Severity: Medium
25 September, 2008
Summary:
- This vulnerability affects: OS X 10.4.x (Tiger) and 10.5.x (Leopard)
- How an attacker exploits it: By enticing your users to a malicious web site
- Impact: In the worst case, an attacker executes code on your user’s computer, potentially gaining control of it
- What to do: Install Java for OS X 10.4 Release 7 or Java for OS X 10.5 Update 2 as soon as possible
Exposure:
Amidst all the noise created by Cisco and Mozilla yesterday, Apple quietly issued two alerts [ 1 / 2 ] updating the Java components that ship with OS X 10.4 and 10.5. The alerts describe several vulnerabilities in OS X’s Java components, covering some of them in detail while leaving others unexplained. Despite their technical differences, the worst of these Java vulnerabilities share the same potential impact: an attacker can exploit many of them to either execute code or elevate privileges on your users’ OS X computers. To exploit these vulnerabilities, the attacker would simply have to lure one of your OS X users into visiting a malicious web page containing specially crafted Java code.
Solution Path:
Apple has issued Java Release 7 for OS X 10.4 and Java for OS X 10.5 Update 2 to correct these flaws. If you manage OS X computers, we recommend you download, test and deploy these updates as soon as possible.
OS X’s Software Update utility automatically detects updates such as this one for OS X and then informs you, so that you can install the update as soon as possible. We recommend that you set up Software Update to check for new updates daily, and allow it to assist you in keeping your Apple software current.
For All WatchGuard Users:
Some of these attacks rely on one of your users visiting a web page containing malicious Java bytecode. The HTTP-Proxy policy that ships with most Firebox models automatically blocks Java bytecode by default. If you manage a Firebox with its default HTTP-Proxy, your users will not be able to download the malicious code needed to trigger some of these vulnerabilities.
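The proxy behaviour described above depends on recognising Java bytecode by what it is rather than by what the server claims it is. The following is an added illustration of that kind of check, written for this advisory and not WatchGuard's own proxy code: it inspects an HTTP response body for the Java class-file magic number (0xCAFEBABE) and for JAR archives that carry .class entries, ignoring the declared Content-Type entirely. All sample responses are constructed inline. One caveat a practitioner on OS X should know: universal (fat) Mach-O binaries begin with the same four magic bytes, so the check also looks at the next field, which in a class file is the version (major version 45 or higher) and in a fat binary is a small architecture count; this heuristic is an assumption of the example.

```python
import io
import struct
import zipfile

# Every Java class file begins with these four bytes.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Lowest class-file major version ever issued (Java 1.1 == 45).
# Fat Mach-O headers share the magic but place a small nfat_arch
# count in the same position, so this threshold tells them apart
# (assumption: same heuristic file(1) uses; not from the advisory).
MIN_CLASS_MAJOR = 45


def is_java_class(data: bytes) -> bool:
    """True if the payload looks like a Java class file, not a fat Mach-O."""
    if len(data) < 8 or data[:4] != JAVA_CLASS_MAGIC:
        return False
    # Bytes 4..8 are minor_version (u16) then major_version (u16); read as
    # one big-endian u32 they are >= 45 for any real class file, while a
    # fat binary's nfat_arch is a small integer.
    (version_field,) = struct.unpack(">I", data[4:8])
    return version_field >= MIN_CLASS_MAJOR


def jar_contains_class(data: bytes) -> bool:
    """True if the payload is a ZIP/JAR archive holding at least one .class entry."""
    if data[:2] != b"PK":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith(".class") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def classify_body(body: bytes) -> str:
    """Return 'block' when the body carries Java bytecode in any form, else 'allow'."""
    if is_java_class(body) or jar_contains_class(body):
        return "block"
    return "allow"


def build_sample_jar() -> bytes:
    """Constructed JAR: a ZIP archive with a single minimal .class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Applet.class", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x32")
    return buf.getvalue()


# Constructed responses: (declared Content-Type, body). The declared type is
# shown only to make the point that the check never consults it.
SAMPLES = {
    "honest class file": ("application/java-vm", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x31" + b"\x00" * 16),
    "class served as gif": ("image/gif", JAVA_CLASS_MAGIC + b"\x00\x03\x00\x2d"),
    "jar as octet-stream": ("application/octet-stream", build_sample_jar()),
    "universal binary": ("application/octet-stream", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x02"),
    "real gif": ("image/gif", b"GIF89a" + b"\x00" * 10),
    "html page": ("text/html", b"<html><body>hello</body></html>"),
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_body(body) for name, (_, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        declared = SAMPLES[name][0]
        print(f"{name:22s} declared={declared:26s} -> {verdict}")
```

The two disguised samples (a class file labelled image/gif and a JAR labelled octet-stream) are both blocked while the fat binary, real GIF and HTML page pass, which is the property a content-inspecting proxy needs: a malicious page cannot bypass the filter just by mislabelling the applet it serves.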
Status:
Apple has released Java Release 7 for OS X 10.4 and Java for OS X 10.5 Update 2, which fix these issues.