
Apple Patches Java Flaws, At Last

Apple on Monday shipped updates to plug more than two dozen security holes in its version of Java, including a particularly dangerous flaw that Java maker Sun patched back in early December.

Last month, Security Fix and others took Apple to task for taking too long to fix Java vulnerabilities. In fact, I found that Apple patches Java flaws on average about six months after Sun had shipped its own updates to fix the same vulnerabilities. At least two different researchers even released proof-of-concept exploits to shame Apple into quickly fixing an easy-to-exploit vulnerability that potential attackers had known about for six months.

This Java update appears to address most of the outstanding Java vulnerabilities. Judging from the Common Vulnerabilities and Exposures (CVE) numbers attached to each of the flaws fixed by Apple's Java rollup, it looks like this update brings Mac OS X systems to the equivalent of Java 6 Update 13 (Sun recently released Update 14, but there don't appear to be any security-related fixes in that bundle).

Mac users can grab the latest Java version via Software Update or directly from Apple's Software Downloads Web site.

By Brian Krebs  |  June 16, 2009; 6:55 AM ET
Categories:  New Patches , Safety Tips  | Tags: apple patch, java  

Comments

Hi Brian.
When I tried to install this patch on my MacBook this morning, I got a "cannot download the update" message. When I tried to install it on my brand new (and I mean brand new) iMac, it froze up the preference panel and I had to do a hard reboot. I've NEVER had a problem downloading an update on a Mac. Any thoughts?

Posted by: smkpuck1 | June 16, 2009 10:02 AM

So, uh, Brian - how many of the 75M or so OS X users were affected by the dire and evil script kiddies who were able to use this Java hack?

I thought so.

Posted by: Eideard | June 16, 2009 10:19 AM

Hi Eideard -- I don't know. And I doubt if any of them were affected, that they'd know either.

Posted by: BTKrebs | June 16, 2009 10:23 AM

Eiheard the Diehard:

How about letting BK respond to your legitimate question before inserting your wiseacre response?

Posted by: peterpallesen | June 16, 2009 10:25 AM

I also got an error on an attempt of installation, until I realized that Java is an integral program on the Mac.

I simply shut down all software programs not essential to the Java installation. It seems that the main culprit was the browser, Firefox in this case.

I initiated a software update and the update installed with no errors. I still reboot my Mac like I used to do Windows, just for good measure.

Hope this helps anyone else faced with the error message.

Posted by: belukaszewicz1 | June 16, 2009 1:37 PM

This was a first for me: an Apple update that would not install despite all browsers being closed as per installation instructions. An error report was generated instead. Re-booting the computer and immediately doing the install seemed to remedy the situation.

Posted by: Cortimetrix | June 16, 2009 3:39 PM

I also initially had an error on installing this update this morning. Curious, usually updates go smoothly, so I looked at the description and noticed the part that tells the user to quit all web browsers (I had both Safari and Firefox running at the time). I quit the browsers and tried again - same error. Confused, I quit Software Update, figuring it cached something. Started SU again - success!

Bottom line - make sure to quit all browsers before running the update!

Posted by: dalkorian | June 16, 2009 3:44 PM

I've read on /. that there was a permissions problem in the initial fix provided by Apple that caused the install of the patch to fail.

Rebooting my MacBook Air and my wife's MacBook after receiving the error the first time fixed the issue. Apparently rebooting somehow forces the machines to download the patch a second time and install cleanly.

Posted by: Annorax | June 16, 2009 5:11 PM

Instructions very clear:
Java for Mac OS X 10.5 Update 4 delivers improved reliability, security, and compatibility for Java SE 6, J2SE 5.0 and J2SE 1.4.2 on Mac OS X 10.5.7 and later. This release updates Java SE 6 to version 1.6.0_13, J2SE 5.0 to version 1.5.0_19, and J2SE 1.4.2 to 1.4.2_21.
******
Please quit all web browsers before installing this update.
********
For more details on this update, please visit this website: http://support.apple.com/kb/HT3581

Posted by: Rejini | June 17, 2009 8:28 AM

As reported by others, even though all applications were shut down, I had to reboot before the installation would work... Also a first for me.

And those simple instructions were followed.

Posted by: hubiehd | June 17, 2009 10:31 AM


© 2010 The Washington Post Company