Severity: Medium
14 December, 2007
Summary:
- This vulnerability affects: OS X 10.4.x (not Leopard, 10.5)
- How an attacker exploits it: By enticing your users to a malicious web site
- Impact: Attacker executes code on your user’s computer, or modifies your user’s Keychain (passwords), potentially gaining complete control of your user’s computer
- What to do: Install Java Release 6 as soon as possible
Severity: Medium
14 December, 2007
Summary:
- This vulnerability affects: OS X 10.4.x (not Leopard, 10.5)
- How an attacker exploits it: By enticing your users to a malicious web site
- Impact: Attacker executes code on your user’s computer, or modifies your user’s Keychain (passwords), potentially gaining complete control of your user’s computer
- What to do: Install Java Release 6 as soon as possible
Exposure:
Today, Apple issued an alert fixing multiple vulnerabilities in the Java component that ships with OS X 10.4. Leopard (10.5) users are not affected by these vulnerabilities. Apple doesn’t explain these vulnerabilities in technical detail; instead, they describe the potential impact of these flaws. For instance, an attacker can exploit multiple unspecified flaws in Java and Java2 Standard Edition (J2SE) to either execute code or elevate his privileges on your user’s OS X computer. An attacker could also exploit another unspecified Java flaw to add or remove items from your user’s Keychain, which is essentially OS X’s password store. More simply, the attacker can mess with your passwords. In order to exploit any of these vulnerabilities, an attacker would have to entice one of your OS X users into visiting a malicious web page containing specially crafted Java code.
Solution Path:
Apple has issued Java Release 6 for OS X 10.4 to correct these flaws. If you manage OS X 10 computers, we recommend you download, test and deploy Java Release 6 [direct link to dmg] as soon as possible..
OS X’s Software Update automatically detects updates such as this one for OS X and then informs you, so that you can install the update as soon as possible. We recommend that you set Software Update to check for new updates daily, and allow it to assist you in keeping your Apple software current.
For All Users:
These attacks rely on one of your users visiting a web page containing malicious Java bytecode. The HTTP-Proxy policy that ships with most Firebox models automatically blocks Java bytecode by default. If you manage a Firebox with its default HTTP-Proxy, your users will not be able to download the malicious code needed to trigger many of these vulnerabilities.
Status:
Apple has released Java Release 6, which fixes these issues.