Search:

September 2008

3691 - APPLE-SA-2008-09-24 Java for Mac OS X 10.4, Release 7

ID: 3691
Date: 25/09/2008

Title: 3691 - APPLE-SA-2008-09-24 Java for Mac OS X 10.4, Release 7
Platform level affected:Operating System
Hardware components affected:Apple MAC
Specific operating systems components affected: Apple Mac OS
Net-enabled software: Other
Security software:Other
Other software: Other
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Apple
Applications affected:Java for Mac OS X 10.4
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Active
Potential Damage: Remote execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: Apple
Reliability of source: Trusted
Source URL: http://www.apple.com/support/downloads/
CVE: CVE-2008-1185, 2008-1186, 2008-1187, 2008-1188, 2008-1189, 2008-1190, 2008-1191, 2008-1192, 2008-1193, 2008-1195, 2008-1196, 2008-3104, 2008-3107, 2008-3108, 2008-3111, 2008-3112, 2008-3113, 2008-3114, 2008-3637
Abstract: Java for Mac OS X 10.4, Release 7 is now available and addresses a number of issues.

APPLE-SA-2008-09-24 Java for Mac OS X 10.4, Release 7

Java for Mac OS X 10.4, Release 7 is now available and addresses the following issues:

Java

CVE-ID: CVE-2008-3637

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: An error checking issue leading to the use of an uninitialized variable exists in the Hash-based Message Authentication Code (HMAC) provider used for generating MD5 and SHA-1 hashes. Visiting a website containing a maliciously crafted Java applet may lead to arbitrary code execution. This update addresses the issue through improved error handling. This is an Apple-specific issue. Credit to Radim Marek for reporting this issue.

Java

CVE-ID: CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1195, CVE-2008-1196, CVE-2008-3104, CVE-2008-3107, CVE-2008-3108, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113,

CVE-2008-3114

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Multiple vulnerabilities in Java 1.4.2_16

Description: Multiple vulnerabilities exist in Java 1.4.2_16, the most serious of which may allow untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution. These issues are addressed by updating Java 1.4 to version 1.4.2_18.

Further information is available via the Sun Java website at http://java.sun.com/j2se/1.4.2/ReleaseNotes.html

Java

CVE-ID: CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195, CVE-2008-1196, CVE-2008-3103, CVE-2008-3104, CVE-2008-3107, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114, CVE-2008-3115 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Multiple vulnerabilities in Java 1.5.0_13

Description: Multiple vulnerabilities exist in Java 1.5.0_13, the most serious of which may allow untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution. These issues are addressed by updating Java 1.5 to version 1.5.0_16.

Further information is available via the Sun Java website at http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Java for Mac OS X 10.4, Release 7 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

The download file is named: "JavaForMacOSX10.4Release7.dmg"

Its SHA-1 digest is: 67d17ba3e854101d890633f507b4c02e031b3a05

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:

http://www.apple.com/support/security/pgp/

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.