Apple Posts Java Security Updates

Apple has posted Java for Mac OS X 10.6 Update 3 and Java for Mac OS X 10.5 Update 8. The updates address several security issues.

The Java for Mac OS X 10.6 Update 3 addresses the following:

Java
CVE-ID:  CVE-2009-3555, CVE-2010-1321
Available for:  Mac OS X v10.6.4, Mac OS X Server v10.6.4
Impact:  Multiple vulnerabilities in Java 1.6.0_20
Description:  Multiple vulnerabilities exist in Java 1.6.0_20, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues are addressed by updating to Java version 1.6.0_22.
Further information is available via the Java website at
http://java.sun.com/javase/6/webnotes/ReleaseNotes.html

Java
CVE-ID:  CVE-2010-1826
Available for:  Mac OS X v10.6.4, Mac OS X Server v10.6.4
Impact:  A local user may be able to execute arbitrary code with the
privileges of another user who runs a Java application
Description:  A command injection issue exists in updateSharingD's
handling of Mach RPC messages. A local user may be able to execute
arbitrary code with the privileges of another user who runs a Java
application. This issue is addressed by implementing a per-user Java
shared archive. This issue only affects the Mac OS X implementation
of Java. Credit to Dino Dai Zovi for reporting this issue.

Java
CVE-ID:  CVE-2010-1827
Available for:  Mac OS X v10.6.4, Mac OS X Server v10.6.4
Impact:  Visiting a web page containing a maliciously crafted Java
applet tag may lead to an unexpected application termination or
arbitrary code execution with the privileges of the current user
Description:  A memory corruption issue exists in Java's handling of
applet window bounds. Visiting a web page containing a maliciously
crafted Java applet tag may lead to an unexpected application
termination or arbitrary code execution with the privileges of the
current user. This issue is addressed through improved validation of
window bounds. This issue only affects the Mac OS X implementation of
Java.

See Apple’s KB article HT4297 for more general information about the update and HT1222 for security details on this update as well as previous updates. The update is available in System Preferences -> Software Update or from Apple’s support site. Those users still on Mac OS X 10.5.8 should install Java for Mac OS X 10.5 Update 8 instead.
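After installing, the practical check is whether the JVM actually reports the update level the advisory says it ships (1.6.0_22 for the 10.6 update). The script below is an added example for that check, not part of Apple's advisory or the article: it parses the first line that `java -version` prints and compares it field by field against 1.6.0_22. The sample version strings in the comments are constructed; the 10.5 update's target version is not stated on this page, so the threshold is only meaningful for the 10.6 update.

```shell
#!/bin/sh
# Added verification helper (not Apple's or the article's code).
# Checks whether a `java -version` banner reports at least 1.6.0_22,
# the version the advisory says Java for Mac OS X 10.6 Update 3 installs.

# Parse a banner line such as:   java version "1.6.0_20"
# and print its numeric parts separated by spaces:   1 6 0 20
# Prints nothing if the line does not have the major.minor.patch_update shape
# (constructed sample lines are used in the checks at the bottom).
parse_java_version() {
    printf '%s\n' "$1" | sed -n \
        's/^java version "\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)_\([0-9][0-9]*\)".*$/\1 \2 \3 \4/p'
}

# Return 0 if the banner is 1.6.0_22 or newer, 1 if it is older
# (still on the vulnerable 1.6.0_20 or earlier), 2 if it could not be parsed.
# Fields are compared numerically so that, e.g., _24 > _22 and 1.6.0_9 < 1.6.0_22.
java_is_patched() {
    parts=$(parse_java_version "$1")
    [ -n "$parts" ] || return 2
    set -- $parts
    for pair in "$1:1" "$2:6" "$3:0" "$4:22"; do
        have=${pair%%:*}
        want=${pair##*:}
        [ "$have" -gt "$want" ] && return 0
        [ "$have" -lt "$want" ] && return 1
    done
    return 0
}

# Run the check against the JVM on this machine. `java -version` writes its
# banner to stderr, hence the redirect. Only invoked when run directly.
check_installed_java() {
    banner=$(java -version 2>&1 | head -n 1)
    if java_is_patched "$banner"; then
        echo "OK: $banner"
    else
        rc=$?
        [ "$rc" -eq 2 ] && echo "Could not parse: $banner" || echo "UPDATE NEEDED: $banner"
        return "$rc"
    fi
}

case "$0" in
    *java_check*) check_installed_java ;;
esac
```

Save it as `java_check.sh` and run it on the Mac in question; any other name only defines the functions so they can be sourced. A rc of 1 means the JVM still reports a pre-1.6.0_22 build and the update has not taken effect (or the browser is using a different JVM than the one on `PATH`).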