Apple has posted Java for Mac OS X 10.6 Update 3 and Java for Mac OS X 10.5 Update 8. The updates address several security issues.
The Java for Mac OS X 10.6 Update 3 addresses the following:
Java
CVE-ID: CVE-2009-3555, CVE-2010-1321
Available for: Mac OS X v10.6.4, Mac OS X Server v10.6.4
Impact: Multiple vulnerabilities in Java 1.6.0_20
Description: Multiple vulnerabilities exist in Java 1.6.0_20, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_22. Further information is available via the Java website at http://java.sun.com/javase/6/webnotes/ReleaseNotes.html

Java
CVE-ID: CVE-2010-1826
Available for: Mac OS X v10.6.4, Mac OS X Server v10.6.4
Impact: A local user may be able to execute arbitrary code with the privileges of another user who runs a Java application
Description: A command injection issue exists in updateSharingD's handling of Mach RPC messages. A local user may be able to execute arbitrary code with the privileges of another user who runs a Java application. This issue is addressed by implementing a per-user Java shared archive. This issue only affects the Mac OS X implementation of Java. Credit to Dino Dai Zovi for reporting this issue.

Java
CVE-ID: CVE-2010-1827
Available for: Mac OS X v10.6.4, Mac OS X Server v10.6.4
Impact: Visiting a web page containing a maliciously crafted Java applet tag may lead to an unexpected application termination or arbitrary code execution with the privileges of the current user
Description: A memory corruption issue exists in Java's handling of applet window bounds. Visiting a web page containing a maliciously crafted Java applet tag may lead to an unexpected application termination or arbitrary code execution with the privileges of the current user. This issue is addressed through improved validation of window bounds. This issue only affects the Mac OS X implementation of Java.
See Apple’s KB article HT4297 for more general information about the update and HT1222 for security details on this update as well as previous updates. The update is available in System Preferences -> Software Update or from Apple’s support site. Users still on Mac OS X 10.5.8 will use Java for Mac OS X 10.5 Update 8.