book

          Anyone that doesn't like an Apple is a troll. Right?
          Forgive me, after 14 years on a Graphics Mac for a large printing company...I HATE THEM! Ok? Guess I'm a troll.
      • I intensely dislike LIARS and BS ARTISTS...

        ...and hype, negative hype...and that's what I see His Steveness and Apple dishing out, MOST of the time....sorry, but I have to own my own feelings.
        Feldwebel Wolfenstool
    • It goes both ways

      I am sure you didn't cry when similar posts were made concerning MS, right. Right?

      Apple is seriously making some security blunders and you think it should not be brought to light? Just like every MS related security issue always gets its own headline, no matter how small it is?

      This is not about being "unfair" or "bashing" Apple. It is simply about treating them the same as the media has always treated MS.

      If you want Apple to play in the grown ups' OS world, then you need to deal with grown up security issues and consequences. We realize it is important to maintain the illusion that Apple creates secure software, but sometimes you need to take off your Apple Kool-Aid colored glasses and look at, you know, the real world.

      Apple has certainly shown recently that they are anything but able to create secure software. Being on an OS platform that has a pathetic 3-7% marketshare will no longer shield them from having to deal with real world scrutiny. Especially when they want to put any of their software on grown up OSes, like Windows that does not have the luxury of security through obscurity.

      Welcome to the Real World.
    • I'm LOL, and "That's a fact!" (NT)

    • That's NOT a fact!

      OS X is so perfect and you are just a M$ shill if you think otherwise. I watched a WHOLE movie on OS X using QuickTime and I had NO malicious attacks during that time. The proof is in the pudding, buster.
      Michael Kelly
    • Oh and by the way...

      Guess you must have missed Ryan's "bashing" of HP: