Mar 9, 2011 13:58 GMT  ·  By

Apple has released Java security updates for Mac OS X v10.6.6 and Mac OS X v10.5.8 in order to address multiple vulnerabilities that could be exploited to execute arbitrary code.

The new updates patch vulnerabilities in Java 1.6.0_22 and Java 1.5.0_26 by updating the runtime's version to 1.6.0_24 or 1.5.0_28, respectively.

Oracle released the updated versions of the software back in February; Apple skipped over 1.6.0_23 and 1.5.0_26 because those releases didn't fix any security vulnerabilities.
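The version numbers above are the only thing an administrator needs to decide whether a Mac has picked up this update. The following script is an added example written for this page, not code from Apple or from the article's author: it parses the banner that `java -version` prints on stderr, compares the build against the patched baselines the article names (1.6.0_24 for the Java 6 line, 1.5.0_28 for the Java 5 line), and reports anything older as unpatched. The sample banners are constructed for illustration; the helper names are this example's own.

```python
import re
import subprocess

# Minimum runtime builds carrying the March 2011 Apple fixes, as stated in the
# article: Java 6 must be at 1.6.0_24 or later, Java 5 at 1.5.0_28 or later.
PATCHED_VERSIONS = {
    (1, 6): (1, 6, 0, 24),
    (1, 5): (1, 5, 0, 28),
}

# `java -version` writes its banner to stderr; the first line looks like
#   java version "1.6.0_22"
# The update number after the underscore is what distinguishes the builds.
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (major, minor, micro, update) parsed from a banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(version):
    """True if the runtime is at or above the patched build for its line.

    Tuples compare element by element, so (1, 6, 0, 22) < (1, 6, 0, 24).
    Lines the article does not cover (anything other than 1.5 / 1.6) return
    None rather than guessing.
    """
    line = version[:2]
    if line not in PATCHED_VERSIONS:
        return None
    return version >= PATCHED_VERSIONS[line]


def check_installed_java():
    """Run the real `java -version` and classify the default runtime on PATH.

    Returns (version_tuple_or_None, patched_or_None). Only the JVM that
    `java` resolves to is inspected; a second runtime selected elsewhere
    (for example by a browser plug-in) is not covered by this check.
    """
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    banner = proc.stderr or proc.stdout
    version = parse_java_version(banner)
    return version, (is_patched(version) if version else None)


# Constructed sample banners (illustrative, not captured from a real machine).
SAMPLE_BANNERS = {
    "java6_before_update": 'java version "1.6.0_22"\nJava(TM) SE Runtime Environment',
    "java6_after_update": 'java version "1.6.0_24"\nJava(TM) SE Runtime Environment',
    "java5_before_update": 'java version "1.5.0_26"\nJava(TM) 2 Runtime Environment',
    "java5_after_update": 'java version "1.5.0_28"\nJava(TM) 2 Runtime Environment',
    "no_java": "command not found: java",
}


def classify_samples():
    """Map each sample banner to 'patched', 'unpatched', or 'unknown'."""
    result = {}
    for name, banner in SAMPLE_BANNERS.items():
        version = parse_java_version(banner)
        status = is_patched(version) if version else None
        result[name] = {True: "patched", False: "unpatched", None: "unknown"}[status]
    return result


if __name__ == "__main__":
    for name, status in classify_samples().items():
        print(f"{name}: {status}")
    try:
        print("installed runtime:", check_installed_java())
    except FileNotFoundError:
        print("installed runtime: java not found on PATH")
```

Run it as-is to see the constructed samples classified; on a machine with Java installed it also reports the default runtime. Because the comparison is a plain tuple comparison, the same helper works for any later update number Apple or Oracle publishes, as long as the banner keeps the `1.x.y_uu` form.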

The Mac maker notes in its advisory that the new updates address vulnerabilities that may allow an untrusted Java applet to execute arbitrary code outside of the Java sandbox.

"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user," the company writes.

There are a total of sixteen patched vulnerabilities, seven of which have the highest base score (10.0) on the Common Vulnerability Scoring System (CVSS) scale.

Updating is highly recommended as Java exploits are commonly used in drive-by download attacks to install malware on computers.

Not only that, but a Java-based cross-platform trojan that also infects Macs was discovered in November last year, clearly showing that Apple's operating system is not free from attacks.

According to statistics from antivirus vendor BitDefender, one of the most common detections in December was that of a Java trojan downloader that uses the OpenConnection method to download malware.

Since Java-based threats are so prevalent and there is little legitimate Java content left on the Web now that AJAX and other modern technologies have replaced it, security researchers recommend disabling the Java plug-in in browsers entirely in order to remove the attack vector.

Of course, removing the runtime entirely from the system might not be practical because there is still a lot of desktop software that depends on it.