At long last, Apple patches its Java vulnerability
After nearly a year, Apple has chosen to issue patches for a notorious security flaw in Java long since addressed by other operating systems. The move follows the release late last month of a zero-day exploit by a security researcher frustrated by the lag in Apple's response to the problem, not to mention a blitz of highly negative press coverage (here and elsewhere) for a company that has historically claimed its products to be more than ordinarily secure.
Both Java 1.4.2_18 and Java 1.5.0_16 have been known to contain multiple vulnerabilities for quite some time. Those vulnerabilities could, if exploited, allow an attacker to gain elevated privileges on a system, from which s/he could execute other attacks, scoop up sensitive information, or undertake any of the usual sorts of mayhem. The problem was especially dangerous because it was "purely Java" in nature. That is, an exploit could be written in Java and executed on any platform running it -- Windows, Mac, whatever.
Patches are available both for OS X users running 10.5.7 and later and for those on 10.4.11 and later, and your friends at Betanews suggest that you do not wait for Apple to push this update to you. Updating will require that you close all your browser windows.
One San Francisco researcher took matters into his own hands last month. Noting in a glum blog post that "it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Plausible Labs' Landon Fuller released proof-of-concept code showing just how easy the problem was to exploit. It's unclear whether Fuller's action, the combined efforts of the tech press, or a general cold wind from outside One Infinite Loop impelled Apple to make the security effort.