Apple pushes out critical Java security update for OS X users

Are you a Mac user who’s ever gone looking online for what Oracle calls the Java Platform – either the JRE (runtime environment) or the JDK (development kit)?

You’ll have noticed what seems at first to be a glaring omission:

You can download the latest updates for Linux, Solaris and Windows – and even for the esoteric Itanic processor – but there’s no offering for OS X users of any stripe.

That’s because Apple packages the JDK with the OS X operating system distribution, and updates the OS X version of the Java Platform through its own Software Update process.

Oracle published its latest update to the Java Platform in the second week of June, pushing out the impressively-named Java SE 6 Update 26 (version string 1.6.0_26).

Apple has now caught up, and OS X users are strongly advised to apply this latest update.

This update fixes at least two remotely exploitable vulnerabilities that can be triggered whilst you’re browsing. This sort of exploit lets cybercriminals perform what’s known as a drive-by install, a drive-by execution or just a drive-by. That’s a strong metaphor, but it’s an appropriate one.

A drive-by can trick software – such as your browser, PDF reader or other online content viewer – into downloading and running malicious code without producing any of the “are you sure” warnings or the “do you want to save” dialogs you would usually expect.

In particular, the vulnerabilities fixed in this update allow Java applet code to escape from Java’s much-vaunted protective sandbox.

Escape from the sandbox means that remotely-served, untrusted applets can trick the system into letting them behave like locally-installed, trusted applications. That’s never supposed to happen, and it’s always bad.

To update, just invoke the Software Update… option under the Apple menu and apply the Java SE update. It’s about 80 MB to download and doesn’t require a reboot.
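To confirm afterwards that the installed runtime is actually at the 1.6.0_26 level, here is an added check written for this article (not Apple’s or Oracle’s tooling). It assumes the first line of `java -version` reads `java version "1.6.0_NN"`; the sample strings below are constructed.

```shell
#!/bin/sh
# Added example, not from the article: parse `java -version` output and
# report whether the runtime is at or above the 1.6.0_26 level.
# Assumes the first line reads: java version "1.6.0_NN"

PATCHED_MAJOR=6      # Java SE 6 line covered by this update
PATCHED_UPDATE=26    # 1.6.0_26 is the patched build

# Echo "<major> <update>" (e.g. "6 26") parsed from java -version text.
# Returns 1 if no version line is found. A build with no "_NN" suffix
# is treated as update 0.
java_update_level() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    major=$(printf '%s' "$ver" | cut -d. -f2)
    update=$(printf '%s' "$ver" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*_\([0-9]*\).*/\1/p')
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$update" ] || update=0
    echo "$major $update"
}

# Returns 0 if the runtime is 1.6.0_26 or newer, 1 if older,
# 2 if the version string could not be parsed.
java_is_patched() {
    level=$(java_update_level "$1") || return 2
    major=${level%% *}
    update=${level##* }
    [ "$major" -gt "$PATCHED_MAJOR" ] && return 0
    [ "$major" -lt "$PATCHED_MAJOR" ] && return 1
    [ "$update" -ge "$PATCHED_UPDATE" ]
}

# Constructed sample strings (build identifiers are made up).
SAMPLE_OLD='java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b00-000-00000)'
SAMPLE_NEW='java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b00-000-00000)'

# Live check: java -version writes to stderr, so capture both streams.
if command -v java >/dev/null 2>&1; then
    if java_is_patched "$(java -version 2>&1)"; then
        echo "Installed Java is at or above 1.6.0_26"
    else
        echo "Installed Java is older than 1.6.0_26 (or unrecognised): run Software Update"
    fi
fi
```

A newer major line (for example a 1.7.0 runtime) is reported as patched, since the check only concerns the Java SE 6 update discussed here.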

For the technically curious, the update patches against these vulnerabilities, amongst other things: CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871 and CVE-2011-0873.

Apple’s writeups about the update can be found in knowledgebase articles HT4593, HT1222 and HT4739.