Oct 21, 2010 14:58 GMT  ·  By

Apple has released Java security updates for Mac OS X 10.5 (Leopard) and 10.6 (Snow Leopard), which provide fixes for critical remote code execution vulnerabilities.

The new Java for Mac OS X 10.6 Update 3 addresses two vulnerabilities that Oracle patched in Java SE 6 Update 22, released last week, as well as two Mac-only flaws.

The two bugs shared with Java 6u22 are tracked as CVE-2009-3555 and CVE-2010-1321 and carry a CVSS base score of 6.8.

Both may allow remote arbitrary code execution when a user visits a website that loads a maliciously crafted Java applet.

Another patched vulnerability, identified as CVE-2010-1826, was discovered by security researcher Dino Dai Zovi and was presented at the Summercon hacker convention earlier this year.

It stems from improper handling of Mach RPC messages and can be exploited to execute arbitrary code with the privileges of the current user.

The last flaw addressed in the Mac OS X 10.6 update, CVE-2010-1827, can also be exploited in drive-by download attacks by serving malicious Java applets.

Apple describes this issue as a memory corruption condition triggered when handling certain applet window bounds.

Java for Mac OS X 10.5 Update 8 patches the same two flaws, CVE-2009-3555 and CVE-2010-1321, on Leopard, where the Java 5.x platform is still supported.
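A practical follow-up to an update like this is confirming that the runtime on a machine is actually at the patched level. The script below is an added example, not part of the article or of Apple's update tooling: it parses the output of `java -version` (which Java writes to stderr) into a comparable number and gates it against a minimum. The Java 6 floor of 1.6.0_22 follows from the article's statement that Update 3 matches Oracle's Java SE 6 Update 22; the Java 5 floor of 1.5.0_26 is an assumption for the Leopard runtime and should be checked against Apple's release notes. The sample `java -version` outputs are constructed, not captured from a real system.

```shell
#!/bin/sh
# Gate an installed Java version against the patched level.
# Example code written for this page; not Apple's or Oracle's tooling.

MIN_JAVA6=1.6.0_22   # Java for Mac OS X 10.6 Update 3 corresponds to Oracle's 6u22
MIN_JAVA5=1.5.0_26   # ASSUMED level of the Java 5 runtime in 10.5 Update 8; verify

# Turn "1.6.0_22" (also "1.6.0", "1.6") into one integer: major*1e9 + minor*1e6
# + micro*1e3 + update, so versions can be compared with -ge.
java_version_num() {
    ver=$1
    update=0
    case "$ver" in *_*) update=${ver##*_}; ver=${ver%%_*} ;; esac
    major=${ver%%.*}
    minor=0; micro=0
    case "$ver" in *.*)
        rest=${ver#*.}
        minor=${rest%%.*}
        case "$rest" in *.*) micro=${rest#*.}; micro=${micro%%.*} ;; esac
    ;; esac
    echo $(( major * 1000000000 + minor * 1000000 + micro * 1000 + update ))
}

# Extract the quoted version from the first line of `java -version` output,
# e.g.   java version "1.6.0_22"   ->   1.6.0_22
java_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*"\([^"]*\)".*/\1/p'
}

# Returns 0 if the installed version ($1) is at or above the minimum ($2).
java_at_least() {
    [ "$(java_version_num "$1")" -ge "$(java_version_num "$2")" ]
}

# Pick the right floor for the Java line in use and report.
# Exit status: 0 = patched, 1 = below the floor, 2 = could not evaluate.
check_java_output() {
    v=$(java_version_from_output "$1")
    [ -n "$v" ] || { echo "could not parse a Java version"; return 2; }
    case "$v" in
        1.6.*) min=$MIN_JAVA6 ;;
        1.5.*) min=$MIN_JAVA5 ;;
        *)     echo "no known floor for Java $v"; return 2 ;;
    esac
    if java_at_least "$v" "$min"; then
        echo "OK: Java $v is at or above $min"
        return 0
    else
        echo "VULNERABLE: Java $v is below $min"
        return 1
    fi
}

# Constructed sample outputs for demonstration (not from a real machine).
OLD_OUTPUT='java version "1.6.0_20"
Java(TM) SE Runtime Environment (build details omitted)'
NEW_OUTPUT='java version "1.6.0_22"
Java(TM) SE Runtime Environment (build details omitted)'

check_java_output "$OLD_OUTPUT" || true
check_java_output "$NEW_OUTPUT" || true
# On a real Mac, run against the live runtime (note the stderr redirect):
#   check_java_output "$(java -version 2>&1)"
```

Because the version check reads the output of whatever `java` is first on `PATH`, run it with the same binary the browser plugin uses if several runtimes are installed; a patched command-line JDK does not prove the applet runtime is patched.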

Security researchers point out that, unlike on previous occasions, Apple moved remarkably fast in pushing out this update after Oracle's release.

"Historically, Apple's inclusion of updates for Flash and Java has been a bit backwards. Last summer when they released Snow Leopard, they actually downgraded your Flash Player as part of the install," writes Chester Wisniewski, a senior security advisor at Sophos.

"But it appears Apple has turned the ship around. If they can continue to release updates soon after they are made available and provide this service as an integral part of their OS this could be a significant advantage," he concludes.