Apple pushes Java updates for Mac OS X

Stephen Withers
Friday, 26 September 2008 03:46

Opinion and Analysis

Both updates plug a hole that allowed malicious applets to execute arbitrary code by exploiting an uninitialised variable in the routine used to generate MD5 and SHA-1 hashes.

The version of the Java plug-in previously provided for Leopard allowed applets to launch file: URLs, meaning a malicious applet could run another program. It might be harder than ever to sneak files onto a Mac and hopefully users are stopping and thinking when the authorisation dialog pops up, but eliminating a method for remotely running a program has to be worthwhile.

And for Mac OS X 10.5 Server, a change in the default jurisdiction policy allows the use of cryptographic keys that are longer than 128 bits. The longer the key, the more secure the encryption.

The other issues - over 20 of them - are addressed in this update by installing newer versions of the various versions of Java. Java 1.4 is updated to 1.4.2_18,  Java 1.5 to 1.5.0_16, and Java 1.6 to 1.6.0_07.

In each case, Apple skipped at least one build. For example, the previous version of Java 1.5 provided by Apple was 1.5.0_13. While Sun only documents security issues with the Windows, Linux and Solaris versions of Java, it seems that at least one of the skipped versions included security fixes as well as other changes that appear relevant to the Mac OS X implementations.

Anyway, once you've installed Apple's latest updates you'll be running Sun's most recent versions of Java.

As usual, Software Update is the easiest way of updating a single Mac, but if you have two or more computers to take care of you can save bandwidth by downloading the installers from Apple Downloads.