Apple closes vulnerabilities in Java
Apple has released Java for Mac OS X 10.4 Release 9 and Java for Mac OS X 10.5 Update 4 to fix several well-known security vulnerabilities in Java. In mid-May, security specialist Landon Fuller published an exploit for Mac OS X to demonstrate how easy it was to exploit the Java vulnerability. Since then Apple has been criticised for leaving its users unprotected for far too long. Independent security specialist Rich Mogull has called for the introduction of a "Secure Software Development" program for Apple's most important products and the appointment of a Chief Security Officer (CSO) to act as a driving and coordinating force, so that Apple can react quickly to security issues.
The Apple updates include fixes for several critical vulnerabilities in Java 1.6, 1.5 and 1.4. A fourth vulnerability, not reported by Fuller, has also been patched on Mac OS X 10.5: it could have allowed an untrusted Java applet to obtain elevated privileges and execute arbitrary code when a victim visited a page containing a maliciously crafted applet. Apple users, however, are still not completely up to date: the Apple updates include Java 6 Update 13, but Update 14 was released at the end of May. According to Sun, Java 6 Update 14 didn't close any vulnerabilities, but it did add a new blacklist feature. With it, the Java Plug-in and Web Start check signed jar files against a blacklist and refuse to load any class or resource that is on the list.
- About the security content of Java for Mac OS X 10.4 Release 9, security advisory from Apple.
- About the security content of Java for Mac OS X 10.5 Update 4, security advisory from Apple.
- Expert says Apple needs to increase its security efforts, a report from The H.
- Exploit for unpatched vulnerability in Mac OS X, a report from The H.