Apple patches critical Java bugs, but leaves Leopard users vulnerable
Syncs Mac OS X 10.5 with Sun's early August fixes, but remains an update behind; Snow Leopard in same boat
Computerworld - Apple today patched 15 vulnerabilities in three versions of Java used by Mac OS X 10.5, or Leopard, bringing the operating system up to par with fixes that Sun issued a month ago.
Today's Leopard updates take that OS to the same edition of Java 6 included with Snow Leopard, which Apple shipped last week. At the same time, however, the update doesn't include the very latest Java fixes, which Sun delivered Aug. 11.
According to Apple's advisory, the upgrade patches 15 distinct vulnerabilities in Java, and updates Java 6 to version 1.6.0_15, Java 5 to version 1.5.0_20 and Java 4 to version 1.4.2_22. Sun issued those updates on Aug. 4.
All the vulnerabilities could allow for "arbitrary code execution," Apple-speak for the type of bug attackers can use to plant malicious code on a computer. Although other major software makers, like Microsoft and Oracle, assign threat rankings to their bug fixes, Apple does not. For example, Microsoft dubs the same kind of flaws as "critical."
"Visiting a Web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user," Apple said in its advisory, explaining how an attack might work.
The Java update applies only to the client and server editions of Mac OS X 10.5, which are currently at v. 10.5.8. Users still running Mac OS X 10.4, aka Tiger, remain stuck on older versions of Java. Tiger's Java components were last updated by Apple on June 15, when it bumped up Java 5 to 1.5.0_19 and Java 4 to 1.4.2_21.
Although the June update -- which also affected Leopard -- plugged holes that Sun had filled six months earlier, today's update came harder on the heels of Sun's fixes for Windows and Linux. "That's not too bad for Apple, actually," said Andrew Storms, director of security operations at nCircle Network Security, in an instant message.
Apple maintains its own versions of Java and is responsible for delivering patches to users. Typically, Apple is slow to patch the problems that Sun fixes, with a six-month lag not unusual. When Apple refreshed Java in September 2008, for example, it fixed more than two-dozen vulnerabilities, some of which had been patched in updates for Java for Windows, Linux and Solaris as far back as March 2008.
Apple has come under fire for its sluggish pace. Last May, for instance, a security researcher angered by the delays posted attack code that exploited one of the then-unfixed Java bugs.
Even with today's updates, however, Leopard still doesn't have the most up-to-date version of Java 6, which is 1.6.0_16. Sun shipped that update Aug. 11.
Snow Leopard, which caught flak this week for shipping a vulnerable version of Flash, also isn't in sync with Sun's latest Java. Computerworld today confirmed that Snow Leopard installs Java 1.6.0_15 during its upgrade, making it on par with today's Leopard update but still one version behind Sun's newest.
The Java security updates, identified as Java for Mac OS X 10.5 Update 5, can be downloaded manually from Apple, or installed using Mac OS X's integrated update service.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts