Apple has pushed out a security update for Java on OS X 10.6 and 10.7 (with support for previous versions being discontinued).
The patch is aimed at defeating Flashback, a trojan horse which was first spotted in September of last year. Initially it was disguised as a fake Flash Player, then a fake security certificate, and last weekend another variant emerged taking advantage of a fresh Java vulnerability.
This new patch addresses the latter flaw and is available via Software Update on systems with Java installed. Alternatively, you can download it from the Apple support site.
On its support page, Apple noted: "Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_31."
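A quick way to confirm a Mac is at the level Apple's note names is to read the first line of `java -version` and compare the update number against 31. The script below is an added example written for this article, not Apple's tooling or anything from the original report; the banner strings it is tested against are constructed samples, and it only understands the `1.6.0_NN` form that Apple's Java 6 reports, so anything else is treated as not verified rather than as patched.

```shell
#!/bin/sh
# Added example: check whether the installed Java is at or past 1.6.0_31,
# the version Apple's advisory says fixes the Flashback-exploited flaw.
# Only Apple's "java version "1.6.0_NN"" banner is understood; any other
# banner (no Java, Oracle Java 7, etc.) is reported as not verified.

# Print the update number NN from a banner line such as
#   java version "1.6.0_29"
# Prints nothing when the line is not a 1.6.0_NN banner.
java16_update() {
    printf '%s\n' "$1" | sed -n 's/^java version "1\.6\.0_\([0-9][0-9]*\)".*/\1/p'
}

# Exit 0 when the banner is 1.6.0_31 or later, 1 otherwise
# (older update, or a banner this check does not understand).
java_is_patched() {
    upd=$(java16_update "$1")
    [ -n "$upd" ] && [ "$upd" -ge 31 ]
}

# Run against the local machine. `java -version` writes its banner to
# stderr, so it is redirected before taking the first line.
check_local_java() {
    banner=$(java -version 2>&1 | head -n 1)
    if java_is_patched "$banner"; then
        echo "OK: $banner"
    else
        echo "NOT VERIFIED AS PATCHED: $banner"
    fi
}
```

Call `check_local_java` to test the machine you are on. One caveat: on 10.7, where Java is not installed by default, the `java` command is a stub that may offer to install Java instead of printing a banner, so a machine without Java will show up as not verified, which is the safe answer for an update-level check.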
Previously, Apple has come under fire for its slow response in keeping Java secure, but this time around the reaction has been commendably swift. How long it will be before another variant of Flashback emerges, however, remains to be seen.
Source: CNet