Apple pushes out critical Java security update for OS X users

Stephen Gillies, editor

In an effort to resolve at least two remotely exploitable vulnerabilities that can be taken advantage of whilst a user is browsing the Internet, Apple has released an update to Java SE 6 which appears as 'Java for Mac OS X Update 5 Version 1.0' within the Software Update tab.

All OS X users are strongly encouraged to update, as this update resolves a number of published security issues.

java update mac OS X

According to Oracle, Java Platform Standard Edition (Java SE) is "designed to enable you to develop secure, portable, high-performance applications for the widest range of computing platforms possible."

"Java SE lets you develop and deploy Java applications on desktops and servers, as well as today's demanding embedded and real-time environments."

With a significant global footprint it's no wonder Oracle need to keep on top of the latest vulnerabilities. The latest update to the Java 6 Platform (6 1.6.0_26) was released in the second week of June 2011, and was available immediately to Linux, Windows, and Solaris platforms. Android users are encouraged to update their host and development operating systems where relevant. iOS 4.3 does not support Java.

Paul Ducklin from Sophos points out that Java updates for Mac OS X aren't listed on the Oracle download website. "You can download the latest updates for Linux, Solaris and Windows - and even for the esoteric Itanic processor - but there's no offering for OS X users of any stripe."

Mac users are left to wait for Apple to approve the updates and distribute them, a wait which could be days or even weeks while the Java environment remains unpatched. As recently as May 2011 McAfee reported in a blog post that a new cross-platform malware threat had been seen 'in the wild' - one that can execute on Windows and Mac operating systems with older versions of Java.

"IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms" McAfee blog author Carlos Castillo wrote.

IncognitoRAT performs a number of activities, including

  • Java Remote Control: To view and take remote control (keyboard and mouse) of an infected machine
  • JLayer – MP3 Library: To remotely play an MP3 file on the infected machine
  • RNP-VideoPlayer: To play videos remotely
  • JavaMail: Optional Java package to send stolen information to an email account
  • Freedom for Media Java: Open-source alternative to the official Java Media Framework; used by the malware to watch and record images from a remote webcam

One of the most worrying issues fixed by the latest Java release is the ability for a Java applet to escape from Java's much-vaunted protective sandbox.

"Escape from the sandbox means that remotely-served, untrusted applets can trick the system into letting them behave like locally-installed, trusted applications. That's never supposed to happen, and it's always bad." Ducklin explains.

To update, just invoke the Software Update... option under the Apple menu and apply the outstanding Java update.

For corporate networks with large numbers of Mac users this could be a bandwidth intensive task.

There are some solutions available including software which can manage OS X end points centrally. Apple also provides the Software Update Enabler (free from Apple downloads) which points Mac clients later than OS X 10.4 to a local server for system updates.

The Mac OS X Update 5 Version 1.0 update is approximately 80Mb.