Security & Privacy

Oracle Issues Critical Patch Update for Java SE; Apple Offers Two Java Updates for OS X

Yesterday Oracle released Java SE 7u9 for Mac OS X and other platforms as a Critical Patch Update addressing multiple security vulnerabilities in the Java Runtime Environment and in the Oracle JRockit component. The update contains 30 new security fixes. Among the notable entries, Oracle lists CVE-2012-3202 as an umbrella identifier referring to the multiple advisories from the Java SE update that also apply to JRockit.

The vulnerabilities addressed in JRockit under CVE-2012-3202 are:

  • CVE-2012-1531: Affects all versions of Java SE before 7u9. An easily exploitable vulnerability that an unauthenticated attacker can reach over multiple network protocols; successful exploitation can result in full operating-system compromise, including arbitrary code execution.
  • CVE-2012-5081: Affects all versions of Java SE before 7u9. An easily exploitable vulnerability that an unauthenticated attacker can reach over SSL/TLS; successful exploitation can cause a partial denial of service (partial DoS) of the Java Runtime Environment.
  • CVE-2012-5083: Affects all versions of Java SE before 7u9. An easily exploitable vulnerability that an unauthenticated attacker can reach over multiple network protocols; successful exploitation can result in full operating-system compromise, including arbitrary code execution.
  • CVE-2012-5085: A security-in-depth issue (Oracle's term for a hardening fix rather than a directly exploitable flaw) in the Networking subcomponent of the Java Runtime Environment, affecting all versions of Java SE before 7u9.

On vulnerable versions of Java SE, these bugs allow remote attackers to affect confidentiality, integrity, and availability via unspecified vectors related to the 2D, JSSE, and Networking subcomponents.

In addition to Oracle’s Java SE 7u9 release, Apple is offering two new Java updates: one for OS X 10.6 Snow Leopard, and one for OS X 10.7 Lion and OS X 10.8 Mountain Lion. Seen as the next step in Apple’s plan to stop maintaining its own Java runtime, the update for Lion and Mountain Lion improves security by completely removing the Apple-provided Java applet plug-in from all web browsers; users who still need applets must then download the latest Java SE from Oracle. “This update also removes the Java Preferences application, which is no longer required to configure applet settings,” said Apple.

The following is from Apple’s security release notes:

Multiple vulnerabilities exist in Java 1.6.0_35, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_37.

The Snow Leopard update brings the Apple-provided system Java SE 6 to version 1.6.0_37, improving security, reliability, and compatibility. Apple also clarifies, “On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets.”

For those who use Java, we recommend updating immediately. Java is an easily exploitable attack vector because applets can be embedded in any web page: simply visiting a malicious page is enough to run untrusted applet code, and a sandbox escape like the ones fixed here turns that into arbitrary code execution as the current user. Mac users can download Java SE 7u9 from Oracle’s website. Apple’s 67.2 MB update for Lion and Mountain Lion can be downloaded from Apple’s Support Downloads page here: Java for OS X 2012-005. Apple’s 81.9 MB update for Snow Leopard can be downloaded from Apple’s Support Downloads page here: Java for Mac OS X 10.6 Update 11.
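To confirm that the update actually took, here is a small POSIX shell check. It is added to this post and is not Oracle’s or Apple’s tooling: it parses the first line of `java -version` output and compares it with the fix levels named above (1.7.0_09 for Java SE 7, 1.6.0_37 for Apple’s Java SE 6). One caveat it accounts for: on OS X, the `java` on your PATH is still Apple’s system runtime after these updates, while Oracle’s 7u9 browser plug-in ships its own binary; the plug-in path used below is the location Oracle’s Mac installer uses and is an assumption here, as are the sample version strings in the comments.

```shell
#!/bin/sh
# Added example (not from the post, Oracle, or Apple): report whether the first line of
# `java -version` is at or above the fix levels named in the post:
#   Java SE 7 -> 7u9   (reported as 1.7.0_09)
#   Java SE 6 -> 6u37  (reported as 1.6.0_37, Apple's "Java for Mac OS X 10.6 Update 11")
# Sample inputs such as 'java version "1.7.0_07"' are constructed test strings in the
# format Oracle and Apple JREs print; they are not captured from a real machine.

# Minimum update number for a major line ("7" or "6"); prints nothing for other lines,
# because the post names fix levels only for Java SE 7 and Java SE 6.
java_fix_level() {
    case "$1" in
        7) echo 9 ;;
        6) echo 37 ;;
        *) echo "" ;;
    esac
}

# java_is_patched 'java version "1.7.0_07"'
# Returns 0 if the reported JRE is at/above the fix level, 1 if it is older (vulnerable),
# and 2 if the line cannot be parsed or the major line is not covered by this post.
java_is_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || return 2
    # "1.7.0_09-b05" -> major "7", update "09"; any build suffix after the digits is ignored
    major=$(printf '%s\n' "$ver" | cut -d. -f2)
    upd=$(printf '%s\n' "$ver" | sed -n 's/^[0-9.]*_\([0-9]*\).*/\1/p')
    upd=$(printf '%s\n' "$upd" | sed 's/^0*//')   # "09" -> "9" so [ -ge ] compares decimally
    [ -n "$upd" ] || upd=0                         # no "_NN" at all: treat as update 0
    min=$(java_fix_level "$major")
    [ -n "$min" ] || return 2
    [ "$upd" -ge "$min" ]
}

# Stand-alone usage: check the PATH java and, if present, Oracle's plug-in binary.
# Assumption: Oracle's OS X installer places the plug-in runtime at this path.
ORACLE_PLUGIN_JAVA="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java"
for j in java "$ORACLE_PLUGIN_JAVA"; do
    if command -v "$j" >/dev/null 2>&1; then
        line=$("$j" -version 2>&1 | head -n 1)
        rc=0
        java_is_patched "$line" || rc=$?
        case "$rc" in
            0) echo "OK         $j: $line" ;;
            1) echo "VULNERABLE $j: $line" ;;
            *) echo "UNKNOWN    $j: $line" ;;
        esac
    fi
done
```

Run it as a normal user after installing the updates. A `VULNERABLE` line for the PATH `java` on Snow Leopard means the Apple update has not been applied; an `OK` line for the PATH `java` on Lion or Mountain Lion says nothing about the browser plug-in, which is why the Oracle plug-in binary is checked separately.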