This document describes the security content of J2SE 5.0 Release 4, which can be downloaded and installed using Software Update, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred, and any necessary patches or releases are available. To learn more about Apple Product Security, visit the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to Use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerability for further information.
To learn about other Security Updates, see "Apple Security Updates."
Java
CVE-ID: CVE-2006-0613
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Untrusted Java applications may obtain elevated privileges.
Description: A security vulnerability in Java Web Start may allow an untrusted application to elevate its privileges. This update addresses the issue by providing J2SE version 1.5.0_06, which is not susceptible to this vulnerability. For additional information on this issue, see Sun Alert 102170 (http://sunsolve.sun.com/search/document.do?assetkey=1-26-102170-1).
Java
CVE-ID: CVE-2006-0614, CVE-2006-0615, CVE-2006-0616, CVE-2006-0617
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Untrusted Java applets may obtain elevated privileges.
Description: Security vulnerabilities related to the use of "reflection" APIs in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. This update addresses these issues by providing J2SE version 1.5.0_06, which is not susceptible to these vulnerabilities. For additional information on these issues, see Sun Alert 102171 (http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1).
Additionally, a minor security-related fix is included in this update for Java InputMethods. Due to an issue handling input method events, it is possible that key events intended for a secure field such as a password field may be sent to a normal text field in the same window. This could result in accidental password disclosure to others present when the password is entered. This update addresses the problem by properly handling input method events. Credit to Misako Ishida from SAP AG for reporting this issue.