The Mac Security Blog

Security & Privacy

Apple Releases Java 6 Update to Fix Vulnerabilities

Posted on by

Apple has released critical Java 6 updates for Mac OS X Snow Leopard, OS X Lion, and OS X Mountain Lion. Described as “an opportunity for security-in-depth hardening,” these patches will update Java SE 6 to version 1.6.0_35.

Apple’s release for Snow Leopard, Java for Mac OS X 10.6 Update 10, and for Lion and Mountain Lion, Java for OS X 2012-005, each resolve exploitable vulnerabilities in the Java SE 6 plugin by configuring web browsers to not automatically run Java applets. “This update configures the Java plug-in to deactivate when no applets are run for an extended period of time,” says a release on Apple’s support site.

This update comes on the heels of last week’s Java 0-day exploit, CVE-2012-4681, which Oracle patched for the vulnerable Java version 7. Oracle’s out-of-band patch incorporated fixes for vulnerabilities exploited “in the wild”; however, the resolution may have caused a new security issue that also makes other bugs not yet addressed possible to exploit.

Adam Gowdiak wrote about the new security issue affecting Java SE 7 Update 7 in greater detail on Bugtraq:

One of the fixes incorporated in the released update also addressed the exploitation vector with the use of the sun.awt.SunToolkit class. Removing getField and getMethod methods from the implementation of the aforementioned class caused all of our full sandbox bypass Proof of Concept codes not to work any more […].
[W]e sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again.

Note that Mac users running Java 6 are not vulnerable to the alleged sandbox bypass issue discovered in Oracle’s emergency Java 7 patch. The Java 0-day exploit only affects OS X users who have Java 7 installed, which we clarified in a tweet last week:

As always, these updates can be obtained from the Software Update pane in System Preferences or via Apple’s Software Downloads page.