Apple has issued a patch for Mac OS X that fixes a serious Java security flaw publicly disclosed six months ago, following criticism from security researchers.
The vulnerability affects a number of platforms running Java, and it was patched weeks earlier by most other operating-system vendors. Apple said its patch, published on Monday, updates Mac OS X's Java to include security fixes delivered by Sun in December.
In May, security researcher Julien Tinnes publicised the vulnerability of OS X to the bug, after he noted that Apple had not included a fix in its most recent patch.
"Unfortunately, it is still not patched in [Apple's] latest security update from just a few days ago," he wrote in a blog post.
Security firm Intego joined in the criticism of Apple at the time. "Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue," the company said in an advisory.
Also in May, researcher Landon Fuller published a proof-of-concept exploit demonstrating the danger posed by the bug to Mac systems. "Unfortunately, it seems that many Mac OS X security issues are ignored, if the severity of the issue is not adequately demonstrated," he wrote in an advisory.
The bug (designated CVE-2008-5353 in the Common Vulnerabilities and Exposures database) was first reported to Sun in August of last year, and was patched by Sun in December. It allows a remote attacker to take over a system, and was ranked as 'highly critical' by security vendor Secunia.
Exploits taking advantage of the flaw can be written in pure Java code, meaning they work on multiple platforms, Tinnes said. He recommended that Mac OS X users disable Java in their web browsers.
"This one is a pure Java vulnerability," Tinnes wrote. "This means you can write a 100 percent reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers."
Java is enabled by default in Mac OS X browsers such as Firefox and Safari, and Tinnes said he had successfully exploited the Java bug on both browsers.