(LiveHacking.Com) – There has been a flurry of activity over the last few weeks, both by attackers and by the Java engineers at Oracle, around a series of critical vulnerabilities in Java 7 that allow arbitrary code to run on a victim's computer when the victim merely visits a web page. Oracle recently released a patch for the Java 7 flaws (Java 7 Update 7) and, at the same time, an update to Java 6 (Java 6 Update 35). Now Apple has released its own build of the Java 6 update for OS X Snow Leopard and OS X Lion. The Java 6 update addresses a related but distinct flaw, CVE-2012-0547.
Apple's advisory reads as follows: "This update configures web browsers to not automatically run Java applets. Re-enable Java applets by clicking the region labeled 'Inactive plug-in' on a webpage. If no applets have been run for an extended period of time, the Java web plug-in will deactivate."
Oracle's Security Alert, which covered both updates, says that it addresses CVE-2012-4681 and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or to standalone Java desktop applications, and they may be exploited remotely without authentication if an unsuspecting user visits a malicious web page. This is the source of the confusion: those three vulnerabilities only affect Java 7 and are fixed in Java 7 Update 7. What Java 6 Update 35, and therefore Apple's update, actually carries is the fix for CVE-2012-0547, which Oracle describes as a security-in-depth fix in the AWT component that is not exploitable on its own.
The confusion has spread: even Brian Krebs, the renowned and respected security journalist, initially misread Apple's somewhat hazy advisory. In an update to his blog post he confirms that the OS X update addresses CVE-2012-0547. "Upon closer inspection, it looks like this patch applies just to CVE-2012-0547," wrote Krebs.
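Given the muddle over which CVE each update fixes, the practical question for an administrator is simply whether the runtime on a machine is at or beyond the fixed release: 1.6.0_35 for Java 6 (Oracle's Java 6 Update 35, and the version Apple's build reports) and 1.7.0_07 for Java 7 (Oracle's Java 7 Update 7). The script below is an added example written for this article, not code from LiveHacking, Oracle or Apple. It parses the first line of a `java -version` banner, compares the update number against those thresholds, and falls back to a constructed sample banner when no `java` binary is installed, so it runs offline. The threshold numbers are the only inputs; treat anything it reports as `unknown` (other major versions, or an unparseable banner) as needing a manual look.

```shell
#!/bin/sh
# Added example for the Java 6 Update 35 / Java 7 Update 7 fixes; not from the
# original article. Prints "patched", "vulnerable" or "unknown" for the installed
# Java runtime based on the version string in the first line of `java -version`.

# Extract the quoted version from a banner such as:
#   java version "1.6.0_33"
#   Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
# Also accepts "openjdk version" banners. Prints nothing if no version is found.
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^[A-Za-z]* version "\([^"]*\)".*/\1/p'
}

# Given a version string like 1.6.0_33, decide against the fixed releases:
#   Java 6 -> 1.6.0_35 (Java 6 Update 35), Java 7 -> 1.7.0_07 (Java 7 Update 7)
java_verdict() {
    v=$1
    # Legacy "1.x" scheme: major is the second dotted field; otherwise the first.
    case "$v" in
        1.*) major=$(printf '%s' "$v" | cut -d. -f2) ;;
        *)   major=${v%%.*} ;;
    esac
    # Update number follows the underscore; strip leading zeros ("07" -> "7").
    update=$(printf '%s' "$v" | sed -n 's/.*_0*\([0-9]*\).*/\1/p')
    [ -z "$update" ] && update=0       # no "_NN" suffix means the base release
    case "$major" in
        6) [ "$update" -ge 35 ] && echo patched || echo vulnerable ;;
        7) [ "$update" -ge 7 ]  && echo patched || echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Verdict for a full banner; "unknown" when the banner cannot be parsed.
java_verdict_from_banner() {
    ver=$(java_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo unknown
    else
        java_verdict "$ver"
    fi
}

# Use the real runtime when present; otherwise a constructed sample banner
# (an unpatched Java 6) so the script still demonstrates the check offline.
if command -v java >/dev/null 2>&1; then
    banner=$(java -version 2>&1)
else
    banner='java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)'   # constructed sample
fi
printf 'Java runtime: %s -> %s\n' \
    "$(java_version_from_banner "$banner")" "$(java_verdict_from_banner "$banner")"
```

On a Mac the same check can be pointed at a specific installation with the `JAVA_HOME` the system reports for each version, since Apple's Java 6 and Oracle's Java 7 can coexist; a "patched" Java 7 does not say anything about a still-unpatched Java 6 plug-in alongside it.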
OS X 10.8 Mountain Lion isn't affected by this advisory because Apple no longer ships Java with OS X, although Oracle's own Java 7 builds are available for the platform and need Oracle's update instead. Notably, this update is Apple's first patch for OS X Snow Leopard since June 12. Apple appears to have quietly abandoned the older release, without any notification or end-of-life announcement, which is typical of the company. The odd thing is that OS X Snow Leopard still powers around a third of all Macs.