Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple plugs critical Java security hole affecting Tiger, Leopard

Apple on Monday finally got around to patching a widely-publicized security flaw in the version of Java shipping with Mac OS X, which could leave a Mac open to attack while browsing the web.

The Mac maker came under criticism from a pair of security firms last month for failing to patch the exploit, which it has reportedly been aware of since January.

The vulnerability, which theoretically exists on all platforms supporting Java, could allow a remote user to run code, delete files, and execute applications on a Mac through a maliciously crafted Java applet.

When executed together with a privilege escalation vulnerability, hackers could remotely run any system-level process and get total access to a Mac. This could leave users open to “drive-by attacks," according to security firm Intego, which had recommended that users disable Java until a fix was made available.

On Monday, Apple released Java for Mac OS X 10.5 Update 4 (158MB download) and Java for Mac OS X 10.4, Release 9 (80.11MB), which address the problem on its Leopard and Tiger operating systems but updating Java versions 1.4, 1.5, and 1.6 to new versions.

Apple also noted that there were multiple vulnerabilities in its "Aqua Look and Feel for Java" implementation for Java 1.5 affecting only Mac OS X 10.5.7 and later. The update for Leopard addresses this issue as well by denying access to internal details of Aqua Look and Feel for untrusted Java applets.

Once the updates have been applied, it should be safe for Mac users who disabled Java on their Mac to re-enable it in Safari by choosing Safari > Preferences, clicking the Security tab, and then checking "Enable Java."



43 Comments

virgil-tb2 16 Years · 1416 comments

Quote:
Originally Posted by AppleInsider

Apple on Monday finally got around to patching a widely-publicized security flaw in the version of Java shipping with Mac OS X, which could leave a Mac open to attack while browsing the web. ...

Great news.

But after going for so long with Java turned off and seeing absolutely no effect on my browsing at all, I'm gonna leave it off.

It really should be the default setting at this point. No one who really needs and uses java applets is really likely to be on a Mac anyway.

clickmyface 18 Years · 79 comments

Quote:
Originally Posted by AppleInsider Once the updates have been applied, it should be safe for Mac users who disabled Java on their Mac to re-enable it

LOL. So, probably not even the guys at the security firm who found the vulnerability.

ltcommander.data 16 Years · 327 comments

Better late than never I guess.

In terms of versioning, Java 1.6 is actually up to Update 14 now, while Apple is only supplying Update 13 in this release. I can't really blame them since there probably wasn't enough turn-around time to incorporate Update 14 and the security patch available in Update 13 was more important anyways.

On the flip side, Apple actually incorporated Java 1.4.2 Update 21, which is considerate of them. Sun has EOL'd Java 1.4.2 for consumers and businesses still wanting support for versions greater than Update 19 have to pay Sun. It seems that Apple is paying Sun for continued support for Java 1.4.2 for all Mac users without charging us for the individual updates. Can't really complain about that although it is really Apple's obligation since Apple ships Java 1.4.2 as an integrated component of Tiger and Leopard so they really need to continue supporting for the OSs' lifecycle.

mactripper 15 Years · 1307 comments

Apple should be ashamed of themselves.

This exploit has been in the wild for 6 months before going public.

Then it took Apple months to fix it after the latest OS X update when it did finally go public and the Mac community screamed bloody murder warning everyone to turn off Java.

"God knows how many have been exposed." - Alien 2

This is not the first time Apple has ignored a vital security threat.

The serious Metadata exploit (still not fixed completely) was submitted by many folks, including myself, with back and forth emails to Apple Security folks and then it went unfixed for YEARS!!

It's still technically unfixed, only a warning now that your downloading app/first time running a app. A work around basically.

I started to think, why did Apple take so long to fix this latest Java exploit? Was it so people would download Safari 4 with it's sandboxing of plug-ins?

Pump up the download numbers a little for marketing dept? Along with a forced upgrade on the Windows side?

Why is Apple so slow in fixing the open source parts of OS X? It's a security risk with them not paying enough attention too.

Perhaps it's so many eyes finding the flaws in open source that Apple can't handle it?

Geting like Microsoft slow, Apple is - yoda

javacowboy 20 Years · 664 comments

I was very critical of Apple for leaving this vulnerability unpatched. Now, I want to congratulate them for doing the right thing. Better late than never!

But there's more good news. Apple has updated Java *to the most recent version put out by Sun*, which is Java 6 Update 14.

Since Apple is always well behind Sun on Java versions, this is a very pleasant surprise.