Jun 29, 2011 10:57 GMT
Apple releases Java for Mac OS X 10.5 Update 10 and Java for Mac OS X 10.6 Update 5

Apple has released security updates for the Java packages in Mac OS X 10.5 and 10.6 in order to address critical security vulnerabilities patched by Oracle earlier this month.

Oracle released Java SE 1.6.0_26 for Windows, Linux and Solaris on June 7, fixing a total of seventeen vulnerabilities, nine of which carried a maximum score on the CVSS scale.

But the update wasn't available to Mac users, because Apple distributes its own Java package and security updates.

Yesterday, three weeks after the original patches came out, Apple released Java for Mac OS X 10.5 Update 10 and Java for Mac OS X 10.6 Update 5 to include them.

Java for Mac OS X 10.5 Update 10 addresses vulnerabilities in both Java 1.6.0_24 and 1.5.0_28, while Java for Mac OS X 10.6 Update 5 addresses them only in the former.

Two of the patches, for CVE-2011-0868 and CVE-2011-0869, apply only to Java 1.6.0_24. The rest, for CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0871, and CVE-2011-0873, apply to both versions.

Users are urged to deploy these security updates as soon as possible because some of the flaws can be exploited remotely to run arbitrary code. After patching, the Java packages will be updated to versions 1.6.0_26 and 1.5.0_30 respectively.

Hackers can attack outdated Java installations by tricking users into loading maliciously crafted Java applets. These can be served from legitimate websites that have been compromised. Java is currently the most targeted web technology on Windows, with exploits for it integrated into most drive-by download kits.

There have also been reports of Mac malware being distributed as Java applets. At the end of October 2010, security researchers discovered a Java-based trojan called Boonana, which contained payloads for both Windows and Mac.