Apple has once again taken it upon itself to fix Sun Microsystems’ Java plugin for OS X, releasing yet another update to correct security issues in the plugin. Interestingly, Apple’s update patches only Java SE 6, while a separate update directly from Sun Microsystems is also available to patch issues in the Java 7 runtime.
Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809). One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines. Both vulnerabilities affect the 2D component of Java SE. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software. These vulnerabilities have each received a CVSS Base Score of 10.0.
The update is available immediately from Sun’s website. Meanwhile, Apple’s Java for OS X 2013-002 update is also available. Release notes for the update are as follows:
About Java for OS X 2013-002
This release updates the Apple-provided system Java SE 6 to version 1.6.0_43 and is for OS X versions 10.7 or later.
This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.
This update also removes the Java Preferences application, which is no longer required to configure applet settings.
It would be great if these updates weren’t necessary. Why can’t Sun get their act together? The world may never know…