For perhaps the first time in its history, Apple synchronized its Java update for Mac OS X with Oracle's own release of security patches, shipping its fix at about the same time. While Apple seems to have learned its lesson from the Flashback malware outbreak back in April, the company could still be doing a better job; some lingering questions remain.
Paul Henry, a security and forensic analyst, noted that “This is the first time that I can ever recall Apple actually doing a reasonable job with a patch for Java from Oracle. Normally, it's many, many months.”
The updates were released this week. If you still need them, check out Oracle's release of Java 6 Update 33 and Java 7 Update 5. Collectively, these two releases patch 14 security vulnerabilities. Apple users who need to patch their systems should grab Apple's own Java update, which brings the bundled Java to version 1.6.0_33 and repairs 11 of these flaws.
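The practical question for a Mac administrator is whether a given machine is actually at the fixed level. The script below is an added example, not part of the article or of Apple's or Oracle's tooling: it parses the `java version "1.6.0_31"` line that `java -version` prints to stderr and compares it against the fixed builds named above (1.6.0_33 for Java 6, 1.7.0_05 for Java 7). The sample `java -version` output embedded in it is constructed so the script runs offline; when a `java` binary is on PATH it checks that instead.

```shell
#!/bin/sh
# Added example: is the installed Java at or past the June 2012 fix level?
# Handles the old "1.<major>.0_<update>" version scheme used by Java 6 and 7.

# parse_java_version "1.6.0_31" -> prints "6 31" (major, update); returns 1
# if the string is not in the 1.x.y_NN form (e.g. no update number at all).
parse_java_version() {
    _ver=$1
    _major=$(printf '%s' "$_ver" | cut -d. -f2)
    _update=$(printf '%s' "$_ver" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*_\([0-9]*\).*$/\1/p')
    [ -n "$_major" ] && [ -n "$_update" ] || return 1
    # Strip leading zeros ("05" -> "5") so later numeric tests are not read as octal.
    _update=$(printf '%s' "$_update" | sed 's/^0*\([0-9]\)/\1/')
    printf '%s %s\n' "$_major" "$_update"
}

# java_is_patched "1.6.0_31" -> exit 0 if the version is at or past the fixed
# update (6u33 / 7u5), exit 1 if it is older or cannot be parsed.
java_is_patched() {
    _parsed=$(parse_java_version "$1") || return 1
    set -- $_parsed
    _major=$1
    _update=$2
    case "$_major" in
        6) [ "$_update" -ge 33 ] ;;
        7) [ "$_update" -ge 5 ] ;;
        *) [ "$_major" -gt 7 ] ;;   # later major releases postdate these fixes
    esac
}

# extract_version "<full java -version output>" -> the quoted version string
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*$/\1/p' | head -n 1
}

# Constructed sample of pre-patch `java -version` output (not captured from a
# real machine), used when no java binary is available.
SAMPLE_OUTPUT='java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)'

if command -v java >/dev/null 2>&1; then
    installed=$(extract_version "$(java -version 2>&1)")
else
    installed=$(extract_version "$SAMPLE_OUTPUT")
fi

if java_is_patched "$installed"; then
    echo "Java $installed: at or past the June 2012 fix level"
else
    echo "Java $installed: below the fixed level (1.6.0_33 / 1.7.0_05) or unrecognized"
fi
```

Run it on each Mac (or push it through your management tooling) and alert on the second message; the constructed sample, a 1.6.0_31 build, reports as unpatched.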
This, of course, is where the questions begin. Why fix only 11, rather than all 14? Apple is silent on this issue. Andrew Storms, director of security operations for nCircle, noted in an email that “It could be that not all bugs fixed in the three extra updates are applicable to the Mac, and it could be something else entirely.” But with no comment from Apple, we have no way of knowing.
It is exactly this close-mouthed approach to security that makes businesses and, especially, large corporations reluctant to purchase Macs. Henry hesitates to recommend Macs “because they just seem so adamant against talking about any security issues.”
With this attitude, Apple's security problems will only grow along with its popularity. The company learned that lesson the hard way in April of this year, when the Flashback botnet infected 650,000 Macs worldwide by exploiting a Java vulnerability that Oracle had already fixed but that Apple took weeks to patch in its own Java build for Mac OS X. That recent lesson could be behind Apple's rapid release of this week's Java patch.
Over the years, Apple seems to have relied on its small market share as a kind of “security through obscurity.” That strategy won't work any longer, if it ever did. Apple now makes up 11 percent of the computer market in Australia and 10 percent of the market in the US. With that many machines in the field, OS X is becoming a worthwhile target.
It doesn't help that Apple ships its own Java build rather than letting users take patches directly from a third-party vendor. This means that a Mac user must wait until Apple creates its own patch, and the company tends to release patches as part of a general upgrade of its products, so a user who doesn't want the upgrade might not get the patch. “If they're going to discount something as being a feature enhancement or a patch on performance, and it in fact corrects a vulnerability, some users may put off applying that patch, leaving themselves woefully exposed,” Henry noted.
If Apple wishes to continue increasing its computer market share, especially among corporations, it will need to become more transparent about its security issues and patches. This week's release marks excellent progress in its attitude, but more is needed.
For more on this topic, please visit the Infoworld story.