[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CSIRTUK ADVISORY - 3520 - Apple - APPLE-SA-2007-12-14 Java Release 6 for Mac OS X 10.4



________________________________________________________________________


CSIRTUK ADVISORY - 3520 dated 14.12.07 time 18:50

Centre for the Protection of National Infrastructure (CPNI)

________________________________________________________________________

 Further details about CPNI, including information about our products
can be
 found at www.cpni.gov.uk

 Please note that CSIRTUK RSS Feeds are available from:
 http://www.cpni.gov.uk/rss/advisories.xml
________________________________________________________________________

Title
=====
3520 - APPLE-SA-2007-12-14 Java Release 6 for Mac OS X 10.4

Detail
======
ID: 3520
Date: 14/12/2007

------------------------------------------------------------------------
--------
Title: 3520 - APPLE-SA-2007-12-14 Java Release 6 for Mac OS X 10.4
Platform level affected:Net Application - Enterprise
Hardware components affected:Apple MAC
Specific operating systems components affected: Apple Mac OS
Other software: Other
Remediation Summary:Update your copy of the software with the download
available from the supplier.
Vendors affected:Apple
Applications affected:Java
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Apple
Reliability of source: Trusted
Source URL: http://www.apple.com/support/downloads/
Abstract: Java Release 6 for Mac OS X 10.4 is now available and
addresses a number of issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-12-14 Java Release 6 for Mac OS X 10.4

Java Release 6 for Mac OS X 10.4 is now available and addresses the
following issues:

Java
CVE-ID:  CVE-2007-5862
Available for:  Mac OS X v10.4.10, Mac OS X v10.4.11, Mac OS X Server
v10.4.10, Mac OS X Server v10.4.11
Impact:  A malicious webpage can remove or insert keychain items
Description:  An access check may be bypassed for Keychain updates. A
specially crafted Java applet may be able to add or remove items from a
user's Keychain, without prompting the user. This update addresses the
issue through an improved access check. This issue does not affect
systems running Mac OS X v10.5 and later. Credit to Bruno Harbulot of
the University of Manchester for reporting this issue.

Java
CVE-ID:  CVE-2006-4339, CVE-2006-6731, CVE-2006-6736, CVE-2006-6745,
CVE-2007-0243, CVE-2007-2435, CVE-2007-3004, CVE-2007-3005,
CVE-2007-3504, CVE-2007-3698, CVE-2007-3922, CVE-2007-4381,
CVE-2007-5232
Available for:  Mac OS X v10.4.10, Mac OS X v10.4.11, Mac OS X Server
v10.4.10, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities exist in Java 1.4
Description:  Multiple vulnerabilities exist in Java 1.4, the most
serious of which may lead to arbitrary code execution and privilege
escalation. These are addressed by updating Java 1.4 to version
1.4.2_16. These issues are already addressed in systems running Mac OS X
v10.5 and later.

Java
CVE-ID:  CVE-2006-4339, CVE-2006-6731, CVE-2006-6745, CVE-2007-0243,
CVE-2007-2435, CVE-2007-2788, CVE-2007-2789, CVE-2007-3004,
CVE-2007-3005, CVE-2007-3503, CVE-2007-3504, CVE-2007-3655,
CVE-2007-3698, CVE-2007-3922, CVE-2007-4381, CVE-2007-5232 Available
for:  Mac OS X v10.4.10, Mac OS X v10.4.11, Mac OS X Server v10.4.10,
Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities exist in J2SE 5.0
Description:  Multiple vulnerabilities exist in J2SE 5.0, the most
serious of which may lead to arbitrary code execution and privilege
escalation. These are addressed by updating J2SE 5.0 to version
1.5.0_13. These issues are already addressed in systems running Mac OS X
v10.5 and later.

Java Release 6 may be obtained from the Software Update pane in System
Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.10 and Mac OS X v10.4.11 The download file is named:
"JavaForMacOSX10.4Release6.dmg"
Its SHA-1 digest is:  ee4e261070354b0f95f88a92a1b00f8cf39886c4

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: 9.7.0.867

wsBVAwUBR2LK18gAoqu4Rp5tAQgG8gf/UCD9npaJL3to97F+On2L7AUmEXgKh7N0
mrT0GErNHmUiXaLHrAJ5GH2e/SYVGpfV9PlyV2iNAx4d1lXhM0hXAwINZfTDy0nm
ZpBBvwRjWeZSRaJk6saM0vIYt+tCQMREFR7m5qBrnteo2wA3bUuFBZmwJMyWz3ls
boTozFrbr9mDzk/mTnTxHvEDZAAEbH21aqyZPEuFK8FwGbrCffIKl+EmUPiMxjhe
SxqUl4eGep+WcwosOdsxqwlo9ia9UcO21zGlgr75Ibu5W/xvoHO+yAHHufm6CI4b
JpU3/tDvdyPUMFDJayNik622GlbZUNEIfDoasOfKPiyHv93gCValtg==
=CNOz
-----END PGP SIGNATURE-----


________________________________________________________________________

CPNI values your feedback.

1. Which of the following most reflects the value of the advisory to
you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__

2. If you did not find it useful, why not?


3. Any other comments? How could we improve our advisories?


Thank you for your contribution.

________________________________________________________________________

CSIRTUK wishes to acknowledge the contributions of Apple for the
information
contained in this advisory.
________________________________________________________________________

This advisory contains information released by the original author. Some
of the
information may have changed since it was released. If the issue affects
you,
it may be prudent to retrieve the advisory from the site of the original
source to ensure that you receive the most current information
concerning that
problem.

Reference to any specific commercial product, process, or service by
trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its
endorsement, recommendation, or favouring by CPNI. The views and
opinions of
authors expressed within this notice shall not be used for advertising
or
product endorsement purposes.

CPNI shall not accept responsibility for any errors or omissions
contained
within this advisory. In particular, they shall not be liable for any
loss or
damage whatsoever, arising from or in connection with the usage of
information
contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams
(FIRST)
and has contacts with other international Incident Response Teams (IRTs)
in
order to foster cooperation and coordination in incident prevention, to
prompt
rapid reaction to incidents, and to promote information sharing amongst
its
members and the community at large.
________________________________________________________________________

<End of CPNI Advisory>


The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless in partnership with MessageLabs. (CCTM Certificate Number 2007/11/0032.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.