Four holes patched in the latest Java release for Mac

Dec 4, 2009 09:26 GMT

As reported earlier today, Apple has issued two separate Java updates for Mac OS X users, addressing not only bugs, but also a range of security issues on both Mac OS X 10.5 Leopard, and Mac OS X 10.6 Snow Leopard. For users of the latter, two vulnerabilities have been patched. On Leopard, four such holes are plugged.

Detailing the security content of Java for Mac OS X 10.6 Update 1, Support document HT3969 reveals that there are two issues in need of patching on Mac OS X v10.6.2 and later, as well as on Mac OS X Server v10.6.2 and later.

“Multiple vulnerabilities exist in Java 1.6.0_15, the most serious of which may allow an untrusted Java applet to obtain elevated privileges,” Apple explains, referring to the first vulnerability found. “Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_17.” Crediting Kevin Finisterre of Netragard for reporting the issue to Apple, the Mac maker encourages those who wish to learn more to visit the Sun Java website, here.

The second issue, which affects both the client and server editions of Snow Leopard, is that an expired certificate for a Java applet could be treated as valid. According to the company headquartered in Cupertino, California, “This issue is addressed through improved handling of expired certificates. Credit to Simon Heimlicher of ETH Zurich for reporting this issue.”

The security content of Java for Mac OS X 10.5 Update 6 is a bit heftier: in addition to the two holes described above, it addresses two further vulnerabilities in the Java versions shipped with Leopard:

“Multiple vulnerabilities exist in Java 1.5.0_20, the most serious of which may allow an untrusted Java applet to obtain elevated privileges,” Apple reveals, noting that this particular issue affects Mac OS X v10.5.8 and Mac OS X Server v10.5.8. “Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user,” the description continues. “These issues are addressed by updating to Java version 1.5.0_22.” More information is available here, Apple says.

The fourth vulnerability affects the same OS versions and may likewise allow an untrusted Java applet to obtain elevated privileges. It concerns Java 1.4.2_22: “Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user,” the bug’s description reads. “These issues are addressed by disabling Java version 1.4.2,” Apple confirms.
