(LiveHacking.Com) – In the past Apple has come under heavy criticism due to the unacceptable amount of time it takes the Cupertino company to release Java updates for its OS X operating system. April and May saw a massive malware breakout on OS X due to a vulnerability in Java. The problem was that Oracle fixed the vulnerability in February but Apple didn’t release a patch until April. In the intervening months over half a million Macs got infected with the Flashback Trojan.
This time around Oracle has patched a number of Critical vulnerabilities in Java and Apple has stepped up its game. On the same day as Oracle, Apple released a Java update for Mac OS X v10.6 Snow Leopard and OS X v10.7 Lion.
The Java update fixes 14 security issues; 12 of these vulnerabilities are remotely exploitable without authentication. This means that they can be exploited over a network without the need for a username and password. The most serious of the vulnerabilities allows an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
The OS X update also includes some security hardening measures. First, the Java browser plugin and Java Web Start are deactivated if they are not used for 35 days. By default they are automatically deactivated. Secondly, the Java browser plugin and Java Web Start are deactivated if they do not meet the minimum safe version. The minimum safe version of Java is updated daily, as needed. To re-enable Java, a newer version needs to be installed.
The update from Oracle affects the following versions of Java:
- JDK and JRE 7 Updates 4 and earlier
- JDK and JRE 6 Update 32 and earlier
- JDK and JRE 5.0 Update 35 and earlier
- SDK and JRE 1.4.2_37 and earlier
- JavaFX 2.1 and earlier
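The two deactivation rules described in the hardening paragraph above (idle for 35 days, or below the minimum safe version) can be modelled as a small policy check. The code below is an added example, not Apple's or Oracle's code: it parses Java version strings of the `1.x.y_NN` form and compares them numerically, which matters because a plain string comparison would rank `1.6.0_9` above `1.6.0_33`. The minimum-safe table is constructed for the example; its values are chosen to line up with the affected-version list above (update 32 and earlier for Java 6, update 4 and earlier for Java 7), not taken from Apple's daily list.

```python
"""
Policy check modelled on the two plugin-deactivation rules:
  1. deactivate when the plugin has not been used for 35 days
  2. deactivate when the installed version is below the minimum safe version
Added example; version parsing and the minimum-safe table are assumptions.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

IDLE_LIMIT_DAYS = 35  # threshold stated in the article

# Java 1.x.y_NN form, e.g. "1.6.0_33"; the update number is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

# Constructed minimum-safe table keyed by (major, minor) family.
# Values are one update past the affected ranges listed above.
MINIMUM_SAFE = {
    (1, 6): "1.6.0_33",
    (1, 7): "1.7.0_5",
}


def parse_java_version(text: str) -> tuple:
    """Return (major, minor, micro, update) so versions compare numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def plugin_should_be_disabled(installed: str, last_used: date, today: date,
                              minimum_safe: dict = MINIMUM_SAFE) -> list:
    """Return the list of reasons to deactivate; an empty list means keep it on."""
    reasons = []

    idle = today - last_used
    if idle >= timedelta(days=IDLE_LIMIT_DAYS):
        reasons.append(f"unused for {idle.days} days")

    version = parse_java_version(installed)
    family = version[:2]
    floor = minimum_safe.get(family)
    if floor is not None and version < parse_java_version(floor):
        reasons.append(f"version {installed} is below minimum safe {floor}")

    return reasons


if __name__ == "__main__":
    today = date(2012, 6, 20)  # constructed dates
    for installed, last_used in [("1.6.0_33", date(2012, 6, 1)),
                                 ("1.6.0_31", date(2012, 4, 1)),
                                 ("1.7.0_4", date(2012, 6, 10))]:
        reasons = plugin_should_be_disabled(installed, last_used, today)
        state = "DISABLED" if reasons else "enabled"
        print(f"{installed:10} last used {last_used}: {state} {reasons}")
```

Parsing into an integer tuple is the part worth copying: any version gate that compares release strings lexically will silently pass old builds once an update number grows an extra digit.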