Mac users still waiting for ‘critical’ Java runtime update

Posted by Dennis Sellers Apple ico Aug 23, 2007 at 3:45pm

Mac users are still waiting … and waiting … and waiting on a “critical” Java runtime update.

Ten months ago, a member of Google’s security team discovered and reported two code execution vulnerabilities in Sun’s Java ICC (image) profile parsing code.Seven months later, Sun issued an update (JDK 1.5.0_11-b03) that was available for Window, Solaris, and Linux. However, Apple’s Java runtime has not yet been updated, “meaning that millions of Mac OS X users are at risk of remote code execution attacks,” according to a ZDNet article.

The article notes that “Apple’s security team does not answer questions on specific patches (my queries routinely get a non-response about taking security seriously) so it’s anyone’s guess when a Mac OS X update will ship. Meanwhile, developer Landon Fuller has created a third-party patch with full source code.

“Apple’s Java runtime has not yet been updated, so I’ve gone ahead and written a run-time patch for my own use,” Fuller says. “If you’d like to use the patch too, you can download the source, or a pre-built binary. You’ll need to install Application Enhancer to use the patch. Alternatively, you could simply disable Java in your browser to close the most likely vector. The issue is due to an integer overflow that occurs when validating that an ICC header tag does not exceed the total length of the heap allocated profile data buffer; The comparison will overflow if the header declares an too-large tag size.”

Have you joined the Apple Nation Panel yet?



Leave a comment ⇒
Please post the article topic & comment in our forums. No registration required.






Article Information

Comment on this Article Print this Article Email this Article Digg This

Contributor

Contributor

Dennis Sellers

Dennis has been a newspaper editor/reporter (seven years) and teacher (seven years). He has over 4,000 magazine, newspaper and online articles to his credit.  He has also covered the Mac and tech industries for over a decade for such online publications as MacCentral, MacMinute and now MacsimumNews.

Recent Articles

The MacReviewCast #215: SnapArt 2, FotoMagico, Mach Desktop, MacNerdNews
Follow ‘Macsimum News’ on ‘Twitter’ now
‘Macsimum Podcast’ looks at Sonnet price cuts, iPhone boot camp, more
Join our forums and win a bundle of Mac apps!
Macsimum iPhone Video: Speed Test - iPhone 3G S vs. iPhone 3G vs. Palm Pre
Happy 4th of July weekend! (2nd annual virtual fireworks)
‘The Tech Night Owl’ looks at PR Mac, new MacBook Airs, more
One person shot at Apple retail store in Arlington, Virginia
iPhone 3G S ‘cleans up’ in Japan’s smartphone market
The Mac Night Owl: ‘The Mac Hardware Report: no more price cuts for now’
iHanWel releases iDay Deluxe 2.3 for the iPhone, iPod touch
MacOSG: How to monitor iPhone/iPod touch power consumption
eMedia Music to distribute Guitar Lab instructional DVDs
BagAmp portable amplifier system announced
Ngmoco releases Rolando 2 for iPhone, iPod touch
FlashVideo Converter for Mac OS X gets improved FPS settings
Mac cloner Psystar says it’s ready to leave Chapter 11 bankruptcy protection
Apple exempt from China’s Internet filtering mandate?

Milebug 1.4 released for the iPhone, iPod touch
Sonnet announces price cut on Tempo SATA Pro ExpressCard/34


Hotel München