Apple Java vulnerability
p2p news / p2pnet: Apple has released a Mac security update for a Java vulnerability that could allow "Untrusted Java applications" to "obtain elevated privileges," says the company.
"Elevated privileges" mean hackers could get into users’ computers.
"For example an application may grant itself permissions to read and write local files that are accessible to the user running the Java Web Start application," said Sun way back in February.
The fix provides J2SE version 1.5.0_06, "which is not susceptible to these vulnerabilities," promises Apple, adding:
"Additionally, a minor security-related fix is included in this update for Java InputMethods. Due to an issue handling input method events, it is possible that key events intended for a secure field such as a password field may be sent to a normal text field in the same window. This could result in accidental password disclosure to others present when the password is entered. This update addresses the problem by properly handling input method events."
There are "no reliable symptoms that would indicate the described issue has been exploited," warned Sun.
Apple gives the CVE-IDs as: CVE-2006-0614, CVE-2006-0615, CVE-2006-0616 and CVE-2006-0617.
"To determine the version of Java on a system, the following command can be run," says Sun:
% java -fullversion
java full version "1.5.0_02-b09"
J2SE 5.0 Release 4 can be downloaded and installed using Software Update, or Apple Downloads, says Apple.
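The version check above can be scripted. This is an added example, not code from Apple, Sun or p2pnet: it compares `java -fullversion` output against the fixed release the article names (1.5.0_06). The function name and the result labels are made up for illustration, and only the 1.5.0 line is judged because that is the only fixed version the article gives.

```shell
#!/bin/sh
# Added example: compare `java -fullversion` output with the fixed
# release named in the article (J2SE 1.5.0_06).
FIXED_FAMILY="1.5.0"   # release line the article's fix applies to
FIXED_UPDATE=6         # update number of the fixed release

# classify_java_version LINE
# Prints "fixed", "below-fix" or "unknown" (labels chosen for this example).
classify_java_version() {
    # Extract the quoted version string, e.g. 1.5.0_02-b09
    ver=$(printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || { echo unknown; return; }

    ver=${ver%%-*}       # drop the build suffix -> 1.5.0_02
    family=${ver%%_*}    # release line          -> 1.5.0
    case "$ver" in
        *_*) update=${ver#*_} ;;   # update number -> 02
        *)   update=0 ;;           # no _NN suffix: initial release
    esac

    # The article gives a fixed version for 1.5.0 only; do not guess for others.
    [ "$family" = "$FIXED_FAMILY" ] || { echo unknown; return; }
    case "$update" in
        ''|*[!0-9]*) echo unknown; return ;;   # non-numeric update field
    esac

    # Strip leading zeros so 08 and 09 compare as plain decimal numbers.
    update=$(printf '%s' "$update" | sed 's/^0*//')
    update=${update:-0}

    if [ "$update" -ge "$FIXED_UPDATE" ]; then
        echo fixed
    else
        echo below-fix
    fi
}

# Sample input: the output line quoted in the article.
classify_java_version 'java full version "1.5.0_02-b09"'

# On a live system the line goes to stderr, so capture it with 2>&1:
#   classify_java_version "$(java -fullversion 2>&1)"
```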
Also See:
Apple - About the security content of J2SE 5.0 Release 4, April 17, 2006
Sun - Sun Alert ID: 102170, February 7, 2006




