Apple Patches Java for Mac OS X Flaw

The "highly critical" fix comes three months after Sun Microsystems first warned of the vulnerability, which could allow an attacker to turn off Java's security feature.

Apple on Wednesday released a fix for a highly critical flaw affecting users of its Mac OS X operating system.

The Apple patch comes exactly three months after Sun Microsystems Inc.s original warning that a vulnerability in its JRE (Java Runtime Environment) could allow an attacker to turn off Javas security feature and execute malicious code on a compromised machine.

Apple Computer Inc., based in Cupertino, Calif., said the Mac OS X patch updates Java to correct the issue, wherein an untrusted applet could gain elevated privileges and potentially execute arbitrary code.

Independent research firm Secunia, which first flagged the flaw last November, rates the Apple patch as "highly critical."

Security experts are also questioning why it took three months for Apple to patch such a high-profile vulnerability.

/zimages/4/28571.gifClick here to read more about Secunias warnings about Web browsers vulnerability to "phishing".

"Sadly, were at the stage where its not unusual for a software firm to take three months to fix [a serious flaw]," said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center.

"The problem is severe, and exploit code has been made available shortly after the vulnerability was announced," Ullrich told

Apple officials could not be reached to discuss the timing of the patch.

/zimages/4/28571.gifRead more here about Apples file-sharing, printing and QuickTime security update for its Mac OS X client and server software.

Michael Haisley, an incident handler at the SANS ISC, called on Apple to do a better job of addressing well-known vulnerabilities in a timely manner. If not, Haisley warned, "Mac OS systems will likely become a much more favorable target for attackers."

/zimages/4/28571.gifCheck out eWEEK.coms for the latest news, reviews and analysis on Apple in the enterprise.