Six months after the discovery of a security flaw in Apple's implementation of Java software in some versions of the Mac OS X operating system, the company is releasing a fix.

The software flaw could allow a hacker to install and execute malicious software (malware) on Macs running Leopard and some Tiger operating systems. Once onboard the Macs, the malware could be used to steal information from the computers.

Security researchers claim that Apple has been ignoring their warnings about this problem for months. Five months ago the Java vulnerabilities were publicly disclosed, and fixed by Sun Microsystems (the company that developed and maintains Java), according to a May blog post by Landon Fuller, founder of software maker Plausible Labs Cooperative, Inc. in San Francisco and a former Apple programmer. Fuller also published a proof-of-concept hack on his Web site demonstrating how someone could exploit the vulnerability to attack or even take control of another person's Mac, Computer Reseller News (CRN) reports.

Intego, an Austin, Texas-based maker of Mac security software, last month also issued a warning for Mac users to disable Java in their Web browsers until Apple got around to fixing the Java vulnerability, reports InformationWeek. The flaw in Java, a programming language Sun introduced in 1995 to allow the same software to run on many different computer platforms, could allow Mac users to be attacked simply by visiting a Web site containing malware designed to exploit the flaw (a so-called "drive-by" attack). Hackers writing such malware could then access or delete files on the vulnerable Mac, according to Intego.

While Washington Post computer security reporter Brian Krebs writes that Apple has a history of patching Java flaws on average about six months after Sun has fixed them, Apple is far from the only big software company known to drag its feet when fixing problems with its products. Microsoft, Oracle, Cisco and others have been known to take a reactive (rather than proactive) approach toward disclosing and fixing security flaws in their software, sometimes prompting security experts to (as Fuller did) write and publish blueprints for exploiting those flaws.

One of the most infamous examples of this came at the Black Hat security conference in July 2005 when then-24-year-old security expert Michael Lynn gave a presentation demonstrating how to take control of Cisco network routers thanks to a security hole in Cisco's software. When Cisco got wind of what Lynn was doing at the conference, the company demanded that Black Hat remove Lynn's presentation from its conference handouts and got a court order to prevent Lynn from ever giving his presentation again. Cisco claimed that it had already issued a patch for the problem in April 2005, but Lynn countered that Cisco underplayed to customers the seriousness of the security problem, so many had not bothered to install it.

Image © Robert Koopmans