Apple fixes 18 flaws in Tiger's Java
Sun patched some of the bugs nearly a year ago; Apple only now issues a fix
Apple's newest operating system, dubbed Leopard, does not need to be patched because it includes the updated Java components.
According to the accompanying advisory, Tiger's Java, Java 1.4 and Java 2 Standard Edition 5.0 contain flaws that in some cases could lead to what Apple called "arbitrary code execution," which means that attackers may be able to insert their own malware during an exploit and/or gain complete control of the machine. Unlike rivals such as Microsoft Corp., Apple does not rank or rate its security updates to give users an idea of the severity of the bugs.
Among the 18 vulnerabilities is one discovered by 3com Corp.'s TippingPoint unit in June 2006 and another reported to Sun in October 2006 by a member of Google Inc.'s security team. TippingPoint's flaw was fixed in January 2007, and the Google-reported bug was patched by Sun in May 2007. In both instances, updates were made available at the time for the Java components used by Windows, Linux and Solaris. But because Apple crafts the Java runtime for Mac OS X, its users were left unprotected an additional 11 and seven months, respectively.
However, no exploits using either bug were reported during that time.
The 80MB update, dubbed "Java for Mac OS X 10.4, Release 6," was not marked as a security update on Apple's download site, nor were the vulnerabilities or their patches mentioned in the description that appeared when users received notice by Mac OS X's Software Update tool. The phrasing Apple used said only that Release 6 improves "reliability and compatibility" for Java.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts