Apple has released a patch that fixes a laundry list of vulnerabilities in Java after Oracle pushed out a fix for the technology for users of Windows and other platforms. The patch from Apple also completely disables the Java plugin in users’ browsers in order to prevent users from falling victim to new attacks on the oft-vulnerable application.
Apple for some time has pushed out its own patches for Oracle’s Java technology because the company doesn’t like third-party vendors pushing updates to its users. That’s going to change, as Oracle now has the ability to update Java on Mac OS X. The latest Java patch for OS X fixes a large number of vulnerabilities in the application.
“Multiple vulnerabilities exist in Java 1.6.0_35, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_37,” Apple’s security advisory said.
The new patches for Java are available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, and OS X Mountain Lion 10.8 or later. The vulnerabilities fixed by the Apple Java patch are:
CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5086, CVE-2012-5089
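The advisory quoted above gives a concrete threshold: Java 1.6.0_35 is affected and 1.6.0_37 addresses the issues. The script below, an added example and not code from Apple or Oracle, parses the version reported by `java -version` and decides whether a machine is at or past that fixed level. Only the two version numbers come from the advisory; the sample output string is constructed, and the family check (returning `None` for a build that is not 1.6.x) is an assumption added so that the 1.6.0_37 threshold is never applied to a release it does not cover.

```python
"""Decide whether a reported Java 6 build is at or past the level Apple's advisory
names as fixed (1.6.0_37). Added example; not Apple's or Oracle's code."""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "1.6.0_37"       # version the advisory says addresses the issues
VULNERABLE_VERSION = "1.6.0_35"  # version the advisory names as affected

# First line of `java -version` output looks like:  java version "1.6.0_35"
_VERSION_IN_OUTPUT = re.compile(r'java version "([^"]+)"')
# Java 6 style version string: major.minor.patch_update (update part optional)
_VERSION_STRING = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '1.6.0_35' into a tuple that compares numerically, e.g. (1, 6, 0, 35)."""
    m = _VERSION_STRING.match(version)
    if m is None:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    major, minor, patch, update = m.groups()
    return int(major), int(minor), int(patch), int(update or 0)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if `version` is at or past `fixed`, False if below it.

    Returns None when the installed build belongs to a different release family
    (assumption: a 1.6.0_37 threshold says nothing about a 1.7.x build)."""
    installed = parse_java_version(version)
    required = parse_java_version(fixed)
    if installed[:2] != required[:2]:
        return None
    return installed >= required


def extract_version(java_version_output: str) -> Optional[str]:
    """Pull the quoted version out of raw `java -version` output, or None if absent."""
    m = _VERSION_IN_OUTPUT.search(java_version_output)
    return m.group(1) if m else None


def assess_java_version_output(java_version_output: str) -> dict:
    """Combine extraction and the threshold check into one result record."""
    version = extract_version(java_version_output)
    if version is None:
        return {"version": None, "patched": None}
    return {"version": version, "patched": is_patched(version)}


# Constructed sample of `java -version` output (not captured from a real machine).
SAMPLE_OUTPUT = (
    'java version "1.6.0_35"\n'
    "Java(TM) SE Runtime Environment (build constructed-for-example)\n"
)


def run_local_check() -> dict:
    """Run the check against the java binary on PATH.

    `java -version` writes to stderr, so both streams are merged before parsing."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return assess_java_version_output(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print(assess_java_version_output(SAMPLE_OUTPUT))
    try:
        print(run_local_check())
    except FileNotFoundError:
        print("no java binary on PATH")
```

Running the script prints `{'version': '1.6.0_35', 'patched': False}` for the constructed sample and then the result for whatever `java` is on the local PATH. Note that the advisory also says the Apple patch disables the browser plugin; a runtime at 1.6.0_37 or later is necessary but the plugin state is a separate check this script does not make.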
Java has emerged as one of the key targets for attackers, who have been exploiting vulnerabilities in the application for fun and profit for years now. Some groups have used previously unknown Java bugs in targeted attacks, but it’s often the case that users don’t update their Java plugins on a regular basis, so attacks on older vulnerabilities are quite common, as well.