Bit of a pity that the Fruity Ones didn’t do this back at the beginning of February, when Oracle’s emergency “pre-Patch-Tuesday” update came out to fix the hole that Apple is only now closing off.
→ Curiously, Cupertino did push out a patch early in February, but only for OS X 10.6 users. Lion and Mountain Lion users have been in limbo until now.
Apple therefore bumps its Java distribution from 1.6.0_37 to 1.6.0_41, leapfrogging OS X 10.7 and 10.8 users past 1.6.0_39 entirely (the even numbers weren’t used for official releases).
Twitter, too, admitted to a breach recently. It didn’t say how it happened, but suggestively invited everyone to turn off Java in their browser as part of its official statement.
The smart money, then, is that Twitter fell into the same hole as Facebook and Apple.
No-one quite seems to know where this attack, or series of attacks, came from.
Bloomberg offers speculation that “the hackers are a criminal group based in Russia or Eastern Europe.”
It doesn’t really matter where the attacks came from if you’ve already followed the advice we’ve been trotting out since last year to turn Java off in your browser.
That stops dodgy Java applets from anywhere on the web from playing havoc with your computer, whether you’re running Windows, OS X, Linux or any other operating system on which Java is supported.
It’s telling, perhaps, that Apple, with this most recent update, seems to have washed its hands permanently of browser-based Java.
As its own update notification (see above) points out:
This update disables the Java SE 6 applet plug-in. To use applets on a web page, click on the region labeled "Missing plug-in" to download the latest version of the Java applet plug-in from Oracle.
I wonder how many Apple programmers will tempt their employer’s wrath by reaching out to Oracle to re-enable Java in their browsers?