Tuesday's update to Java included fixes for the four vulnerabilities exploited by researchers at last month's Pwn2Own hacking contest. Each researcher (or in one instance, a team of researchers) was awarded $20,000 by HP TippingPoint, which co-sponsored the challenge.
With Oracle's patches for Pwn2Own's Java vulnerabilities, only Microsoft has yet to close a hole uncovered at the challenge. French bug broker Vupen exploited Internet Explorer 10 (IE10) on Windows 8 at Pwn2Own. Some experts anticipated IE10 fixes for the Pwn2Own flaws last week on April's Patch Tuesday, but Microsoft disappointed.
Also Tuesday, Apple refreshed Safari 6 for OS X Lion and Mountain Lion, and Safari 5 for Snow Leopard to add a new security tool. The browser now lets users closely manage Java permissions by selecting which sites can execute the software. Users comfortable with changing security settings can now allow Java to run on trusted websites -- an online banking site, for example -- while blocking it from executing on other domains.
Apple has published a support document outlining how the new site-by-site Java permission manager operates.
The new Safari tool may come in handy: Hackers have turned up the heat on Oracle in the past year, exploiting a succession of Java vulnerabilities, including several so-called "zero-day" bugs, or unpatched -- and in some cases even unknown -- flaws.
A year ago, for instance, cybercriminals infected more than 600,000 Macs in the widespread "Flashback" malware campaign by exploiting a Java vulnerability that Oracle had fixed, but Apple had not. It was easily the biggest-ever security event on OS X, and a major embarrassment for Apple, which, in response, changed its Java patch cadence to match Oracle's.
OS X Lion and Mountain Lion users running Java 7 will also see new messages that appear in their browser of choice when attempting to launch a Java applet. Those messages, which were called confusing by U.K.-based security vendor Sophos, display small icons or badges that represent various risks.
The next scheduled Java security update is set for release by Oracle on June 18. Unless Apple changes its mind on Snow Leopard, it will also issue patches the same day for that version of OS X as well as for Lion and Mountain Lion.
Safari now lets users define the websites allowed to run Oracle's bug-plagued Java software in the browser's Preferences console. (Image: Apple.)