Apple Mac OS X users have found themselves under attack in recent weeks from the Flashback malware outbreak.
The Flashback malware was successful because it was able to exploit a vulnerability in Java that Oracle had already publicly patched. Apple has long trailed Oracle (and previously Sun) in providing OS X users with updates to Java. Back in 2009, security researchers issued warnings about the possible risks of the long delay between the official Sun/Oracle Java release and the Apple Java release.
In fact, multiple organizations have in recent years pointed to out-of-date Java installations as the most vulnerable browser plug-in.
Both Oracle and Apple are aware of the issue and InternetNews.com has learned that there is a fix in the works that may help to reduce the vulnerability window for Apple users. Currently there is a delay between the time an Oracle Java update is released and the corresponding Apple Java release is generally available. That delay will soon be a thing of the past.
Apple has been working on fixing this delay since at least November 2010. At that time, Apple announced that it would be giving the components for its implementation of Java on OS X to the Oracle-led OpenJDK project. However, Apple’s OpenJDK announcement was specific to Java SE 7, while Apple would continue to maintain Java SE 6 for OS X.
There is an OpenJDK update that is due to drop in the next two weeks, before month’s end. eSecurity Planet has learned that for the first time, OS X will be part of that release. Unfortunately, that release will only be the JDK (Java Development Kit) and not the JRE (Java Runtime Environment) that end-users install. It is, however, the first official step in the process that will soon lead to a release of a Java JRE for Mac OS X at the same time as it is available for Windows, Linux, and Solaris users.