Educause Security Discussion mailing list archives
Re: Macintosh java updates
From: Curt Wilson <curtw () SIU EDU>
Date: Wed, 18 Jul 2007 14:56:47 -0500
I don't have the answers, however this is certainly something that's worthy of some investigation, especially as client-side application attacks continue to grow (Storm for instance hitting Quicktime and Winzip vulns). Old versions of Java seem to just stack up on the box. I'm not sure if they can be accessed by a remote hostile applet or not. I've known of some hostile java in the past (brown orifice, byteverify trojan) but it seems like an area ripe for attack and therefore in need of defense. Gary Flynn wrote:
Can someone more Macintosh literate than me explain how java security updates are handled on the Macintosh platform? Apple's web site says "Apple has optimized Java on Mac OS X". http://www.apple.com/macosx/features/java/ Sun's java site says to download java from the Apple site: http://www.java.com/en/download/manual.jsp links to: http://www.apple.com/support/downloads/javaformacosx104release5.html The update offered there is dated February 15th, 2007. The only java versions available are 1.5.0_07 and 1.4.2_12. Those versions are significantly out of date. There have been at least six critical java security udpates since December that are not included in the offered versions.
-- Curt Wilson IT Network Security Officer Southern Illinois University Carbondale 618-453-6237 GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
Current thread:
- Macintosh java updates Gary Flynn (Jul 17)
- <Possible follow-ups>
- Re: Macintosh java updates Julian Y. Koh (Jul 17)
- Re: Macintosh java updates Curt Wilson (Jul 18)