Educause Security Discussion mailing list archives

Re: Macintosh java updates


From: Curt Wilson <curtw () SIU EDU>
Date: Wed, 18 Jul 2007 14:56:47 -0500

I don't have the answers; however, this is certainly something that's
worthy of some investigation, especially as client-side application
attacks continue to grow (Storm, for instance, hitting Quicktime and
Winzip vulns).

Old versions of Java seem to just stack up on the box. I'm not sure if
they can be accessed by a remote hostile applet or not. I've known of
some hostile java in the past (brown orifice, byteverify trojan) but it
seems like an area ripe for attack and therefore in need of defense.

Gary Flynn wrote:
Can someone more Macintosh literate than me explain how java security
updates are handled on the Macintosh platform?

Apple's web site says "Apple has optimized Java on Mac
OS X".
http://www.apple.com/macosx/features/java/

Sun's java site says to download java from the Apple site:

http://www.java.com/en/download/manual.jsp
links to:
http://www.apple.com/support/downloads/javaformacosx104release5.html

The update offered there is dated February 15th, 2007. The only
java versions available are 1.5.0_07 and 1.4.2_12. Those
versions are significantly out of date. There have been at least
six critical java security updates since December that are not
included in the offered versions.

--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
