From the ‘why so long?’ files:
Apple has finally patched Java on the Mac for a long list of issues that had already been patched on other operating system platforms.
Unlike on Windows, where users get their Java updates directly from Sun (and soon Oracle?), Apple packages Java for the Mac itself. Mac users therefore have to wait until Apple releases its official Java for the Mac updates to get the latest fixes.
The issue with Apple providing its own fixes is that they lag, by some accounts by as much as six months, behind the updates Sun issues for other operating systems.
Security researcher Landon Fuller recently warned on his site about numerous Java vulnerabilities that had already been publicly disclosed, and fixed by Sun. Fuller issued his own proof of concept for the flaws in May.
While I understand the need for Apple to maintain its own Java packages to ensure the quality of experience for Mac users, I do not understand the excessive delay in following Sun’s patches. If proof-of-concept code exists, as it did for the Java issues, Mac users are at risk when they shouldn’t be.
Simply put, Apple needs to be more diligent in tracking updates to the third-party software that it maintains, whether it’s Java or any of the open source packages it also maintains.