Mac OS X Includes Known Vulnerable Version of Java
Current releases of Mac OS X (version 10.5.7 and version 10.4.11 with security update 2009-002) include a version of Java Runtime Environment (JRE) containing known security vulnerabilities. US-CERT is aware of publicly available exploit code for one of these vulnerabilities. This vulnerability may allow untrusted applets to obtain read, write, and execute permissions to local files and applications with the privileges of the local user. A fix for this vulnerability has been released by Sun, but Mac OS X users cannot apply the fix directly. Mac OS X users must use Apple updates to obtain updated JRE versions. At this time, Apple has not yet released an update to address this issue.
US-CERT encourages Mac OS X users to disable Java in each web browser they use until a patch is available from Apple. Guidance for disabling Java can be found in the Securing Your Web Browser document. Please note that disabling Java may affect the functionality of websites that use Java.
US-CERT will provide additional information as it becomes available.