Apple Java update, MS advisory and SSCC 10

Cup of Java that reads RTFM

Apple has released an update today for OS X 10.5 and 10.6. Java 1.6 update 18 patches more than 28 vulnerabilities in the Oracle (Man that sounds weird) Java runtime environment. In this case Apple only took five months to patch Java after critical vulnerabilities were patched by Oracle, unlike the six months it took last time. The patches also include fixes for Java 1.5. The current version of Oracle Java is 1.6 update 20 which was released within the last month. It is unclear why Apple has not released the current revision.

Aside from the standard advice to ensure you have updated all of your Macs this raises another interesting point I discussed with Sean Richmond during our Sophos Security Chet Chat this week. While it is nice that Apple includes things like Flash and Java in it’s standard OS updating mechanism, you are still at their mercy to actually test and deliver the fixes. I have been protected against these Java flaws on my Windows and Linux boxes since January, but my Mac stands alone. I cannot patch Java as it is only available after Apple makes it available.Note: Please see update at bottom, some of this information is incorrect

If Apple and Microsoft’s Windows Update service could help me patch these common components that would be great. As Graham pointed out Mozilla is now checking for out of date plugins, even for other browsers. The important thing is to be timely, which Apple seems to be struggling with. Is it that hard or is security simply not a priority at Apple?

Speaking of Microsoft, they released an advisory today about a flaw that could affect Windows 7 64 bit edition. At issue is a flaw in the canonical display driver used in Windows 7’s swanky new Aero user interface. This can also affect Windows 2008 R2, but only if you have enabled the Aero GUI.

The good news? New security functions in Windows 7 like ASLR make this attack very difficult to execute. It has not been seen in the wild and Microsoft is working on a fix. If you are uber-paranoid you can disable the Aero interface to mitigate against any possible attacks. The strange thing is that Windows Vista is not vulnerable despite including the Aero interface.

Sean Richmond one of our threat analysts from Sophos Australia joined me this week for Sophos Security Chet Chat episode 10. Sean and I discussed things that won’t go away like Internet Explorer 6 and Shockwave in addition to Google’s Wi-Fi debacle and Facebook.

If you enjoy this podcast you can download many more via iTunes or directly from our website.

Creative Commons image courtesy of richardmasoner’s Flickr photostream

Update: 19-May-2010 One of my readers Ian Whalley brought a mistake to my attention. I misread Apple’s advisory last night and they did in fact update Java to 1.6 update 20. This doesn’t change the fact that critical vulnerabilities in the previous release (update 17 for 1.6) have been patched since January, but it is good news that Apple has brought Java to its most secure current version. Lets hope Apple updates more quickly after Oracle’s scheduled July release.