Apple Fixes Six-Month-Old Java Bug For Leopard, Tiger


Specifically, the security update addresses a Java flaw in both the Leopard and later versions of the Tiger operating systems that could allow hackers to execute malicious code remotely on Mac OS X. The flaw can lead to "drive-by" attacks, which leave users susceptible to becoming infected simply by visiting a malicious Web site or clicking on an infected link. Malicious Java applets also can be distributed as attachments to e-mail messages, usually delivered in a social engineering scheme.

Java is a programming language that allows applications to run easily on multiple platforms and is embedded in Web pages.

Once malware is installed, hackers can then change or delete programs, view and steal sensitive information, run applications with full user rights or entirely shut down a user's Mac.

The Java flaw, which was first published in December 2008, came into the public eye again last month after security researcher Landon Fuller published proof-of-concept exploit code on his Web site demonstrating how the vulnerability could be exploited in the wild to execute malicious attacks or take control of a user's computer.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said in a blog post. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been made public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

Apple has come under fire from the security community for failing to address the Java bug for at least six months after it was first published.

While the Java error was made public and patched by its creator Sun Microsystems on Dec. 3, until Monday it had yet to be addressed with an update by Apple -- which has its own version of Sun's Java for Mac OS X.

As a workaround, Apple recommended that users disable Java in Safari or Firefox until a patch could be created and deployed. The Java patch is automatically available for Mac users and requires a restart for installation. Once the update is downloaded, users can safely reinstall Java in their Web browsers.