updated 06:00 pm EDT, Tue April 3, 2012
Addresses new Flashback vulnerability
Apple has released an updated Java version for 10.6.x Snow Leopard and made available an updated optional Java distribution for Lion, both coming just one day after warnings of a new version of the Flashback malware that can exploit a Java vulnerability. Although not confirmed in the public release notes, the update patches the vulnerability, bringing it up to date with Oracle's own patched version, 1.6.0_31.
The Lion version is referred to simply as "Java for OS X" with a tag "2012-001" while the Snow Leopard version is called "Java for Mac OS X 10.6" with the tag "Update 7." Snow Leopard was the last OS X release to automatically include Java; Lion shipped without a built-in distribution, and prompted users to download one if they tried to run a program or visit a website that required it.
The update patches multiple vulnerabilities that existed in Java 1.6.0_29, in particular the bug that allowed the Flashback malware to operate without requesting user permission to be installed. Untrusted Java applets could, under the previous version, execute arbitrary code outside the Java sandbox. In all, the update addresses a dozen vulnerabilities, marked as CVE-2011-3563, CVE-2011-5035, and CVE-2012-0497 through 0507 inclusive.
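A quick way for an administrator to tell whether a Mac is still on the exposed 1.6.0_29 build or on the patched 1.6.0_31 is to parse the first line of `java -version` output. The script below is an added example, not Apple's or Oracle's tooling; it assumes the usual `java version "1.6.0_NN"` format and treats any other Java line as "unknown" rather than guessing.

```shell
#!/bin/sh
# Classify a `java -version` banner line as patched, vulnerable or unknown,
# relative to the 1.6.0_31 build the Apple update corresponds to.
PATCHED_MAJOR=1.6.0
PATCHED_UPDATE=31

# parse_java_version LINE -> prints "MAJOR UPDATE" (e.g. "1.6.0 29"), or fails
parse_java_version() {
    # keep only what is between the quotes: java version "1.6.0_29" -> 1.6.0_29
    v=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*$/\1/p')
    [ -n "$v" ] || return 1
    major=${v%%_*}
    update=${v#*_}
    [ "$update" != "$v" ] || update=0   # no _NN suffix means update 0
    printf '%s %s\n' "$major" "$update"
}

# is_patched LINE -> prints patched (exit 0), vulnerable (exit 1) or unknown (exit 2)
is_patched() {
    parsed=$(parse_java_version "$1") || { echo unknown; return 2; }
    major=${parsed% *}
    update=${parsed#* }
    if [ "$major" != "$PATCHED_MAJOR" ]; then
        echo unknown; return 2      # a different Java line; this check does not apply
    elif [ "$update" -ge "$PATCHED_UPDATE" ]; then
        echo patched; return 0
    else
        echo vulnerable; return 1
    fi
}

# check_installed_java -> classify the Java actually on this machine, if any
check_installed_java() {
    command -v java >/dev/null 2>&1 || { echo unknown; return 2; }
    is_patched "$(java -version 2>&1 | head -n 1)"   # the banner goes to stderr
}

check_installed_java
```

Run it on a fleet of machines and treat any "vulnerable" result as a host that still needs the "Java for Mac OS X 10.6 Update 7" or "Java for OS X 2012-001" package.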
For many users (or those running systems earlier than 10.5), a simpler solution was to disable Java in Safari or their browser of choice. Though there are still websites that use it, security issues have lessened its popularity over the years, to the point where having it disabled is a viable option for many users. Apple deprecated its own custom versions of Java with Lion, making its installation optional but also allowing users to get updated versions that are supported directly by Oracle rather than wait months for Apple to release its own version.