Apple on Tuesday released Security Update 2005-002. This update covers installations of Mac OS X that use Java 1.4.2. It is available through the Software Update system preference pane and as a download from Apple’s Web site.
According to information posted on Apple’s Web site, this update corrects an issue “where an untrusted applet could gain elevated privileges and potentially execute arbitrary code.”
Apple describes the problem as related to a vulnerability in the Java plug-in. The exploit works through JavaScript “calling into Java code, including reading and writing files with the privileges of the user running the applet. Releases prior to Java 1.4.2 on Mac OS X are not affected by this vulnerability.”
Further information about this vulnerability is available in Document ID 57591 from Sun.
Apple’s update makes changes to the following files:
Java Web Start, JavaPluginCocoa.bundle, JavaScriptCore, Core Java classes