Mac OS X : Java for OS X Lion 2012-001

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote host has a version of Java that is affected by multiple
vulnerabilities.

Description :

The remote Mac OS X host is running a version of Java for Mac OS X
10.7 that is missing update 2012-001, which updates the Java version
to 1.6.0_31. As such, it is affected by several security
vulnerabilities, the most serious of which may allow an untrusted Java
applet to execute arbitrary code with the privileges of the current
user outside the Java sandbox.

See also :

http://support.apple.com/kb/HT5228
http://lists.apple.com/archives/security-announce/2012/Apr/msg00000.html
http://lists.apple.com/archives/java-dev/2012/Apr/msg00022.html

Solution :

Upgrade to Java for OS X Lion 2012-002, which includes version
14.2.1 of the JavaVM Framework.

Note that these vulnerabilities are already addressed by Java for
OS X Lion 2012-001. That update was found to contain some non-security
bugs, however, and has been re-released as 2012-002.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true