Apple has issued a security update that patches critical vulnerabilities in the Safari web browser and Java for OS X.
The Safari update addresses bugs in version 6.0.4 for OS X Mountain Lion and Lion and version 5.1.9 for OS X Snow Leopard, bringing stability improvements and adding the ability to enable Java on a website-by-website basis.
"Java for Mac OS X v10.6 Update 15 delivers improved security, reliability, and compatibility for Java SE 6," Apple said in its release notes.
"This update enables website-by-website control of the Java plug-in within Safari 5.1.9 or later, and supersedes all previous versions of Java for Mac OS X v10.6."
This added functionality is good news for customers who need Java enabled at certain times, for example for internal business applications, as it is not always workable to disable the software completely.
Apple lists 21 specific CVE security vulnerability fixes to address flaws which, if exploited, could allow an attacker to crash the application and remotely execute code on a targeted system without authentication.
However, Oracle lists 39 vulnerabilities in its standalone patch, meaning that Apple's Mac update must have fixed only the Java bugs that it thinks are relevant to OS X.
As for the Safari update, security firm Qualys' CTO Wolfgang Kandek noted that it addresses a vulnerability in Webkit, the HTML rendering engine in Safari.
"The Webkit vulnerability was also originally found in [Google's] PWN2OWN competition, but in this case in Google's Chrome browser," Kandek said. "Google fixed the vulnerability last month, the day after it was handed to them by the organisers of the competition."
Both Java and Safari updates are available through the Software Update service in OS X that can be accessed from the Apple menu.
"On systems that have not already installed Java for OS X, this update disables the Java SE 6 applet plug-in," Apple advised. "To use applets on a web page, click on the region labeled 'Missing plug-in' to download the latest version of the Java applet plug-in from Oracle."