Security Patch Catchup: Java, Safari & OS X

Security Fix took a mini-vacation last week, but that's all it takes to fall behind in important software security updates. Here's a quick pointer to some recent updates that have recently happened.
The last time I wrote about Java updates was at Update 13, but as several readers have pointed out, the latest version is now Update 16. Near as I could tell, Updates 14 and 16 did not include security updates. Indeed, Java maker Sun Microsystems says users who have Java SE 6 Update 15 have the latest security fixes and do not need to upgrade to version 16 to be current on security fixes.

However, Update 15 shipped fixes for a number of serious security holes, so if you've got an earlier version of this program installed, take a few minutes to update. Don't know whether you have Java or what version you may have? Visit this link.

Unfortunately, Sun still hasn't made the process of updating Java as easy as it should be. When I tried to update one of my Vista machines from Update 13 using the Windows Control panel (by clicking the Java icon, then the Update tab, and then the "Update Now" button), the updater told me I had the latest version installed.

To grab the latest version, I have to download and run a full installer from Java.com. The installer by default tries to install one of several programs the company has a deal with (mine offered the Yahoo! toolbar), so if you don't want the extra software be sure to deselect that option.

Apple also recently released several important updates. Among them was an update for the Safari Web browser that fixes at least six security holes. This patch brings Safari to version 4.0.3. Updates are available for Mac and Windows versions. Mac users can grab the update from Apple Downloads or Software Update, while Windows Safari users will need to use the bundled Apple Software Update tool.

In addition, Apple has released an update that corrects an important security vulnerability in Mac OS X 10.4 and 10.5 systems. That update is available through the Mac's built-in Apple Software Update feature.

http://voices.washingtonpost.com/securityfix/2009/08/security_patch_catchup.html?wprss=securityfix

A Baker's Dozen of Security Updates for iPhone 2.0

As expected, the 2.0 version of iPhone released today includes a number of security updates, patching more than a dozen holes in the slimmed-down OS X operating system that powers the devices.

That means for those who already own Apple's mobile device, it's time to update.

As detailed in a column last week, a number of these patches are updates that Apple shipped earlier this year for Safari and/or the version of OS X designed for Mac desktop and laptop computers. iPhone 2.0 bundles some 13 security updates, five of which address previously undocumented security flaws.

Among the more notable (if not serious) patches: One fix for the gadget's Safari Web browser that was addressed by a number of other software makers (including Mozilla) back in June 2006. Another Safari update plugs a security hole that Apple sealed in its Microsoft Windows version of Safari last month. Another fix corrects a bug in the iPhone's innards that Apple said could allow remote attackers to reset a targeted iPhone by sending it a specially crafted packet. An exploit for this vulnerability has been available online since February.

The new software is available for iPhone 1.0 and iTouch 1.1 devices, through iTunes.

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.