Security Update 2005-002

Apple’s sticking with the new security update naming convention. Security Update 2005-002 is primarily a Java fix.

According to Apple:

Security Update 2005-002

Available for: Java 1.4.2

CVE-ID: CAN-2004-1029

Impact: Updates Java to address an issue where an untrusted applet could gain elevated privileges and potentially execute arbitrary code.

Description: A vulnerability in the Java Plug-in may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet. Releases prior to Java 1.4.2 on Mac OS X are not affected by this vulnerability. Further information is available in Document ID 57591 from Sun.

But what does that mean Professor? One of the rules of untrusted Java applets was that they had no access to the hosting computer’s filesystem. This prevents things like collecting your personal information and sending it to their servers (and then to spammers). It also prevents modifications to your data and prevents things from being written out, like say the Opener malware. Not good.

Anyway, run software update so you too can feel warm and fuzzy inside.