
Apple Mac OS X patch for Java finally arrives

Users were left open to Java flaw for over six weeks
Wed Apr 04 2012, 12:07

AFTER MAC USERS were left open to attack for "more than six weeks", Apple has finally patched a Java flaw in Mac OS X 10.6 and 10.7.

The Ithing maker released a Knowledge Base article yesterday advising users of Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3 and OS X Lion Server v10.7.3 to update their Java software.

Apple said that the fix addressed "multiple vulnerabilities" in Java 1.6.0_29, the most serious of which could allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.

"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_31," Apple warned.

However, Apple's advisory and update come after Oracle warned of the security issues and pushed out the Java 31 updates for Windows, Linux and Unix in the middle of last month. This delay has drawn criticism from security experts.

"Today's release updates Java to version 6 update 31 which Oracle released for Windows, Linux and Unix on February 14th," security company Sophos said on its blog.

"This does make you wonder whether Apple takes security as seriously as it should. Perhaps its public facing image of being invulnerable is the prevailing attitude within the company. Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear. Fortunately, once it became a problem the company responded quickly."

Sophos went on to point out that the Apple release comes hard on the heels of an in-the-wild exploit actively targeting Mac users, in one of the first drive-by exploits the company has seen for OS X. µ

 
