AFTER MAC USERS were left open to attack for "more than six weeks", Apple has finally patched a Java flaw in Mac OS X 10.6 and 10.7.
The Ithing maker released a Knowledge Base article yesterday advising users of Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3 and OS X Lion Server v10.7.3 to update their Java software.
Apple said that the fix addressed "multiple vulnerabilities" in Java 1.6.0_29, the most serious of which could allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.
"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_31," Apple warned.
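Apple's advice amounts to one check: is the installed runtime at or past Java 1.6.0_31? The script below is an added example, not from the article, Apple or Sophos; it parses the first line that `java -version` prints (for example `java version "1.6.0_29"`) and compares the release line and update number against the fixed version named in the advisory. The function name and the assumption that a later release line (1.7 and up) counts as past the fix are mine, not the page's.

```shell
#!/bin/bash
# Added example: decide whether the Java runtime reported by `java -version`
# is at or past 1.6.0_31, the release Apple's advisory names as fixed.
# Only the first output line is parsed, e.g.   java version "1.6.0_29"
MIN_MINOR=6     # the "6" in 1.6.0_31 (Java SE 6)
MIN_UPDATE=31   # the update number after the underscore

# java_at_fixed_level LINE -> exit 0 if patched, 1 if older, 2 if unparseable
java_at_fixed_level() {
    local line="$1"
    local q='"'
    case "$line" in
        *"$q"*"$q"*) ;;                  # must contain a quoted version
        *) return 2 ;;
    esac
    local ver="${line#*$q}"; ver="${ver%%$q*}"       # 1.6.0_29
    local base="${ver%%_*}"                          # 1.6.0
    local update="${ver#*_}"                         # 29
    [ "$update" = "$ver" ] && update=0               # no "_NN" suffix at all
    local minor="${base#*.}"; minor="${minor%%.*}"   # 6
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac   # reject non-numeric junk
    case "$update" in ''|*[!0-9]*) return 2 ;; esac
    # Assumption (not stated on the page): a later release line is past the fix.
    if [ "$minor" -gt "$MIN_MINOR" ]; then return 0; fi
    if [ "$minor" -lt "$MIN_MINOR" ]; then return 1; fi   # Java 5 or older
    [ "$update" -ge "$MIN_UPDATE" ]
}

# Stand-alone use: report on the runtime actually installed, if any.
if command -v java >/dev/null 2>&1; then
    first_line=$(java -version 2>&1 | head -n 1)
    if java_at_fixed_level "$first_line"; then
        echo "Java is at or past 1.6.0_31: $first_line"
    else
        echo "Java needs updating (advisory says 1.6.0_31): $first_line"
    fi
fi
```

The version string is pulled from between the first pair of double quotes rather than by position, so vendor prefixes or extra words on that line do not break the parse; a line with no quoted version returns 2 so a monitoring wrapper can tell "unknown" apart from "old".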
However, Apple's advisory and update come after Oracle warned of the security issues and pushed out the Java 6 Update 31 release for Windows, Linux and Unix in the middle of last month. The delay has drawn criticism from security experts.
"Today's release updates Java to version 6 update 31 which Oracle released for Windows, Linux and Unix on February 14th," security company Sophos said on its blog.
"This does make you wonder whether Apple takes security as seriously as it should. Perhaps its public facing image of being invulnerable is the prevailing attitude within the company. Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear. Fortunately, once it became a problem the company responded quickly."
Sophos went on to point out that the Apple release comes hard on the heels of an in-the-wild exploit actively targeting Mac users, in one of the first drive-by exploits the company has seen for OS X. µ