Apple patches the Java hole its own developers fell into – eventually

Shortly after admitting that its own techies got infected thanks to a Java hole, Apple has pushed out a Java update for the rest of us.

Bit of a pity that the Fruity Ones didn’t do this back at the beginning of February, when Oracle’s emergency “pre-Patch-Tuesday” update came out to fix the hole that Apple is only now closing off.

→ Curiously, Cupertino did push out a patch early in February, but only for OS X 10.6 users. Lion and Mountain Lion users have been in limbo until now.

Apple therefore bumps its Java distribution from 1.6.0_37 to 1.6.0_41, leapfrogging OS X 10.7 and 10.8 users past 1.6.0_39 entirely (the even numbers weren’t used for official releases).

This re-aligns Apple’s version with Oracle’s own recent patch, which came out on 19 February 2013 as scheduled.

Both Facebook and Apple have now admitted to being owned due to malicious Java code hosted inadvertently by a website popular with mobile developers.

Twitter, too, admitted to a breach recently; it didn’t say how it happened, but suggestively invited everyone to turn off Java in their browser as part of its official statement.

The smart money, then, is that Twitter fell into the same hole as Facebook and Apple.

No-one quite seems to know where this attack, or series of attacks, came from.

Bloomberg offers speculation that “the hackers are a criminal group based in Russia or Eastern Europe.”

Reuters quotes an expert who alludes to China as a possible source, but at least has enough perspicacity to mention that “there was no proof.”

It doesn’t really matter where the attacks came from if you’ve already followed the advice we’ve been trotting out since last year to turn Java off in your browser.

That stops dodgy Java applets from anywhere on the web from playing havoc with your computer, whether you’re running Windows, OS X, Linux or any other operating system on which Java is supported.

It’s telling, perhaps, that Apple, with this most recent update, seems to have washed its hands permanently of browser-based Java.

As its own update notification (see above) points out:

This update disables the Java SE 6 applet plug-in. To use applets on a web page, click on the region labeled "Missing plug-in" to download the latest version of the Java applet plug-in from Oracle.

I wonder how many Apple programmers will tempt their employer’s wrath by reaching out to Oracle to re-enable Java in their browsers?