Apple released a major round of Java fixes for the Mac platform Wednesday that addressed at least 30 vulnerabilities, including ones that enable hackers to launch remote code execution and denial of service attacks on Mac users.
Altogether, Apple released Java Mac OS X 10.5 Update 7 and Java for Mac OS X 10.6 Update 2, addressing multiple vulnerabilities, the most serious of which allow a maliciously crafted Java applet to be used by attackers for remote code execution or denial of service attacks, according to security advisories released by Cupertino, Calif.-based Apple.
In an attack scenario, hackers could either embed a malicious Java applet in a legitimate site or create a malicious site and trick users into visiting it. In most cases, the attack begins by embedding a specially crafted link in an e-mail or otherwise enticing users to visit the infected site, typically through some kind of social engineering scheme.
The critical Java flaws stem from a variety of causes, including out-of-bounds memory issues, an out-of-bounds memory access in the handling of mediaLibImage objects, and a signedness issue in the handling of window drawing.
Among Apple's slew of patches was a fix for a vulnerability in the Java Plug-in shipped with the Java SE Development Kit (JDK) and Java Runtime Environment (JRE) that had remained unpatched since March 2009. If left unpatched, the flaw allows remote attackers to cause a trusted applet to run in an older JRE version, which can subsequently be used to exploit vulnerabilities in that older version. Attackers who exploit the flaw could access privileged information; steal, alter or delete data; or shut down a user's Mac.
Thus far there are no reports of attacks actively exploiting the Java vulnerabilities. Even so, Apple recommends that users update their systems as soon as possible. Users can install the Java for Mac updates from the Software Update pane in System Preferences or from Apple's Software Downloads site.