Java vulnerability in Mac OS X finally patched
It's been a long wait. Fire up Software Update and you should see Java for Mac OS X 10.5 (or 10.4) update 4. This update closes a vulnerability first discussed in August of last year; it was patched by Sun and most other JVM developers months ago. Apple's sluggishness on fixing this security issue could have allowed attackers to run arbitrary applications or processes on your machine if you visited a webpage hosting a malicious Java applet. The vulnerability was pointed out in graphic fashion by security researcher Landon Fuller.
Fuller took the exploit code that was circulating in the wild and built a proof of concept page that would run an innocuous program (the command-line 'say' utility) from a rigged Java applet; after the ensuing publicity, less than a month later, we have a patch.
Once you've updated, if you took the precaution of disabling Java in your browser settings, you can feel free to go ahead and turn it back on... although, if you haven't missed it, no need to change anything.
Thanks to everyone who sent this in.
[via Glenn Fleishman / TidBITS]



Reader Comments (Page 1 of 2)
BooyahGuy said 7:08PM on 6-15-2009
a
Aerospeed said 7:31PM on 6-15-2009
choo?
darth_nazgul said 7:31PM on 6-15-2009
Thank you for your insightful opinion! Your comments make TUAW a happy place for everyone!
LexyF said 7:46PM on 6-15-2009
Lol, mistype. Not Booyah. :)
Jonathan A said 7:43PM on 6-15-2009
I get a dialog saying, "The update "Java for Mac OS X 10.5 Update 4" can't be installed."
Jonathan A said 8:20PM on 6-15-2009
I rebooted and re-ran Software Update. It re-downloaded the update and then installed. A quick Java test in Safari showed no problems.
Ethan said 8:23AM on 6-16-2009
Same thing happened here. Who knows, maybe it had performance anxiety.
Doug McIntosh said 7:34PM on 6-15-2009
Installed on 10.4.11 PPC. Safari 4.0 was really hinky (even crashed without any Crash Report dialog!). Fine after a restart.
So far, so good...
Cycomachead said 7:53PM on 6-15-2009
I'm pretty sure that if I spill any coffee on my MacBook it will be fired. AFAIK, it's still vulnerable to Java...now when can Apple fix this one? That'd be really cool! ;)
Dean said 8:01PM on 6-15-2009
Dear reporter,
Are you sure it works on 10.4?
Sincerely yours,
A A said 8:32PM on 6-15-2009
You have to shut down Safari and iTunes before it will install.
Arvi
Bryant said 7:30AM on 6-17-2009
Anyone else lose their Java Web Start application after this update?
AC said 12:40PM on 6-18-2009
"Anyone else lose their Java Web Start application after this update?"
I sure did, and it's driving me nuts. I've not been able to get it back nor find any information on it...
Khan said 12:12AM on 6-16-2009
I installed the new Java Update and after that my LimeWire stopped working; the icon bounces once at the Dock and that's it. Does anyone have the same issue? Please tell me how I can fix this.
thanks
Kyol said 1:13AM on 6-16-2009
Ooo, thanks for the heads up on that - I have a Java-driven Oracle database interface that I would be _seriously_ up a creek if it stopped working. Time to do some basic testing on my laptop first.
C3peos said 11:37AM on 6-23-2009
I had exactly the same problem, did you find out how to solve it???
Thx
MD88 said 12:58AM on 6-16-2009
Thanks A A; I hope that's the reason why my update won't install...
MD88 said 1:14AM on 6-16-2009
Shutting down ALL applications wasn't enough. I had to restart the computer before the update would install.
bud said 4:06AM on 6-16-2009
If you run software update while Safari is open, as most of us probably do, it will apparently auto install, without a problem. But has it installed? I couldn't stop the install once it started, although I should have been prompted to quit Safari before it tried.
I figure it will actually install when I restart.
Ivan berroa said 8:19AM on 6-16-2009
If you still want LimeWire to work, don't install this update yet. This update has been breaking everyone's LimeWire.