Untrusted Java applets prevented from executing arbitrary code outside their sandbox

Oct 17, 2012 08:26 GMT  ·  By

Two new Java releases are available to download from Apple’s Support site as well as through the Mac App Store’s Update section. Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 11 both address multiple security issues in their respective OS X versions.

A Support document describing the purpose of Java for OS X 2012-006 says “This release updates the Apple-provided system Java SE 6 to version 1.6.0_37 and is for OS X versions 10.7 or later.”

Apple notes that said patch uninstalls the Apple-provided Java applet plug-in from all web browsers, advising users to click on the region labeled “Missing plug-in” to download and use applets on a web page.

The Mac maker further mentions that Java for OS X 2012-006 removes the Java Preferences application, which is no longer required to configure settings for applets.

However, the main purpose of the update is not described in knowledge-base article HT5493, but rather in the one labeled HT5549, where the company in Cupertino, California, explains the security content of Java for Mac OS X 10.6 Update 11 and Java for OS X 2012-006.

Targeting Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, and OS X Mountain Lion v10.8 or later, Java for Mac OS X 10.6 Update 11 and Java for OS X 2012-006 patch multiple vulnerabilities in Java 1.6.0_35, according to the Mac maker.

The updates patch over a dozen flaws, “the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox,” reads Apple’s advisory.

“Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_37,” Apple explains.

Customers looking for further information on these patches are directed to Oracle’s Java website.
