Apple has released a patch for a number of critical flaws in its Java implementation in Mac OS X, and users are being encouraged to update their machines as soon as possible. The most serious of the 11 vulnerabilities fixed in the Java update can allow an attacker to bypass the sandbox and run arbitrary code.
Apple shipped fixes for Java in both OS X 10.6.6 and later and OS X 10.5.8. The fix for Java comes just a few days after the company released a huge set of security updates as well as OS X 10.6.8.
“Multiple vulnerabilities exist in Java 1.6.0_24, the most serious of
which may allow an untrusted Java applet to execute arbitrary code
outside the Java sandbox. Visiting a web page containing a maliciously
crafted untrusted Java applet may lead to arbitrary code execution with
the privileges of the current user. These issues are addressed by
updating to Java version 1.6.0_26,” Apple said in its advisory.
Java is installed on millions of Macs worldwide and has become a favorite target of attackers in a number of different scenarios. It’s used in many drive-by download attacks and the prevalance of Java vulnerabilities and targeted attacks has led some security experts to recommend that users remove Java from their machines altogether.