Mac users urged to patch Java security holes

Filed Under: Apple, Vulnerability

If you have Macs in your company it may be time to roll out a new bunch of patches - this time related to your Java installation. The new set of patches, issued by Apple, protects against 15 documented security vulnerabilities in your Java installation that could be exploited by hackers to run unauthorised code on your Mac computers.

According to a security advisory issued by Apple, Java for Mac OS X 10.5 Update 5 fixes multiple vulnerabilities that could allow cybercriminals to run code (such as a Trojan horse) on a visiting computer by embedding a malicious untrusted Java applet on a webpage.

The patches are available from the downloads area of Apple's website or via automatic updates.

By the way, none of the vulnerabilities affect users who have upgraded to Apple's latest version of Mac OS X, known as Snow Leopard.

For reasons which are as much of a mystery to me as the success of Ben Affleck, Java on the Mac comes from Apple, whereas Java on Windows, Linux and Solaris comes from Sun. That's not a problem, of course, if all the different flavours of Java are updated in unison.

Unfortunately, as ComputerWorld reports, Apple has in the past been slow to issue updates for Java, leaving the Mac version out of sync with the versions available (via Sun) for other operating systems.

Even Snow Leopard doesn't escape criticism in this regard, as it installs Java 6 version 1.6.0_15 whereas the most up-to-date version (issued by Sun on August 11th) is Java 1.5.0_16. Poor old Tiger (Mac OS X 10.4) users are left even more in the lurch - they haven't received an update for their Java since June 15th.

[Correction: Thanks to @Codepope who has informed me that there was no security-related content in Java 1.6.0_16 compared to _15.]

As always, our advice is for users to take prompt action and roll out these patches at the earliest opportunity. Companies like Apple and Microsoft do not announce security vulnerabilities for the fun of it - they issue advisories and patches in order to better protect their users from internet and hacker attacks.

Don't be a dummy - get your computers patched as a matter of priority. If you're still confused as to which version of Java you are running on your computer visit this great website by Michael Horowitz: www.javatester.org.
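For administrators who would rather check a fleet from the command line than visit a website, here is an added example (not from the original post or from Apple) that parses the version string printed by `java -version` and tells you whether a machine is at or above the update level you require. The sample `java -version` output below is constructed; the version strings follow the `1.6.0_15` style discussed above.

```bash
#!/bin/sh
# Added example: compare installed Java version (e.g. 1.6.0_15) against a required minimum.

# Turn "major.minor.micro_update" into one integer so versions compare numerically.
# Update numbers such as "07" have a leading zero stripped to avoid octal parsing.
java_version_key() {
  ver=$1
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; rest=${rest#*.}
  micro=${rest%%_*}
  case $rest in
    *_*) update=${rest#*_} ;;
    *)   update=0 ;;
  esac
  update=${update#0}
  [ -z "$update" ] && update=0
  echo $(( major * 1000000 + minor * 10000 + micro * 100 + update ))
}

# Pull the quoted version out of `java -version` output, which begins with a line like:
#   java version "1.6.0_15"
# (java prints this on stderr, so pipe with 2>&1 when running it for real).
extract_java_version() {
  sed -n 's/^java version "\([0-9._]*\)".*/\1/p' | head -n 1
}

# Exit status 0 if the installed version meets or exceeds the required one, 1 otherwise.
java_is_current() {
  installed=$1; required=$2
  [ "$(java_version_key "$installed")" -ge "$(java_version_key "$required")" ]
}

# Given raw `java -version` output and a required version, report a verdict.
java_patch_status() {
  installed=$(printf '%s\n' "$1" | extract_java_version)
  if [ -z "$installed" ]; then echo "unknown"; return 2; fi
  if java_is_current "$installed" "$2"; then echo "ok $installed"; return 0; fi
  echo "OUT OF DATE $installed (need $2)"; return 1
}

# Constructed sample output, as an unpatched Leopard machine might print it.
SAMPLE='java version "1.6.0_15"
Java(TM) SE Runtime Environment (build 1.6.0_15-b03)'
java_patch_status "$SAMPLE" 1.6.0_16 || true
```

On a live machine, replace the constructed sample with `java -version 2>&1` and pick the required version from Apple's advisory for your OS release.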

About the author

Graham Cluley is senior technology consultant at Sophos. The readers of Computer Weekly voted him security blogger of the year in 2009 and 2010, and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which was nice. He was also named "Best Security Blogger" by the readers of SC Magazine in 2011. You can subscribe to Graham's updates on Facebook, follow him on Twitter and circle him on Google Plus for regular updates.