Apple Patches Security Flaws with Java Updates


Apple rolled out Java security updates for Mac OS X 10.4 and 10.5 late Monday afternoon. Java for Mac OS X 10.4 Update 9 and Java for Mac OS X 10.5 Update 4 patch a series of flaws that could let a remote attacker gain elevated privileges or execute arbitrary code on the victim's computer.

The security updates address issues in Mac OS X 10.4.11 and 10.5.7 where attackers could use untrusted Java applets to gain elevated privileges on a victim's computer, or where visiting a Web site containing a maliciously crafted Java applet could let an attacker run arbitrary code with the victim's current privileges.

The updates are free and available via the Software Update application, or as downloadable installers for Mac OS X 10.4.11 and 10.5.7 at the Apple Support Web site.



Don Sakers

The last Security Update killed my venerable iMac G$ so thoroughly that even reinstalling OSX hasn’t brought it back to full functionality.

And now Apple wants us to install another Security Update? Anyone who does so is taking a terrible chance. Me, I’ll never install another Apple Security Update until I know that no one else’s machine has been hosed by it.


Not a bad precaution, especially with an older system.

FWIW I’ve installed it on two systems so far, a silver and a white MacBook, running 10.5.7 and it was fine. Like you, I’m waiting to do my G5.


The last Security Update killed my venerable iMac G$ so thoroughly that even reinstalling OSX hasn’t brought it back to full functionality.

Ummm, yeah. So wiping the previous install (including the security update) and reinstalling the OS doesn’t bring it back? And how does that work, exactly?

I put absolutely no faith in anecdotal “evidence” from unregistered guests. Especially when it makes no sense whatsoever.


I’ve installed all of these updates without a hitch on G5 systems running 10.5.7. Either the first poster is flat out lying, or there is something seriously wrong with that machine.


While in general it may be a good idea to wait a few days in order to check if someone else may have had some problems with the update, this particular patch is extremely critical. Safari was wide open to serious drive-by java attacks and, in addition to the proof-of-concept site that demonstrated how simple the attack was (absolutely no action by user required to get root privileges after visiting the malicious URL), malicious sites were being reported out there. The worst part is, you just don’t even know you’ve been had by the attacker!

As for these installation problems, if you have a mission-critical machine and are anxious about updating, just do a full back-up (carbon copy cloner or similar) and update. If it’s hosed, reformat, restore and all is well.


Safari was wide open to serious drive-by java attacks

Only if you haven’t turned off Java in your preferences, which, seriously, everyone should have done if they were continuing to use Safari after the exploit was announced. Probably still a good idea to only turn it on if you have a specific need and then only when necessary.
