Apple has issued security updates for Java for both Leopard (Mac OS X 10.5) and Snow Leopard (Mac OS X 10.6). The Java for Mac OS X 10.6 Update 4 fixes 16 vulnerabilities, “the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.” As Apple says, “Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.”
The Java for Mac OS X 10.5 Update 9 fixes the same vulnerabilities plus 11 others, and covers two versions of Java.
Interestingly, Apple is not giving any details about these flaws; it merely cites the CVE (Common Vulnerabilities and Exposures) identifiers for them. In a recent security update for iTunes for Windows, Apple did the same thing, but in the past it provided a description of each flaw. Apple directs users to the Oracle website for “more information” about these updates, but the page it links to lists only the Java version numbers that are affected.
In any case, anyone who uses Java should install these updates immediately (they are delivered through Software Update). Java applets are an easily exploited attack vector: an applet embedded in a web page is fetched and run by the browser's Java plug-in as soon as the page loads, so an attacker only has to lure the victim to a page they control. Users who do not need Java in the browser can reduce their exposure by disabling the Java plug-in in the browser's security settings until they do.
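As a quick way to confirm that the update actually took, here is an added shell check (my own example, not anything from Apple or the article) that parses the first line of `java -version` output and compares it against a minimum version you supply. The article does not state which Java build the updates install, so the minimum version is an assumption passed in by the caller; the sample `java -version` text below is constructed, not captured from a real machine, and the parser assumes Apple's `java version "1.x.y_nn"` output format.

```shell
#!/bin/sh
# Added example: check that the installed Java meets a minimum version.
# version_key turns "1.6.0_24" into a single comparable integer
# (major, then minor, micro and update number as 3-digit groups).

version_key() {
    # split on '.' and '_'; any missing component counts as 0
    set -- $(printf '%s' "$1" | tr '._' '  ')
    printf '%d%03d%03d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# extract_java_version "<java -version output>" -> e.g. 1.6.0_24
# Matches the 'java version "..."' line Apple's JVM prints first.
extract_java_version() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# java_at_least "<java -version output>" "<minimum version>"
# exit 0 if installed >= minimum, 1 if older, 2 if output was unparseable
java_at_least() {
    v=$(extract_java_version "$1")
    [ -n "$v" ] || return 2
    [ "$(version_key "$v")" -ge "$(version_key "$2")" ]
}

# Constructed sample output (not from a real system) for an older Java.
SAMPLE_OLD='java version "1.6.0_22"
Java(TM) SE Runtime Environment (build constructed-sample)
Java HotSpot(TM) Client VM (build constructed-sample, mixed mode)'

# Live check on a Mac; the minimum version here is a placeholder you
# replace with the build number listed in Apple's release notes:
#   java_at_least "$(java -version 2>&1)" 1.6.0_24 && echo "Java is up to date"
```

Note that `java -version` writes to standard error, hence the `2>&1` in the usage comment; also note that a Leopard machine may have more than one Java version installed, so check whichever one the browser plug-in is configured to use.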