ATTN: Apple is distributing a Java update in response to a security alert from Oracle. This update should be applied as soon as possible.
Summary [source]
Java for OS X 2012-005 delivers improved security, reliability, and compatibility for Java SE 6. Java for OS X 2012-005 supersedes all previous versions of Java for OS X.
This update configures the Java plug-in to deactivate when no applets are run for an extended period of time. If the previous update named “Java for OS X Lion 2012-004” was not installed on your computer, this update will disable the Java web plug-in immediately. Re-enable Java applets by clicking the region labeled “Inactive plug-in” on a webpage.
This release updates Java SE 6 to version 1.6.0_35.
This release is for OS X versions 10.7 or later.
About the security content of Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 [source]
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, OS X Mountain Lion v10.8 or later
Description: An opportunity for security-in-depth hardening is addressed by updating to Java version 1.6.0_35. Further information is available via the Java website at http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
Oracle Security Alert for CVE-2012-4681 [source]
Description
This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.
In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment.
Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 “in the wild,” Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Supported Products Affected
Security vulnerabilities addressed by this Security Alert affect the products listed in the categories below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.