Apple Patches Java Hole Six Months After Initial Discovery

From DailyTech: With close to 75 million OS X distributions reportedly in the wild, triple the number two years ago, Apple has to start taking security more seriously. Fortunately for Apple users, while security researchers regularly demonstrate OS X exploits, the Black Hat community remains rather apathetic to attacking the Mac community.

The latest sign that OS X may not be as secure as some think came in May, when security firm Intego, which makes security software for Macs, warned users of a JavaScript flaw in the OS X Java distribution that could allow the execution of malicious code. Intego complained, "Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue."

Programmer Landon Fuller published proof-of-concept code in May showing how the exploit could be used against Apple OS X installs. Still, Apple did not release a patch. States Mr. Fuller, "Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated. Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

Now, a month later, Apple has finally released a patch for Java on OS X 10.5 Leopard (the latest version) and 10.4 Tiger. Apple describes the update as follows: "Java for Mac OS X 10.5 Update 4 delivers improved reliability, security, and compatibility for Java SE 6, J2SE 5.0 and J2SE 1.4.2 on Mac OS X v10.5."
