Oct 21, 2010 14:06 GMT

Apple has rolled out Java for Mac OS X 10.6 Update 3 and Java for Mac OS X 10.5 Update 8, addressing several security issues in the Sun Microsystems-developed platform.

“Java for Mac OS X 10.6 Update 3 delivers improved compatibility, security, and reliability by updating Java SE 6 to 1.6.0_22,” Apple says.

On the Leopard side, “Java for Mac OS X 10.5 Update 8 delivers improved compatibility, security, and reliability by updating J2SE 5.0 to 1.5.0_26, and updating Java SE 6 to 1.6.0_22 for 64-bit capable Intel-based Macs.”

Apple notes that “J2SE 1.4.2 is no longer being updated to fix bugs or security issues and remains disabled by default in this update.”

A couple of Support documents are offered to explain exactly what security flaws the two updates address.

Affecting both the Client and the Server editions of Mac OS X 10.6.4, multiple vulnerabilities exist in Java 1.6.0_20, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.

According to Apple, “Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.”

Java for Mac OS X 10.6 Update 3 addresses these issues by updating to Java version 1.6.0_22.

Apple also signals that a command injection issue exists in updateSharingD's handling of Mach RPC messages.

Because of this, “a local user may be able to execute arbitrary code with the privileges of another user who runs a Java application.”

To address this, Apple implemented a per-user Java shared archive, after being notified of this problem by a person identified as Dino Dai Zovi.

Additionally, the Mac maker notes that this particular issue only affects the Mac OS X implementation of Java.

Softpedia will have a closer look at all the vulnerabilities addressed in Java for Mac OS X in a separate article.
