Apple has shipped a long-overdue Java runtime update to plug at least
30 vulnerabilities that expose Mac OS X users to remote code execution attacks.
Java Release 6 for Mac OS X 10.4 patches multiple critical holes in the bundled Java runtimes, including Java 1.4 and J2SE 5.0, and includes a well-known issue that Apple left unpatched for more than a year.
That issue, first reported by Google's security team in October 2006, was the catalyst for a third-party patch by developer Landon Fuller.
In all, Apple documents 30 vulnerabilities in this mega-update and warns that the most serious of them may lead to arbitrary code execution and privilege escalation.
Inexplicably, the Mac's Software Update utility makes no mention of the security implications of this patch. On my MacBook (see screenshot), it refers to "improved reliability and compatibility" but says nothing explicit about the
30 high-risk flaws.
This is not the first time Apple has tried to get away with not being upfront about security fixes. Back in September, the company issued an iTunes update that made no mention whatsoever of CVE-2007-3752, a buffer overflow vulnerability that puts both Mac and Windows users at risk of arbitrary code execution attacks.
This matters, whether it is an oversight or not, because users routinely skip product updates that don't carry prominent security warnings. Apple really needs to clean up its act when it comes to upfront disclosure.