Apple's tardy Java update arrives

Stephen Withers
Tuesday, 16 June 2009 09:19

Business IT - Security

Apple has finally got around to updating the Mac OS X version of Java, fixing a worrying vulnerability that's been lingering for months.

Late last year, Sun addressed a vulnerability in Java that allowed applets in web pages to escape the Java sandbox and ultimately run with whatever privileges an attacker wants.

When Mac OS X 10.5.7 arrived last month without a corresponding update, Julien Tinnes, a colleague of the original discoverer went public on the issue.

The vulnerability was especially significant as a reliable exploit could be written in Java to work on any hardware, operating system or browser. "This is close to the holy grail of client-side vulnerabilities," said Tinnes.

Now Apple has released Java for Mac OS X 10.5 Update 4 and Java for Mac OS X 10.4 Update 9 which address this and other vulnerabilities. A substantial proportion of the issues have been known since 2008.

The updater for 10.4 addresses 52 vulnerabilities, 28 in Java 1.5 and 24 in Java 1.4. It updates to Java 1.5.0_19 and 1.4.2_21.

The 10.5 updater addresses an overlapping set of 53 vulnerabilities in Java 1.4 and 1.5, 28 in Java 1.6, plus another set that are specific to Java 1.5 on Mac OS X 10.5.

That last group relates to Aqua Look and Feel for Java, and may allow an applet to gain elevated privileges. The fix works by denying access to internal details of Aqua Look and Feel by untrusted applets.

Apple's Java Preferences utility allows a user to specify which of the installed Java Virtual Machines will be loaded. This allows the use of applets and applications that require an older JVM.