
June 15th, 2009

Apple finally patches musty old Java for Mac vulnerabilities

Posted by Ryan Naraine @ 2:05 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Malware, Open source, Passwords, Patch Watch, Pen testing, Vulnerability research, Web Applications, Zero-day attacks

Tags: Apple Macintosh, Vulnerability, Patch Management, Apple Inc., Programming Languages, Java, Software Development, Software/Web Development, Ryan Naraine

Apple has finally released a Java for Mac update to fix multiple security flaws that were patched upstream more than six months ago.

The fix comes three weeks after developers released proof-of-concept code to demonstrate the severity of the flaw and to embarrass Apple into shipping the patch.

Today’s patch covers the following:


  • Multiple vulnerabilities exist in Java 1.5.0_16, the most serious of which may allow an untrusted Java applet to obtain elevated privileges. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating Java 1.5 to version 1.5.0_19.
  • Multiple vulnerabilities exist in Java 1.4.2_18, the most serious of which may allow an untrusted Java applet to obtain elevated privileges. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating Java 1.4 to version 1.4.2_21. Further information is available via the Sun Java website.
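
A patch-level check built from the two bullets above, added here as an illustration (it is not code from Apple, Sun or the original post). It assumes the legacy `1.x.y_NN` version string format as printed by `java -version`; the sample banners are constructed, and the function names are hypothetical.

```python
import re

# Fixed update level per Java family, taken from the advisory text above.
FIXED_UPDATE = {(1, 5, 0): 19, (1, 4, 2): 21}

# Legacy version strings look like 1.5.0_16, optionally followed by a build suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return ((major, minor, micro), update) from a version string or
    banner line, or None when no version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    family = tuple(int(m.group(i)) for i in (1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0  # no _NN means update 0
    return family, update


def patch_status(text):
    """Classify a banner as 'patched', 'needs-update' or 'unknown'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "unknown"  # family not covered by this advisory
    # Compare the update number as an integer: as strings, "9" > "19".
    return "patched" if update >= fixed else "needs-update"


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real machine.
    samples = [
        'java version "1.5.0_16"',
        'java version "1.5.0_19"',
        'java version "1.5.0_9"',
        'java version "1.4.2_18"',
        'java version "1.4.2_21"',
        'java version "1.6.0_13"',
    ]
    for line in samples:
        print(f"{line:28} -> {patch_status(line)}")
```
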

Because of licensing and other hiccups, Apple will always be late with its Java for Mac updates. Perhaps it’s time for Sun to merge the Mac Runtime for Java with the standard Java codebase and ship Java for Mac themselves.

Thoughts?

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



  • Talkback
  • Most Recent of 29 Talkback(s)
Uh, no.
.NET is a virtual machine (not virtualization) just like Java.
.NET and Java are platform independent frameworks with development environments and runtime environments. The end result is an...
Posted by: 914four Posted on: 06/26/09
Disgusting behaviour by Apple  jorjitop | 06/15/09
Unacceptable response time!  Telix | 06/15/09
Unacceptable response time!  Telix | 06/15/09
OpenJDK  Richard Flude | 06/15/09
Correct.  phatkat | 06/16/09
More Scare Tactics  jbelkin | 06/15/09
Just in time for what?  ye | 06/16/09
Exactly  vikingnyc@... | 06/16/09
Apple is perfect!!  kurt.westerlund@... | 06/16/09
No...  dclhacker | 06/16/09
On drugs.  phatkat | 06/16/09
Oh sure, why worry until it's too late?  mechBgon | 06/16/09
So?  zkiwi | 06/16/09
If you lived in community where people didn't ...  snberk341 | 06/19/09
Can anyone post any evidence that it has been used /caused any havoc?  gennx30 | 06/17/09
It's a non-issue, here's why  comp_indiana | 06/17/09
Warnings do not solve the problem  dlweinreb | 06/21/09
Fail  honeymonster | 06/23/09
Well 6 months is certainly enough time for me  Laraine Anne Barker | 06/18/09
RE: Apple finally patches musty old Java for Mac vulnerabilities  jfreedle2@... | 06/22/09
So...  zkiwi | 06/22/09
Hey, it could be worse.  914four | 06/23/09
Hey, they could have done a lot worse than that  honeymonster | 06/23/09
Oh really? [nt]  zkiwi | 06/23/09
.NET doesn't need vulnerabilities...  914four | 06/23/09
Do you make it up as you go?  honeymonster | 06/24/09
Uh, no.  914four | 06/26/09
RE: Apple finally patches musty old Java for Mac vulnerabilities  powershaker | 06/22/09
it's about time!  ep-man | 06/24/09
