Java vulnerabilities?

Java is an integral part of MacOS X. Apple provides the updates to Java via Software Update. It is interesting that you look to a Mozilla website as an authority. Firefox and other Mozilla browsers include their own Java VM [developed by Symantec, IIRC]. However, the Mozilla JVM lags behind Apple's. This is why the Javaplugin Project developed the Java Embedding Plugin. It allows Mozilla browsers to access the Apple JVM.

 

Security issues do indeed exist in the latest Java version for Mac OS X. Apple is working on an update - as evidenced in their developer site (free registration required). However, the update only brings Mac OS X Java 6 to u21 currently. I firmly believe that Apple will integrate the u22 changes into the update that they are currently working on, though.

 

Acording to Microsoft blog, Java is vulnerable until latest update 23. One of this vulnerability is afecting also MacOS X.
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx

"CVE-2008-5353 3,560,669 1,196,480 A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X."

 

I think you are mistaken. Firefox and others contain and own implementation of JavaScript, but that has NOTHING to do with Java the language or Java the platform/VM. All web browsers require a platform specific installation of Java when you visit a Java enabled website, and Firefox on Mac definitely launches Apple's Java VM when you navigate to a Java website.

Since Apple officially deprecated its own Java implementation (and used to be awfully slow with updating the VM even when it was still officially supported), this is now just another security hole in OS X that probably won't ever be closed.