Apple pushes out critical Java security update for OS X users

Filed Under: Apple, Featured, Java, Malware, Oracle, OS X, Vulnerability

Are you a Mac user who's ever gone looking online for what Oracle calls the Java Platform - either the JRE (runtime environment) or the JDK (development kit)?

You'll have noticed what seems at first to be a glaring omission:

You can download the latest updates for Linux, Solaris and Windows - and even for the esoteric Itanic processor - but there's no offering for OS X users of any stripe.

That's because Apple packages the JDK with the OS X operating system distribution, and updates the OS X version of the Java Platform through its own Software Update process.

Oracle published its latest update to the Java Platform in the second week of June, pushing out the impressively-named Java SE 6 1.6.0_26.

Apple has now caught up, and OS X users are strongly advised to apply this latest update.

This update fixes at least two remotely exploitable vulnerabilities that can be triggered whilst you're browsing. This sort of exploit lets cybercriminals perform what's known as a drive-by install, a drive-by execution or just a drive-by. That's a strong metaphor, but it's an appropriate one.

A drive-by can trick software - such as your browser, PDF reader or other online content viewer - into downloading and running malicious code without producing any of the "are you sure" warnings or the "do you want to save" dialogs you would usually expect.

In particular, the vulnerabilities fixed in this update allow Java applet code to escape from Java's much-vaunted protective sandbox.

Escaping from the sandbox means that remotely-served, untrusted applets can trick the system into letting them behave like locally-installed, trusted applications. That's never supposed to happen, and it's always bad.

To update, just invoke the Software Update... option under the Apple menu and apply the Java SE update. It's about 80MBytes to download and doesn't require a reboot.
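Once Software Update has run, it is worth confirming that the Java you actually have is at the level the update delivers. The shell script below is an added example, not code from the original article or from Apple: it assumes that the first line printed by `java -version` has the form `java version "1.6.0_26"` (the update number is the digits after the underscore), and it treats anything below update 26 of Java SE 6 as still needing the patch. The two banner strings in it are constructed samples so the script runs on any POSIX shell without a Java installation present.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether a `java -version`
# banner reports Java SE 6 update 26 or later, the level this Apple update brings.
# Assumption: the banner's first line looks like:  java version "1.6.0_26"

MIN_UPDATE=26   # Java SE 6 1.6.0_26, the release named in the article

# Extract the update number (the digits after the underscore) from a banner line.
# Prints the number, or nothing at all if the line is not a 1.6.0_NN banner.
java_update_number() {
    printf '%s\n' "$1" | sed -n 's/^java version "1\.6\.0_\([0-9][0-9]*\)".*/\1/p'
}

# Succeed (exit 0) if the banner is Java 6 at update MIN_UPDATE or later,
# fail (exit 1) if it is older or does not look like a Java 6 banner at all.
java_update_ok() {
    n=$(java_update_number "$1")
    [ -n "$n" ] && [ "$n" -ge "$MIN_UPDATE" ]
}

# Constructed sample banners standing in for the first line of `java -version 2>&1`.
OLD_BANNER='java version "1.6.0_24"'
NEW_BANNER='java version "1.6.0_26"'

# On a real Mac, replace the samples with:  java -version 2>&1 | head -n 1
for banner in "$OLD_BANNER" "$NEW_BANNER"; do
    if java_update_ok "$banner"; then
        echo "up to date:   $banner"
    else
        echo "NEEDS UPDATE: $banner"
    fi
done
```

Note that `java -version` writes its banner to standard error, which is why the real-system command redirects with `2>&1` before piping to `head`. A banner that the pattern does not recognise (for example a different major version) is reported as needing attention rather than silently passed, so the check fails closed.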

For the technically curious, the update patches against these vulnerabilities, amongst other things: CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871 and CVE-2011-0873.

Apple's writeups about the update can be found in knowledgebase articles HT4593, HT1222 and HT4739.


2 Responses to Apple pushes out critical Java security update for OS X users

  1. Kelly · 1566 days ago

    You guys are the best. You are my most useful Facebook "Like" to date. Thanks for keeping me up to date on the latest online security threats.

  2. Michelle · 1566 days ago

    Thanks again Sophos!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog