December 14th, 2007
Finally, a 'critical' Java runtime update from Apple
Apple has shipped a long-overdue Java runtime update to plug at least 30 18 vulnerabilities that expose Mac OS X users to remote code execution attacks.
The Java Release 6 for Mac OS X 10.4 patches multiple critical holes in Java, Java 1.4 and J2SE 5.0, and includes a well-known issue that was left unpatched by Apple for more than a year.
That issue, first discovered by Google’s security team in October 2006, was the catalyst for a third-party patch by developer Landon Fuller.
[ SEE: Mac users waiting months for ‘critical’ Java runtime update ]
In all, Apple documents 30 vulnerabilities in this mega-update and warns that the most serious bug may lead to arbitrary code execution and privilege escalation.
Inexplicably, on the Mac’s software update utility, there is no mention of the security implications of this patch. On my MacBook (see screenshot), it refers to “improved reliability and compatibility” but no explicit mention of the 30 18 high-risk flaws.
This is not the first time that Apple has tried to get away with not being upfront about security fixes. Back in September, the company issued an iTunes update that made no mention whatsoever of CVE-2007-3752, a buffer overflow vulnerability that puts both Mac and Windows users at risk of arbitrary code execution attacks.
This is a significant (oversight?) because users routinely skip product updates that doesn’t contain prominent security warnings. Apple really needs to clean up its act when it comes to upfront disclosure.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
| 12/14/07
