February 23, 2005, 9:43 AM — Apple Computer Inc. has released a patch for Mac OS X fixing a major security hole in Java -- three months after Sun Microsystems Inc.'s original warning.
The vulnerability, first revealed in late November, could allow an applet, embedded in a website for example, to bypass Java's security restrictions and potentially execute malicious code on a user's system. It wasn't originally clear whether OS X was affected -- Sun's November advisory only listed Solaris, Linux and Windows in its list of vulnerable operating systems.
"You only need to visit a website for it to be able to run arbitrary code outside the Java sandbox environment. This gives the attacker the same privileges as the user who is currently logged on," said Thomas Kristensen, chief technology officer at IT security firm Secunia.
On Tuesday, Apple acknowledged the Java flaw affects Mac OS X and included the fix in a security update. The fix is available from Apple's website and through OS X's automated update system. On OS X, the bug doesn't affect versions of Java before 1.4.2, Apple said. Kristensen noted that some operating system makers, such as Gentoo, patched the flaw a few days after Sun's original warning.
The Java flaw is an embarrassment for Sun, which portrays Java as more secure than Microsoft alternatives such as ActiveX. Apple has also had a problem with its handling of security issues recently -- last year it was criticized for downplaying serious security flaws in Mac OS X, though critics say the company has become more open since then.
In an analysis last year, security firm Secunia found that OS X doesn't stand out as particularly more secure than the competition, in contrast to its image. The operating system had a similar proportion of critical bugs to competitors such as Windows XP Professional, Red Hat Advanced Server and Suse Linux Enterprise Server, Secunia said. However, Mac users generally don't experience the kinds of attacks Windows users do, because of the platform's small market share.
In January, researchers found a serious hole in Darwin, the Unix-based core of OS X that Apple likes to call "rock-solid".