===========================================================================
             AUSCERT External Security Bulletin Redistribution

   ESB-2009.0567 -- [Mac][OSX] Java for Mac OS X: Multiple Vulnerabilities
                               16 June 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Java for Mac OS X
Publisher:         Apple
Operating System:  Mac OS X
Impact:            Execute Arbitrary Code/Commands
                   Increased Privileges
                   Read-only Data Access
                   Denial of Service
                   Inappropriate Access
                   Reduced Security
Access:            Remote/Unauthenticated
CVE Names:         CVE-2009-1719 CVE-2009-1107 CVE-2009-1106
                   CVE-2009-1104 CVE-2009-1103 CVE-2009-1101
                   CVE-2009-1100 CVE-2009-1099 CVE-2009-1098
                   CVE-2009-1097 CVE-2009-1096 CVE-2009-1095
                   CVE-2009-1094 CVE-2009-1093 CVE-2008-5360
                   CVE-2008-5359 CVE-2008-5357 CVE-2008-5356
                   CVE-2008-5354 CVE-2008-5353 CVE-2008-5352
                   CVE-2008-5351 CVE-2008-5350 CVE-2008-5349
                   CVE-2008-5348 CVE-2008-5347 CVE-2008-5346
                   CVE-2008-5345 CVE-2008-5344 CVE-2008-5343
                   CVE-2008-5342 CVE-2008-5341 CVE-2008-5340
                   CVE-2008-5339 CVE-2008-2086

Ref:               ESB-2009.0509
                   ESB-2009.0451
                   ESB-2009.0400
                   ESB-2009.0332
                   ESB-2009.0234

Original Bulletin:
   http://support.apple.com/kb/HT3633
   http://support.apple.com/kb/HT3632

Comment: This advisory contains two (2) Apple Security bulletins.

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2009-06-15-1 Java for Mac OS X 10.5 Update 4

Java for Mac OS X 10.5 Update 4 is now available and addresses the
following:

Java
CVE-ID:  CVE-2009-1106, CVE-2009-1107, CVE-2008-5352, CVE-2008-5356,
CVE-2008-5353, CVE-2008-5354, CVE-2008-5357, CVE-2008-5339,
CVE-2009-1104, CVE-2008-5360, CVE-2008-5344, CVE-2008-5345,
CVE-2008-5346, CVE-2009-1103, CVE-2008-5347, CVE-2008-5348,
CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2009-1100,
CVE-2009-1100, CVE-2009-1101, CVE-2009-1099, CVE-2009-1098,
CVE-2009-1097, CVE-2009-1097, CVE-2009-1095, CVE-2009-1096,
CVE-2009-1094, CVE-2009-1093, CVE-2008-5341, CVE-2008-5339
Available for:  Mac OS X v10.5.7 and later,
Mac OS X Server v10.5.7 and later
Impact:  Multiple vulnerabilities in Java 1.6.0_07
Description:  Multiple vulnerabilities exist in Java 1.6.0_07, the
most serious of which may allow an untrusted Java applet to obtain
elevated privileges. Visiting a web page containing a maliciously
crafted untrusted Java applet may lead to arbitrary code execution
with the privileges of the current user. These issues are addressed
by updating Java 1.6 to version 1.6.0_13. Further information is
available via the Sun Java website at
http://java.sun.com/javase/6/webnotes/ReleaseNotes.html

Java
CVE-ID:  CVE-2009-1107, CVE-2008-5352, CVE-2008-5356, CVE-2008-5353,
CVE-2008-5354, CVE-2008-5357, CVE-2008-5359, CVE-2009-1104,
CVE-2008-5360, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346,
CVE-2009-1103, CVE-2008-5349, CVE-2008-5350, CVE-2008-5351,
CVE-2008-5348, CVE-2009-1101, CVE-2009-1100, CVE-2009-1100,
CVE-2009-1099, CVE-2009-1098, CVE-2009-1095, CVE-2009-1096,
CVE-2009-1094, CVE-2009-1093, CVE-2008-5341, CVE-2008-5339
Available for:  Mac OS X v10.5.7 and later,
Mac OS X Server v10.5.7 and later
Impact:  Multiple vulnerabilities in Java 1.5.0_16
Description:  Multiple vulnerabilities exist in Java 1.5.0_16, the
most serious of which may allow an untrusted Java applet to obtain
elevated privileges. Visiting a web page containing a maliciously
crafted untrusted Java applet may lead to arbitrary code execution
with the privileges of the current user. These issues are addressed
by updating Java 1.5 to version 1.5.0_19. Further information is
available via the Sun Java website at
http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Java
CVE-ID:  CVE-2008-5342, CVE-2008-5356, CVE-2008-5353, CVE-2008-5354,
CVE-2008-5357, CVE-2008-5340, CVE-2008-5339, CVE-2009-1104,
CVE-2008-5360, CVE-2008-5344, CVE-2008-5345, CVE-2008-2086,
CVE-2008-5346, CVE-2009-1103, CVE-2008-5351, CVE-2008-5348,
CVE-2009-1100, CVE-2009-1098, CVE-2009-1095, CVE-2009-1096,
CVE-2009-1094, CVE-2009-1093, CVE-2008-5343, CVE-2008-5339,
CVE-2008-5350
Available for:  Mac OS X v10.5.7 and later,
Mac OS X Server v10.5.7 and later
Impact:  Multiple vulnerabilities in Java 1.4.2_18
Description:  Multiple vulnerabilities exist in Java 1.4.2_18, the
most serious of which may allow an untrusted Java applet to obtain
elevated privileges. Visiting a web page containing a maliciously
crafted untrusted Java applet may lead to arbitrary code execution
with the privileges of the current user. These issues are addressed
by updating Java 1.4 to version 1.4.2_21. Further information is
available via the Sun Java website at
http://java.sun.com/j2se/1.4.2/ReleaseNotes.html

Java
CVE-ID:  CVE-2009-1719
Available for:  Mac OS X v10.5.7 and later,
Mac OS X Server v10.5.7 and later
Impact:  Untrusted Java applets may obtain elevated privileges
Description:  Multiple vulnerabilities in the "Aqua Look and Feel for
Java" implementation may allow an untrusted Java applet to obtain
elevated privileges. Visiting a web page containing a maliciously
crafted Java applet may lead to arbitrary code execution with
elevated privileges. This update addresses the issues by denying
access to internal details of Aqua Look and Feel for untrusted Java
applets. This issue only affects Java 1.5 on Mac OS X v10.5 systems.
Credit to an anonymous researcher working with TippingPoint's Zero
Day Initiative for reporting this issue.

Java for Mac OS X 10.5 Update 4 may be obtained from the Software
Update pane in System Preferences, or Apple's Software Downloads web
site: http://www.apple.com/support/downloads/

The download file is named: JavaForMacOSX10.5Update4.dmg
Its SHA-1 digest is: 1e873214b23561e49dce37c163abf87d53f968f6

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


APPLE-SA-2009-06-15-2 Java for Mac OS X 10.4 Release 9

Java for Mac OS X 10.4 Release 9 is now available and addresses the
following:

Java
CVE-ID:  CVE-2009-1107, CVE-2008-5352, CVE-2008-5356, CVE-2008-5353,
CVE-2008-5354, CVE-2008-5357, CVE-2008-5359, CVE-2009-1104,
CVE-2008-5344, CVE-2008-5345, CVE-2008-5346, CVE-2009-1103,
CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5348,
CVE-2009-1101, CVE-2009-1100, CVE-2009-1100, CVE-2009-1099,
CVE-2009-1098, CVE-2009-1095, CVE-2009-1096, CVE-2009-1094,
CVE-2009-1093, CVE-2008-5341, CVE-2008-5339, CVE-2008-5360
Available for:  Mac OS X v10.4.11 with Java for Mac OS X 10.4
Release 8, Mac OS X Server v.10.4.11 with Java for Mac OS X 10.4
Release 8
Impact:  Multiple vulnerabilities in Java 1.5.0_16
Description:  Multiple vulnerabilities exist in Java 1.5.0_16, the
most serious of which may allow an untrusted Java applet to obtain
elevated privileges. Visiting a web page containing a maliciously
crafted untrusted Java applet may lead to arbitrary code execution
with the privileges of the current user. These issues are addressed
by updating Java 1.5 to version 1.5.0_19. Further information is
available via the Sun Java website at
http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Java
CVE-ID:  CVE-2008-5342, CVE-2008-5356, CVE-2008-5353, CVE-2008-5354,
CVE-2008-5357, CVE-2008-5340, CVE-2008-5359, CVE-2009-1104,
CVE-2008-5360, CVE-2008-5344, CVE-2008-5345, CVE-2008-2086,
CVE-2008-5346, CVE-2009-1103, CVE-2008-5350, CVE-2008-5351,
CVE-2008-5348, CVE-2009-1100, CVE-2009-1100, CVE-2009-1098,
CVE-2009-1094, CVE-2009-1093, CVE-2008-5343, CVE-2008-5339
Available for:  Mac OS X v10.4.11 with Java for Mac OS X 10.4
Release 8, Mac OS X Server v.10.4.11 with Java for Mac OS X 10.4
Release 8
Impact:  Multiple vulnerabilities in Java 1.4.2_18
Description:  Multiple vulnerabilities exist in Java 1.4.2_18, the
most serious of which may allow an untrusted Java applet to obtain
elevated privileges. Visiting a web page containing a maliciously
crafted untrusted Java applet may lead to arbitrary code execution
with the privileges of the current user. These issues are addressed
by updating Java 1.4 to version 1.4.2_21. Further information is
available via the Sun Java website at
http://java.sun.com/j2se/1.4.2/ReleaseNotes.html

Java for Mac OS X 10.4 Release 9 may be obtained from the Software
Update pane in System Preferences, or Apple's Software Downloads web
site: http://www.apple.com/support/downloads/

The download file is named: JavaForMacOSX10.4Release9.dmg
Its SHA-1 digest is: cc470c07eb67f66b4980cea2a6566a7b0e4bf755

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
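
Added example, not part of the AusCERT or Apple text: a Python check that classifies `java -version` banners against the fixed releases named above (1.6.0_13, 1.5.0_19, 1.4.2_21) and compares a downloaded image's SHA-1 with the digest the bulletin publishes. The host names and sample banners are constructed, and the function names are this example's own.

```python
import hashlib
import hmac
import re

# Fixed releases named in the bulletin, keyed by Java family.
FIXED = {(1, 6): (1, 6, 0, 13), (1, 5): (1, 5, 0, 19), (1, 4): (1, 4, 2, 21)}

# SHA-1 digests the bulletin gives for the two update images.
DIGESTS = {
    "JavaForMacOSX10.5Update4.dmg": "1e873214b23561e49dce37c163abf87d53f968f6",
    "JavaForMacOSX10.4Release9.dmg": "cc470c07eb67f66b4980cea2a6566a7b0e4bf755",
}

VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_version(banner):
    """Return (major, minor, micro, update) from `java -version` output."""
    match = VERSION_RE.search(banner)
    if match is None:
        raise ValueError("no Java version string in banner")
    return tuple(int(part) if part else 0 for part in match.groups())

def status(banner):
    """Classify one banner as 'patched', 'vulnerable' or 'unknown-family'."""
    version = parse_version(banner)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown-family"  # family not covered by this bulletin
    return "patched" if version >= fixed else "vulnerable"

def digest_matches(name, stream):
    """Hash a downloaded image in chunks and compare with the bulletin's digest."""
    sha1 = hashlib.sha1()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        sha1.update(chunk)
    return hmac.compare_digest(sha1.hexdigest(), DIGESTS[name])

# Constructed sample banners, not captured from real hosts.
SAMPLES = {
    "host-a": 'java version "1.5.0_16"',
    "host-b": 'java version "1.6.0_13"',
    "host-c": 'java version "1.4.2_21"',
}

if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        print(host, status(banner))
```

For a real download, pass `open(path, "rb")` as `stream`; an image whose digest does not match should not be installed.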