Saturday, February 2, 2013

Apple Releases Java 6u39
for OS X 10.6 Snow Leopard

--
Today Apple released their Java update for users of OS X 10.6 Snow Leopard. It is listed as 'Java for Mac OS X 10.6 Update 12'. The version of Java provided is 6u39, AKA Java 1.6 Update 39.

Apple's Java update is available via Software Update from within OS X 10.6.

For the moment, you can also download 10.6 Update 12 at the link below. HOWEVER, please note that ALL the information on the page is WRONG and out-of-date. (0_o) Hopefully this will be corrected by the time you visit the page. For now, only use the page for the download link! Ignore everything else and just click the 'download' button:

http://support.apple.com/kb/DL1573

At this time, there is no security information available about this update at Apple's website. Apple has so far failed to update their 'Apple security updates' page with this update. (0_o) Hopefully they will have caught up with themselves by the time you visit their security page:

http://support.apple.com/kb/HT1222

Thankfully, Apple has emailed the security details about this update, which I have provided below:
APPLE-SA-2013-02-01-1 Java for Mac OS X v10.6 Update 12
Java for Mac OS X v10.6 Update 12 is now available and addresses the following:

Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in Java 1.6.0_37
Description: Multiple vulnerabilities exist in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_39. Further information is available via the Java website at:
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html 
CVE-ID 
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481

Java for Mac OS X 10.6 Update 12 may be obtained from the Software Update pane in System Preferences or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/ 
The download file is named: JavaForMacOSX10.6.dmg 
Its SHA-1 digest is: 0c790491ca22ee009086ee1ec1f1b358024dd83e
Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222 
This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/

________________________________ 
Security-announce mailing list
(Security-announce@lists.apple.com)
--


1 comment:

  1. Well, I've followed this subject, more or less, all along. While the complete wrongness of Oracle, with Apple not enough better, has been pretty clear throughout, I retain a little residual confusion at this point.

    Does this release mean that they appear to have *fixed* *the* *problem*, and not just provided a workaround for the users to apply? That the thing now works (or is said to) without any problems that were known before this date?

    I understand that the info on the download page was totally wrong, and I suppose that it is still so; hence the explanation about how it *disables* Java is totally wrong, right?

    There are problems here with not quite knowing for sure whether I'm seeing the totally wrong version or a revised version. A guide to "how to know whether the info you see is still unfixed nonsense" might help the less informed users. Thanks for listening, and especially for following this mess.
