Latest OS X Java Updates Prevent Code Execution

Summary:

  • This vulnerability affects: OS X 10.5.x (Leopard) and 10.6.x (Snow Leopard)
  • How an attacker exploits it: By enticing your users to a malicious website containing specially crafted Java applets
  • Impact: In the worst case, an attacker executes code on your user’s computer, with that user’s privileges
  • What to do: Install Java for OS X 10.5 Update 9 or Java for OS X 10.6 Update 4 as soon as possible, or let Apple’s updater do it for you.

Exposure:

Today, Apple issued two advisories [1 / 2] describing Java security updates for OS X 10.5.x and OS X 10.6.x. Between them, the advisories cover 16 vulnerabilities (counted by CVE-ID) in OS X's Java components.

Apple does not describe these flaws in detail; it only shares the potential impact of the worst case. By luring one of your users to a malicious website containing a specially crafted Java applet, an attacker can exploit some of these flaws to execute code or elevate privileges on that user's OS X computer. In most cases the attacker gains only the privileges of the currently logged-in user. That is not root, but keep in mind that the first account created when an OS X system is set up is an administrator by default, so on many Macs the "logged-in user" is an administrator. Either way, we recommend you install Apple's OS X Java update as soon as possible.

Solution Path:

Apple has issued Java for OS X 10.5 Update 9 and Java for OS X 10.6 Update 4 (both distributed as .dmg disk images) to correct these flaws. If you manage OS X 10.5.x or 10.6.x computers, we recommend you download and deploy these updates as soon as possible, or let OS X's Software Update utility install the proper update for you.
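Deploying the installer is only half the job; a managed Mac should also be checked afterwards. The script below is an added example, not from the original alert and not Apple's or WatchGuard's tooling. It parses the first line of `java -version` (which Apple's JVM prints to stderr) and compares it against a minimum version per Java family. The minimum versions in MINIMUMS are an assumption based on Apple's release notes for these two updates (OS X 10.5 still ships Java 5 next to Java 6, so both families are listed); confirm them for your platform before relying on the result. The sample strings in the usage run are constructed. It is written to run on both the Python 2 that ships with those OS X releases and on Python 3.

```python
import re
import subprocess

# Minimum Java versions assumed to be delivered by the updates named in this
# alert, keyed by (major, minor) family. These values are an assumption for
# the example; confirm them against Apple's release notes before relying on
# them. OS X 10.5 ships Java 5 alongside Java 6, so both families are listed.
MINIMUMS = {
    (1, 5): (1, 5, 0, 28),
    (1, 6): (1, 6, 0, 24),
}

# Matches the first line `java -version` prints, e.g. java version "1.6.0_24".
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, minor, micro, update) parsed from `java -version` output,
    or None when no version line is present (for example, Java not installed)."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    return tuple(int(g or 0) for g in m.groups())


def is_patched(output, minimums=MINIMUMS):
    """True only when the reported version belongs to a known family and is at
    least that family's minimum. Unknown families and missing output count as
    not patched, so the check fails closed."""
    version = parse_java_version(output)
    if version is None:
        return False
    minimum = minimums.get(version[:2])
    return minimum is not None and version >= minimum


def installed_java_version_text():
    """Run the real `java -version`; Apple's JVM prints it to stderr."""
    proc = subprocess.Popen(["java", "-version"],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate()
    return (err + out).decode("utf-8", "replace")


if __name__ == "__main__":
    try:
        text = installed_java_version_text()
    except OSError:          # java binary not found
        text = ""
    print("patched" if is_patched(text) else "NOT patched (or Java not found)")
```

Run it as `python check_java.py` on each Mac (or push it through your management tool); a non-zero update number is compared as a fourth tuple element, so `1.6.0_24` correctly ranks above `1.6.0_22` and a plain `1.6.0` ranks below both.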

For All WatchGuard Users:

Some of these attacks rely on one of your users loading a web page that delivers malicious Java bytecode (a .class file or a JAR) to the browser's Java plug-in. The HTTP-Proxy policy that ships with most Firebox models blocks Java bytecode by default, which somewhat mitigates the risk posed by those vulnerabilities. It is a partial mitigation only: it covers traffic the HTTP proxy inspects, not every way Java code can reach a Mac, so the update is still required.
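How a bytecode filter of this kind can recognise Java content, as an added example that is not WatchGuard's code and does not describe the Firebox implementation: every Java class file begins with the magic number 0xCAFEBABE, and a JAR is a ZIP archive containing .class entries, so a proxy can decide on the bytes of the response body rather than on the Content-Type header, which the malicious site controls. The MIME type list, the sample responses and the mislabelled "image/gif" JAR below are constructed for the example.

```python
import io
import zipfile

# Every Java class file begins with the magic number 0xCAFEBABE.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# A JAR is a ZIP archive; a ZIP local file header starts with "PK\x03\x04".
ZIP_MAGIC = b"PK\x03\x04"

# MIME types commonly used to serve applets. This list is an assumption for
# the example, not the proxy's actual rule set.
JAVA_MIME_TYPES = {
    "application/java-archive",
    "application/x-java-applet",
    "application/java-vm",
    "application/x-java-vm",
}


def jar_contains_class(body):
    """True if body parses as a ZIP archive with at least one .class entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return any(name.lower().endswith(".class") for name in zf.namelist())
    except zipfile.BadZipfile:
        return False


def inspect_response(content_type, body):
    """Return (block, reason) for one HTTP response.

    The header is only a hint; the decision is made on the bytes, because a
    malicious site can serve bytecode under text/html or image/gif. The
    header match is kept as a fallback so declared Java content is still
    blocked when the body is empty or truncated.
    """
    mime = (content_type or "").split(";")[0].strip().lower()
    if body.startswith(CLASS_MAGIC):
        return True, "class file magic 0xCAFEBABE"
    if body.startswith(ZIP_MAGIC) and jar_contains_class(body):
        return True, "JAR archive containing .class entries"
    if mime in JAVA_MIME_TYPES:
        return True, "declared Java MIME type %s" % mime
    return False, "no Java bytecode detected"


def make_jar(entries):
    """Build an in-memory ZIP/JAR from {name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample responses: a fake class file (magic + version bytes),
# a JAR that will be served mislabelled as a GIF, and an ordinary HTML page.
SAMPLE_CLASS = CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 16
SAMPLE_JAR = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "Evil.class": SAMPLE_CLASS})
SAMPLE_HTML = b"<html><body><applet code='Evil.class'></applet></body></html>"

if __name__ == "__main__":
    for ct, body in [("application/java-archive", SAMPLE_CLASS),
                     ("image/gif", SAMPLE_JAR),
                     ("text/html", SAMPLE_HTML)]:
        print(ct, inspect_response(ct, body))
```

Two limits apply to any filter of this shape, whichever product implements it: it only sees traffic the proxy can read, so a response carried over TLS is invisible unless the proxy decrypts it, and a per-response check does not see a JAR that is split across several responses or wrapped in another container. That is why content filtering complements the patch rather than replacing it.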

Status:

Apple has released Java updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

Trackbacks/Pingbacks

  1. Latest OS X Java Updates Prevent Code Execution | microreksa - March 8, 2011
  2. IT Secure Site » Latest OS X Java Updates Prevent Code Execution - March 8, 2011
  3. 2011′s First OS X Update Patches 57 Vulnerabilities « WatchGuard Security Center - March 21, 2011
  4. 2011′s First OS X Update Patches 57 Vulnerabilities | microreksa - March 21, 2011
