Why did it take Apple six weeks to fix critical Java exploit?


Apple criticised for its tardy response to a Java vulnerability that left Mac users exposed

Apple has been criticised for taking six weeks to fix a Java flaw that was being openly exploited by criminals.

The Mac maker has come under fire from security experts for failing to react more quickly to the problem – a Java vulnerability so serious that security company F-Secure and other security vendors recommended disabling Java.

The patch arrived days after drive-by exploits were seen in the wild and the vulnerability was included in blackhat exploit kits available online.

“After leaving Mac users vulnerable for more than six weeks, Apple has finally released a new version of Java for OS X 10.6 and 10.7,” wrote Chester Wisniewski on the Sophos blog.

The release updates Java to Version 6, Update 31, which Oracle released for Windows, Linux and Unix on 14 February, leaving security professionals questioning Apple's commitment to protecting its users.
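A Mac administrator reading this would want to confirm that the installed runtime is actually at the patched level. The following shell function is an added check, not part of the article or of Apple's update tooling: it parses the first line of `java -version` output and reports whether it is Java 6 Update 31 or later. It assumes the conventional version-line format `java version "1.6.0_31"` and only answers for the 1.6 line the article concerns; any other major version, or an unparsable line, is reported as not verified.

```shell
# Added check, not from the article: is the Java reported by `java -version`
# at or above 1.6.0_31 (the update the article says Apple's patch delivers)?
# Assumed input format (first line of `java -version 2>&1`):
#   java version "1.6.0_31"

# Returns 0 when the version is 1.6.0 with update number >= 31,
# 1 otherwise (older update, unparsable line, or a different major version).
java_is_patched() {
    line="$1"
    # Pull out "<major.minor.micro>" and "<update>" from the quoted version string.
    ver=$(printf '%s\n' "$line" \
        | sed -n 's/.*"\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)_\([0-9][0-9]*\)".*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    base="$1"
    update="$2"
    # Only the Java 6 line is in scope for this check.
    [ "$base" = "1.6.0" ] || return 1
    [ "$update" -ge 31 ]
}

# Live usage against the installed runtime (the version line goes to stderr):
#   java -version 2>&1 | head -n 1 | { read -r l; java_is_patched "$l" && echo patched || echo "update Java"; }
```

The comparison is done on the numeric update field rather than by string equality, so later Java 6 updates are also accepted; a system still reporting an update below 31 has not received the fix described above.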

“This does make you wonder whether Apple takes security as seriously as it should,” Wisniewski said. “Perhaps its public facing image of being invulnerable is the prevailing attitude within the company.

“Why Apple did not deploy these fixes before Mac users were victimised by criminals is unclear.”

The fix addresses the Java vulnerability known as CVE-2012-0507 and is available from the Apple security update centre.

Apple declined to comment on why it took so long to respond.
