Apple closes 27 security holes in Java
Apple has closed numerous security holes with the release of Java for Mac OS X 10.5 Update 2. Several of these holes are critical because they allow attackers to inject and execute code, but successful exploitation requires users to visit a specially crafted web page with a Java-enabled browser.
The vulnerabilities are generally the same as those Sun Microsystems reported and fixed in JDK and JRE 6 Update 7, JDK and JRE 5.0 Update 16, and SDK and JRE 1.4.2_18 more than two months ago.
There are also two critical, previously undisclosed holes which are specific to Apple. These are a flaw when processing Hash-based Message Authentication Code (HMAC) for MD5 and SHA-1 hashes, and the possibility for applets to launch local files via