Apple fixes Safari RSS vulnerability, updates Java

Posted in macOS, edited January 2014
Apple on Thursday afternoon released Security Update 2009-001 that, among other fixes, tackles the Safari RSS vulnerability made public last month. Also, a Java for Mac OS X update delivers security and compatibility improvements for users running Leopard or Tiger.



Security Update 2009-001



The update is available in several builds through Software Update: Leopard (43.4MB), Server Universal (213MB), Tiger PowerPC (74MB), Leopard Server (46.54MB), Tiger Server PowerPC (141.76MB), and Tiger Intel (164.23MB).



According to Apple, the update fixes the Safari flaw disclosed last month, which let a malicious website read a user's personal information by way of a crafted RSS feed.



"This update addresses the issues through improved handling of embedded JavaScript within feed: URLs," Apple wrote, thanking Brian Mastenbrook for bringing attention to the issue in mid-January along with Laconic Security's Clint Ruoho and Microsoft's Billy Rios.
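Apple's note describes the fix only as "improved handling of embedded JavaScript within feed: URLs", and the Safari code itself was never published. The following is an added example, not Apple's code, of the general hardening that note points at: before a feed: URL is handed to anything that fetches or renders it, unwrap it and allow only a plain http(s) target, refusing javascript:, data:, file: and nested feed: wrappers. The two spellings handled (feed://host/path and feed:<absolute-url>), the depth bound and the sample URLs are assumptions made for the example.

```javascript
// Added example: resolve a feed: URL to a fetchable http(s) target, refusing
// everything else. Illustrates the class of fix ("improved handling of
// embedded JavaScript within feed: URLs"); it is not Apple's Safari code.
// Uses the WHATWG URL parser that is global in browsers and in Node.

const SAFE_INNER_SCHEMES = new Set(["http:", "https:"]);
const MAX_UNWRAP_DEPTH = 3; // assumption: bound on feed:feed:... nesting

// Peel one feed: layer. Two spellings are accepted (assumption for the example):
//   feed://host/path     -> http://host/path
//   feed:<absolute-url>  -> <absolute-url>
// Returns null when `raw` is not a parseable feed: URL.
function unwrapFeedUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (u.protocol !== "feed:") return null;
  // Slice the normalised href, not the raw string: the parser strips leading
  // whitespace and control characters, so raw offsets could be wrong.
  const rest = u.href.slice("feed:".length);
  return rest.startsWith("//") ? "http:" + rest : rest;
}

// Returns { ok: true, href } for an acceptable target, or { ok: false, reason }.
function feedUrlToFetchTarget(raw) {
  let current = raw;
  for (let depth = 0; depth < MAX_UNWRAP_DEPTH; depth++) {
    const inner = unwrapFeedUrl(current);
    if (inner === null) {
      return { ok: false, reason: "not a well-formed feed: URL" };
    }
    let target;
    try {
      target = new URL(inner);
    } catch {
      return { ok: false, reason: "inner URL does not parse" };
    }
    if (target.protocol === "feed:") {
      current = inner; // nested wrapper: peel another layer and re-check
      continue;
    }
    // Scheme allowlist is the core check: javascript:, data:, file: and any
    // other scheme that could run script or read local content are refused.
    if (!SAFE_INNER_SCHEMES.has(target.protocol)) {
      return { ok: false, reason: `inner scheme ${target.protocol} not allowed` };
    }
    if (target.username !== "" || target.password !== "") {
      return { ok: false, reason: "credentials embedded in inner URL" };
    }
    return { ok: true, href: target.href };
  }
  return { ok: false, reason: "feed: wrapping nested too deeply" };
}

// Constructed sample inputs for a quick run; none are real feeds.
const CONSTRUCTED_SAMPLES = [
  "feed://example.com/rss",
  "feed:https://example.com/rss.xml",
  "feed:javascript:alert(1)",
  "feed:feed:javascript:alert(1)",
  "feed:file:///etc/passwd",
  "feed:data:text/html,hello",
  "http://example.com/rss",
  "feed:",
];

for (const sample of CONSTRUCTED_SAMPLES) {
  console.log(sample, "=>", JSON.stringify(feedUrlToFetchTarget(sample)));
}
```

The allowlist is the point: a denylist of "javascript:" alone misses data:, file: and nested feed: wrappers, and checking the raw string misses whitespace and case variants that the URL parser normalises away.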



Other fixes are included for vulnerabilities in the X11 server, the AFP server and Apple Pixlet Video, a memory corruption issue in CarbonCore, and a flaw that let local users access another user's deleted, then recreated, Downloads folder, to name a few.



Tiger-specific vulnerabilities repaired in this round were found in FreeType and LibX11. According to the document, computers running Leopard are either not affected by these two issues or were already fixed in Mac OS X 10.5.6.



Apple Support has the full release notes.



Java for Mac OS X 10.5 Update 3, 10.4 Release 8



Leopard users are asked to install Java for Mac OS X 10.5 Update 3 (3MB), which improves the security and compatibility of Java on Mac OS X 10.5.6 and later.



Details are few, but Apple says the release updates the Java Web Start and Java Applet components.



Users of Apple's older Tiger release are being given Java for Mac OS X 10.4 Release 8 (1.6MB) through Software Update to update the same Web Start and Applet components in the earlier software.

Comments

  • Reply 1 of 7
    kolchak (Posts: 1,398, member)
    Apple's Java has been really spotty on my system. The Sunlit Earth widget, which uses Java, doesn't launch properly at least 50% of the time. It just sits there with the graphic indicating it's loading Java. Hopefully, this update fixes that.
  • Reply 2 of 7
    backtomac (Posts: 4,579, member)
    Quote:
    Originally Posted by Kolchak


    Apple's Java has been really spotty on my system. The Sunlit Earth widget, which uses Java, doesn't launch properly at least 50% of the time. It just sits there with the graphic indicating it's loading Java. Hopefully, this update fixes that.



    I have that widget too but its not given me any problems.



    I've not bothered with these updates so far. I'll wait and see how they do in the wild first. And you never know, Apple may take them down tomorrow.
  • Reply 3 of 7
    The flaw in Safari was found 7 months ago by Mastenbrook but Apple did nothing about it.



    How about giving the real facts about the security update so people actually do the update.



    Quote from article posted on Computer World along with a link to the rest of the story



    "According to Brian Mastenbrook, one of the three researchers Apple credited with reporting the Safari bug, Apple had information about the flaw more than seven months ago. "After six months passed without a fix, I decided to post a warning on January 11, 2009, due to my judgment that this issue could be exploited at any time as long as it remained unfixed," Mastenbrook said in an entry to his blog Thursday, after Apple had delivered its updates."



    Link along with the other 55 bugs that the update fixes.



    http://www.computerworld.com/action/...ource=rss_news
  • Reply 4 of 7
    Apple needs to grow up with regards to how it handles security patches. Two months' delay for a Java security fix / seven months for a known RSS feed bug.
  • Reply 5 of 7
    lkrupp (Posts: 10,557, member)
    Quote:
    Originally Posted by talksense101


    Apple needs to grow up with regards to how it handles security patches. Two months' delay for a Java security fix / seven months for a known RSS feed bug.



    And not a single report of any Mac user being compromised by any of the alleged serious flaws. So go right ahead and hide under your bed while the rest of us continue to enjoy using our Macs.
  • Reply 6 of 7
    mr. me (Posts: 3,221, member)
    Quote:
    Originally Posted by lkrupp


    ... So go right ahead and hide under your bed ...



    Without aluminum foil on your head, hiding under the bed does no good at all.
  • Reply 7 of 7
    As a Java developer, it sucks to have to always be behind Windows, Linux and Solaris, and roughly on par with FreeBSD in getting Java updates. After buying a MacBook Pro, for the first time since Apple released a Java 6 preview for Tiger, I have Java 6 installed on my system.



    Apple long ago decided to implement their own version of Java for OS X, and Sun allowed them to do so. In retrospect, Apple should have been more careful about making the commitment to Java, which I'm sure they regret, seeing as it's drawing away resources from their native software development needs. It doesn't help that they had to catch flak from the Java development community (many of whom buy Apple's pro machines to do development) for their atrocious communication about which version of Java Leopard would ship with (it ended up being Java 5).



    Fortunately, Java is now open sourced, and there's an active community of Java developers working to port OpenJDK to OS X. The Swing implementation may take a while, though.