Apple on Tuesday shipped a Java security update to Leopard and Snow Leopard users that patched a total of 27 vulnerabilities in the Oracle software.
Some of the bugs could be exploited to execute attack code outside the Java sandbox, Apple said, letting hackers hijack a vulnerable Mac. However, Apple did not spell out how many of the vulnerabilities could be exploited to "execute arbitrary code," its way of saying that the flaws should be considered critical.
Mac OS X 10.5, aka Leopard, received an update that patched 16 vulnerabilities in Java SE 6 and another 11 in Java SE 5. The update for the newer Mac OS X 10.6, aka Snow Leopard, also patched the 16 bugs in Java SE 6.
The Java SE 6 update fixed the same flaws that Oracle patched with the 1.6.0_24 security update issued on Feb. 15, 2011.
Tuesday's Java update was the first for Apple since mid-October 2010.
Shortly before that, Apple "deprecated" the Java runtime on Mac OS X -- telling developers not to rely on it being present in the operating system -- and announced it would contribute the tools and technologies it had created to build Java SE 7 to Oracle's OpenJDK open-source project.
In other words, Apple said it stop its own development of Java for Mac and would drop it from future versions of the OS.
The company did commit to continuing to support Java in Leopard and Snow Leopard, however.
"The Java runtime shipping in Mac OS X 10.6 Snow Leopard, and Mac OS X 10.5 Leopard, will continue to be supported and maintained through the standard support cycles of those products," Apple said on its developer Web site last October.
Last year's announcement hinted that Apple would not bundle a Java runtime with Mac OS X 10.7, aka Lion, the operating system upgrade slated to ship this summer. Reports, including one by AppleInsider last month, confirmed that Java is AWOL from Lion.
Experts have split over whether the disappearance of Java from Mac OS X will improve the operating system's security.
The Java updates , which range between 75GB and 120GB in size, can be downloaded at the Apple site or installed using the operating system's integrated update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.