As of this week, more than a quarter-million computers on the Web have been infected with malware exploiting the vulnerabilities, said Atif Mushtaq, a security researcher at FireEye.
The bugs were in the Java plug-in used in all the major Web browsers, including Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox. The flaws were rated critical because cybercriminals could use them to install malware capable of commandeering a computer.
Apple’s patches automatically deactivated the Java plug-ins in browsers, leaving it up to Mac users to turn them back on. Until a few months ago, Apple had handled the release of all Java updates. Now, customers can download and install fixes directly from Oracle.
“Apple is trying to distance itself from Java in general,” said Marcus Carey, a security researcher at Rapid7. “Over the last six months, Java has been a headache for everyone in the industry.”
By turning off Java by default, Apple is making customers choose whether to take the risk in running the browser plug-in. “People who need Java are going to be on their own,” Carey said.
“In my opinion, most Apple users should just turn Java off,” Andrew Storm, director of security operations for nCircle, said by email. “Apple doesn’t ship it pre-installed anymore and most Java applets are slow and clunky. It’s always good security practice to turn off anything you don’t really need.”
While Apple moves away from the technology, Java remains a headache for Oracle. Many security experts have criticized the business software maker for the amount of time it takes to release a patch for known Java vulnerabilities.
“Why talking to your customers about security is so difficult is beyond my comprehension,” Storm said. “All software has bugs, customers know that. We don’t ask for a lot of information; the minimum requirements include an estimate of when a fix will be available and some mitigation advice. How hard is that?”
For years, Apple faced the same criticism for taking months to pass on to its customers Java updates that Oracle had already released. In June, Apple appeared to change course, releasing a Java patch on the same day as Oracle for the first time. Apple doesn’t comment on product security.
“Overall, Apple has been very fast in coming out with new versions of Java, which is a great security improvement over the past,” Wolfgang Kandek, chief technology officer for Qualys, said by email.