Apple Promptly Patches Java Flaws

Source: SecurityNewsDaily

Apple has released software updates to take care of Java security vulnerabilities, a decision that could indicate the computer giant has learned from its past mistakes.

Shipped yesterday (June 12), the patches fix 11 Java security vulnerabilities in the "oft-attacked software that is installed on more than three billion devices worldwide," researcher Brian Krebs said in his Krebs on Security blog.

Oracle, the maker of Java, patched 14 security bugs the same day, 12 of which it said in its security advisory could be remotely exploited without the need for a username or password.

Although companies like Oracle, Microsoft and Adobe regularly issue software updates, Apple's prompt attention to the Java bugs is telling. Apple's failure to patch Java in a timely manner earlier this year directly dented its longstanding reputation as more secure than Windows.

A quick timeline: A Java flaw was discovered in mid-January. Oracle patched the flaw for Windows and Linux machines on Feb. 17. Apple insists on doing its own security updates, and did not have a patch ready until April 2.

In the meantime, the operators of the Mac Flashback Trojan noticed that delay and re-engineered the Flashback dropper to exploit the still-unpatched Java flaw on Macs. The resulting infection compromised some 600,000 machines across the English-speaking world.

Apple has also, deliberately or not, led Mac users to believe they are inherently immune to viruses and other forms of malware. That has never been true, since some of the earliest personal-computer viruses were written for Apple machines, but until now Apple has done nothing to correct that false belief.

Today, Apple changed the wording in the "Why You'll Love a Mac" section of its website by removing claims that Macs don't get PC viruses.