Apple fixes old Java for Mac security holes

The Java for Mac patch batch, available for Mac OS X 10.5 and Mac OS X 10.6, includes a fix for a vulnerability that's more than a year old.
Written by Ryan Naraine, Contributor

Apple has released a Java for Mac update to fix about 30 documented vulnerabilities, including some that expose Mac users to remote code execution attacks.

Here's the skinny from an Apple advisory:

  • Multiple vulnerabilities exist in Java 1.6.0_17, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
  • Multiple vulnerabilities exist in Java 1.5.0_22, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
  • An out of bounds memory access issue exists in the handling of mediaLibImage objects. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to an unexpected application termination or arbitrary code execution with the privileges of the current user. This issue only affects the Mac OS X implementation of Java.
  • A signedness issue exists in the handling of window drawing. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to an unexpected application termination or arbitrary code execution with the privileges of the current user.

The Java for Mac updates are available via the Software Update pane in System Preferences or from Apple's Software Downloads site.
