/>
X
Business

Apple plugs gaping holes in Java for Mac

Apple today released Java for Mac OS X 10.5 Update 2 with patches for a total of 25 documented security flaws that could expose Mac users to malicious code execution attacks.
Written by Ryan Naraine, Contributor on
Apple today released Java for Mac OS X 10.5 Update 2 with patches for a total of 25 documented security flaws that could expose Mac users to malicious code execution attacks.

Two of the 25 flaws are specific to Apple and could be exploited to launch drive-by attacks if a Mac user is tricked into visiting a maliciously rigged Web page.

The two bugs affect Mac OS X v10.5.4 and Mac OS X Server v10.5.4 and address:

  • CVE-2008-3638: The Java plug-in does not block applets from launching file:// URLs. Visiting a website containing a maliciously crafted Java applet may allow a remote attacker to launch local files, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs. This is an Apple-specific issue. Credit to Nitesh Dhanjani and Billy Rios for reporting this issue.
  • CVE-2008-3637: An error checking issue leading to the use of an uninitialized variable exists in the Hash-based Message Authentication Code (HMAC) provider used for generating MD5 and SHA-1 hashes. Visiting a website containing a maliciously crafted Java applet may lead to arbitrary code execution. This update addresses the issue through improved error handling. This is an Apple-specific issue. Credit to Radim Marek for reporting this issue.

The mega update also addresses multiple serious vulnerabilities in Java 1.4.2_16, Java 1.5.0_13 and Java 1.6.0_05.

Editorial standards

Related

These are my 5 must-have devices for work travel now
ipad-mini-firewalla-purple-macbook-air

These are my 5 must-have devices for work travel now

What is ChatGPT and why does it matter? Here's what you need to know
chat bot

What is ChatGPT and why does it matter? Here's what you need to know

Stack Overflow temporarily bans answers from OpenAI's ChatGPT chatbot
Developers discussing something on a laptop

Stack Overflow temporarily bans answers from OpenAI's ChatGPT chatbot