Apple Plugs Java Security Hole

Apple has issued a Java security update after last week’s hullabaloo over a gaping hole in the software platform.

Oracle patched a number of Java security vulnerabilitie after the security community pleaded for it to fix a zero-day flaw, but certain flaws were left unfixed for Mac users.

As Apple still takes responsibility for maintaining security for Java 6 on Mac OS, it has been compelled to issue its own update. In 2010, it handed full responsibility back to Oracle for future versions of Java, meaning that it hasn’t been forced into issuing its own Java 7 updates.

Security-in-depth

In yesterday’s update for the Snow Leopard, Lion and Mountain Lion operating systems, Apple said it was offering cover for the CVE-2012-0547 flaw. Apple said there was  “an opportunity for security-in-depth hardening” that would be addressed by updating to Java version 1.6.0_35, in its advisory posted yesterday.

Right at the end of August, Oracle issued out-of-band Java security fixes, one of which addressed the zero-day flaw that hackers were trying to exploit.

But it may have more patching to do, as Polish firm Security Explorations said it had found a new flaw, which, when combined with some other unaddressed vulnerabilities, could be used to bypass Java security.

It is not scheduled to patch Java again until mid-October, so may be forced into issuing another out-of-band release. It has yet to offer comment on the newly-found bug.

Are you a security guru? Try our quiz!