Apple has released a Java for Mac update to fix multiple security vulnerabilities, some serious enough to expose Mac OS X users to remote code execution attacks.

According to an Apple advisory, the most serious flaw could allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. This could enable computer takeover attacks if a user running an unpatched system simply surfs to a maliciously rigged Web site.

The Java for Mac patch, available for Mac OS X v10.5.8 and Mac OS X Server v10.5.8, addresses security holes in Java 1.6.0_22 and Java 1.5.0_26.

The raw details:

Multiple vulnerabilities exist in Java 1.6.0_22 and Java 1.5.0_26, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_24 and Java version 1.5.0_28.

Java for Mac OS X 10.5 Update 9 can be downloaded and installed via the Software Update preferences, or from Apple Downloads.