appleinsider logo
Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple plugs critical Java security hole affecting Tiger, Leopard

Apple on Monday finally got around to patching a widely-publicized security flaw in the version of Java shipping with Mac OS X, which could leave a Mac open to attack while browsing the web.

The Mac maker came under criticism from a pair of security firms last month for failing to patch the exploit, which it has reportedly been aware of since January.

The vulnerability, which theoretically exists on all platforms supporting Java, could allow a remote user to run code, delete files, and execute applications on a Mac through a maliciously crafted Java applet.

When executed together with a privilege escalation vulnerability, hackers could remotely run any system-level process and get total access to a Mac. This could leave users open to “drive-by attacks," according to security firm Intego, which had recommended that users disable Java until a fix was made available.

On Monday, Apple released Java for Mac OS X 10.5 Update 4 (158MB download) and Java for Mac OS X 10.4, Release 9 (80.11MB), which address the problem on its Leopard and Tiger operating systems but updating Java versions 1.4, 1.5, and 1.6 to new versions.

Apple also noted that there were multiple vulnerabilities in its "Aqua Look and Feel for Java" implementation for Java 1.5 affecting only Mac OS X 10.5.7 and later. The update for Leopard addresses this issue as well by denying access to internal details of Aqua Look and Feel for untrusted Java applets.

Once the updates have been applied, it should be safe for Mac users who disabled Java on their Mac to re-enable it in Safari by choosing Safari > Preferences, clicking the Security tab, and then checking "Enable Java."