Apple Slow To Fix Java Flaws

Instructions showing wannabe Mac-hackers a way to remotely take control over OS X systems through an unpatched security hole have been posted online. The researcher who published the blueprints said he did so to nudge Apple into fixing the problem, which the company has known about for more than six months. But Security Fix has found that half a year is about the average time it takes Cupertino to plug these types of holes.

On Tuesday, renowned Apple researcher Landon Fuller published a proof-of-concept exploit for a particularly dangerous bug in Java that Sun Microsystems fixed in a patch released Dec. 3, 2008. However, Apple -- which ships its own version of Sun's Java with OS X -- has yet to push out an update to fix that particular flaw.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller wrote on his blog. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

Six months may seem like a long time to address a particularly dangerous vulnerability, but it's about par for the course with Apple and its record on patching Java flaws. I have reviewed the last three Java updates that Apple shipped during the past 18 months, and found that Apple patched Java flaws on average about 166 days after Sun had shipped its own patch to fix the same vulnerabilities.

I put together a rudimentary chart comparing Sun and Apple's Java patch times for the last three Java for Mac releases, available here:

HTML Version

Microsoft Excel version

Fuller's blog includes some workarounds that Mac users can apply to mitigate any threat from this vulnerability until Apple issues a patch. Researcher Julien Tinnes also has an extended discussion about the dangers of this vulnerability, and a decent back-and-forth between readers, over at his blog.

Please join me today at 11 a.m. ET for Security Fix Live, where I will endeavor to answer your questions on all things security, tech and privacy related. Drop by then, or send me a question in advance. Curious what we've discussed in previous chats? Check out the Security Fix Live archives. See you then!