Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0854 Java for OS X 2013-004 and Mac OS X v10.6 Update 16 19 June 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Java for OS X Publisher: Apple Operating System: OS X Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2013-3743 CVE-2013-2473 CVE-2013-2472 CVE-2013-2471 CVE-2013-2470 CVE-2013-2469 CVE-2013-2468 CVE-2013-2466 CVE-2013-2465 CVE-2013-2464 CVE-2013-2463 CVE-2013-2461 CVE-2013-2459 CVE-2013-2457 CVE-2013-2456 CVE-2013-2455 CVE-2013-2454 CVE-2013-2453 CVE-2013-2452 CVE-2013-2451 CVE-2013-2450 CVE-2013-2448 CVE-2013-2447 CVE-2013-2446 CVE-2013-2445 CVE-2013-2444 CVE-2013-2443 CVE-2013-2442 CVE-2013-2437 CVE-2013-2412 CVE-2013-2407 CVE-2013-1571 CVE-2013-1500 Reference: ASB-2013.0075 ESB-2013.0545 Original Bulletin: http://support.apple.com/kb/HT1222 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-06-18-1 Java for OS X 2013-004 and Mac OS X v10.6 Update 16 Java for OS X 2013-004 and Mac OS X v10.6 Update 16 is now available and addresses the following: Java Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, OS X Mountain Lion 10.8 or later Impact: Multiple vulnerabilities in Java 1.6.0_45 Description: 8011782 Multiple vulnerabilities existed in Java 1.6.0_45, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_51. Further information is available via the Java website at ht tp://www.oracle.com/technetwork/java/javase/releasenotes-136954.html CVE-ID CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412 CVE-2013-2437 CVE-2013-2442 CVE-2013-2443 CVE-2013-2444 CVE-2013-2445 CVE-2013-2446 CVE-2013-2447 CVE-2013-2448 CVE-2013-2450 CVE-2013-2451 CVE-2013-2452 CVE-2013-2453 CVE-2013-2454 CVE-2013-2455 CVE-2013-2456 CVE-2013-2457 CVE-2013-2459 CVE-2013-2461 CVE-2013-2463 CVE-2013-2464 CVE-2013-2465 CVE-2013-2466 CVE-2013-2468 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471 CVE-2013-2472 CVE-2013-2473 CVE-2013-3743 CVE_2013-2445 Java for OS X 2013-004 and Mac OS X v10.6 Update 16 may be obtained from the Software Update pane in System Preferences, Mac App Store, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.6 systems The download file is named: JavaForMacOSX10.6.Update16.dmg Its SHA-1 digest is: a6b5a9caa3c0d9acf743da8e4c0e5cfe4e471b01 For OS X Lion and Mountain Lion systems The download file is named: JavaForOSX2013-004.dmg Its SHA-1 digest is: 153c3f74d5285d10008fce2004d904da8d2ffdff Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ - -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRwL5AAAoJEPefwLHPlZEwju0QALM1IST/ATt2xR1L0AQcaZRX eiM07MlvAlE9Jv45xqKLUezRU8XQT6+glN51/hBhpyCa8MJIzPiSnnOIAW+vbA5o RjXQTGPGT1IPSfEk7OWS++566riMLmTOvg45Qn0E/ibOqJHpfrR4wzQX5jpv7lzH EbdKxn+KWfHCF2y/2LCFifDHUBPCjUlbWTRznDCYVHsFbtDiP/vAZiSXsNJtLTXK UOD/eGbel2PEqWOOsUNIrzwvztRB+LsYT4xKQQnsEKJqoyMch/UgB1Uo2jgEPn0U YP3WZbjbDV+UcM+yMoCV/qDFhbJ+qBxTbuwYOHuSDpgqJ7vF8s0cdUUb6U7QLW4/ 3ykC7vOUS/JqYkiqwUxuKVpzSUYXrlez36sQuwCR9AOGCJ/0/MwM8QPavFAdGisP 36ZavJ4k2Dp2CfVmWjexpWY7XN9M36Lh57XChxQk9TcbjUJRrqNadlPyzaja3G9a 95Dq1N1dYfLuFm4MtyeDA0xQl8m8ljnSxH3TQoDcTwvvWGIGdG7EEVpdQqM/MTWY CY2EqMkY3Gouet+QvECYwxOz+g0hcaJd973kSM+5AJ7tVfod93NDW3P13k2cfdTC uo9IgGkhuNY40NuLpJLtTwlHcTCwBtKPt0BLwXugZdoDrgz1j8Q+fLuASSTkUQxl 3t9MUCG40o5ZQFyWqV1+ =zFXN - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUcEK5+4yVqjM2NGpAQJObg/9FzgPrJ0IjMgRpyScwFba6uw6nkbSYN8F uWNkuzZVK84m+afZP/M+tSt/RBZiDj7j0D2zvZUWtUlk7WDQimme3XMaZ79UI6IS WUH6ssZxbOk98h2Y3oKmdLJAUgHoa+BhyHiqyOvuxNQ9cZow36eE3k+5jdLdDMdh igGPPgswrivamQTTEi395WswarbUBCwzZejUhGmEAU08S3QyEuImEOip3i4ZIwmv Xa3YGYmYTPnQ5ghiEDaK2HbbucNZYlbbUbnEeWGbyZ0OiDLAVRrb0Z11EgC/xHnk UEUtMFlS/xMtYc8dO2k97qBjrVfD7ENnm/fdDC+0+zxBuJ57fRVfgYfU65oXWwGV pfxDX5wixVe3peq4ww4j+3AO6BDewq2EOHh5DhpsH8mnhc/9ij/cxYUi/ksYiFGp jHEZoe0JEfYhOt7nweGEGEnTcTuhUcTH/hU3aDfpJo9RzGHEt27jaksDHgB2Tq4h EWpvmFPdjKUxZI+NJ9MjzevCRUeGYkaSFL7BBBYD2Lg6Z34b3Cg3YpMIe7PUU8v8 RN4+AyQO9qc1Yx/lssDMAcXNRkQ4o053Y44FWGGBgtt/Tpo5lAvt7o94qXV+RCXt xkJEqe12rKmh0V3+DqLVLAlCom1E3fYJvwlxTbP1ZOzdBaHioXjSIbexd2EOR0Jq m8OtuEks67M= =tCP1 -----END PGP SIGNATURE-----