Like Windows and Linux, Apple’s Mac OS X includes Sun Microsystems’ Java. But while users of those operating systems got their patches for Java vulnerabilities a month ago, Apple’s update came only yesterday.
The Java for Mac OS X 10.5 Update 5 includes five advisories for security vulnerabilities that could put OS X 10.5 users at risk. According to Apple, the new Mac OS X 10.6 Snow Leopard release is not affected by the security issues.
Among the Java issues patched by Apple in the update is a stack buffer overflow condition in the Java Web Start command launcher.
“Launching a maliciously crafted Java Web Start application may lead to an unexpected application termination or arbitrary code execution,” Apple stated in its advisory. “This update addresses the issue through improved bounds checking.”
While Mac users may be getting their update later than Windows users, OS X is not at risk from all the same vulnerabilities as Windows. For instance, Apple’s Java update advisory does not include a reference to the CVE-2009-2493 vulnerability patched on Windows. CVE-2009-2493 refers to a Java Web Start ActiveX control issue that is triggered by a flaw in Microsoft’s Active Template Library (ATL).
It is the same ATL flaw that Microsoft issued out-of-band updates in July to correct.
Apple has faced earlier criticism for lagging behind in providing OS X users with software updates from third parties like Sun.
With Java in particular, Apple’s last update in June also came well behind Sun’s own fixes. Security researcher Landon Fuller warned on his site about the numerous Java vulnerabilities that had already been publicly disclosed and addressed by Sun — but which still existed in shipping OS X code. Fuller issued his own proof of concept for the flaws in May.
Spokespeople from Apple didn’t return requests for comment by press time.
Java isn’t the only lagging software update for Apple. With the recent Snow Leopard release, Apple delivered an out-of-date version of Adobe Flash that is vulnerable to known security exploits.
Apple has not yet directly provided Snow Leopard users with an update for Flash, but Adobe is advising that Mac OS X 10.6 users get it for themselves.
“The initial release of Mac OS X 10.6 (Snow Leopard) includes an earlier version of Adobe Flash Player than what is available from Adobe.com,” Adobe’s David Lenoe wrote in a blog post. “We recommend all users update to the latest, most secure version of Flash Player (10.0.32.18) — which supports Snow Leopard and is available for download from http://www.adobe.com/go/getflashplayer.”
Adobe itself has come under criticism by at least one security vendor that claims the software maker isn’t doing enough to ensure that Flash users are running the most up-to-date version.