Days after a serious malware threat to Mac OS X was discovered, Apple finally patched the three-month-old security flaw that made it possible.
Security updates to Mac OS X 10.6 Snow Leopard and OS X 10.7 Lion were pushed out to Macs worldwide Tuesday evening (April 3), inoculating iMacs, MacBooks and professional Macs against drive-by Trojans that infected machines unlucky enough to visit rigged websites.
All users of those two versions of OS X should apply those updates immediately.
The flaw in the Java runtime engine that made the exploits possible was discovered in mid-January. A month later, Oracle, Java's owner, released a stand-alone patch for Windows and Linux/Unix machines. But because Apple bundles Java updates into its own OS X security updates, it can take much longer for Macs to get such patches.
[ 10 Best Anti-Virus Programs for Macs ]
That wasn't a problem until malware writers took notice in late March. First the Blackhole exploit kit, a sort of jack-of-all-trades malware bundle that keeps probing browsers until it finds a flaw, incorporated the Java flaw into its latest version.
Several days later, the Mac Flashback Trojan, a hardy bug that manages to always stay one step ahead of its pursuers, added the Java flaw exploit to its many features.
Both of these developments essentially left Mac users exposed to the worst forms of drive-by downloads. The Java flaw was so severe that exploits based on it could bypass the administrator permission normally needed to install any software on a Mac.
Finnish security firm F-Secure even recommended that Mac users disable the Java runtime engine entirely to protect themselves. (Java comes bundled with OS X 10.6, but not with 10.7.)
A Russian security firm, Dr. Web, claimed today (April 4) that its research showed that 550,000 Macs had been infected with Mac Flashback, 75 percent of which were in the U.S. or Canada. Those numbers couldn't be independently confirmed.
Unfortunately, users of older Macs with PowerPC chips will still have to do that. Apple no longer supports their machines, and didn't push out a patch for Mac OS X 10.5 Leopard, the last version of OS X that those machines can run.
The Java runtime engine is a virtual, self-contained mini-operating system that runs small applications, such as casual games on websites. It's "platform agnostic," and hence flaws in it affect Macs, Windows PCs and Linux machines equally.