Apple released a Java update for OS X on the same day that Oracle patched the vulnerabilities for Windows and other operating systems.
Apple issued separate updates for OS X 10.7, aka Lion, and OS X 10.6, or Snow Leopard, that patched 11 bugs in each edition. Oracle, which maintains Java for Windows, Linux and Solaris, shipped its update to patch 14 vulnerabilities.
Of the three bugs Oracle fixed but Apple did not, two applied solely to non-Apple operating systems, Solaris and Linux. It was unclear why the third was not included in Apple’s version.
Same-day patching had never happened before. Apple, still responsible for Java security updates for Lion and Snow Leopard, typically lags behind Oracle by weeks or even months.
That practice was a problem earlier this year when Apple’s Java update lagged behind Oracle’s by seven weeks. Hackers jumped at the opportunity and quickly infected an estimated 600,000 Macs with the Flashback malware by exploiting a Java bug that Oracle had patched but Apple had not.
Last year, the Cupertino, CA, company halted development on the OS X version of Java, and said it was handing the job off to Oracle. Lion, the version of OS X that launched in July 2011, was the first that did not include Java; users had to download and install the software themselves.
Oracle will be responsible for development, maintenance and the updates for Java for OS X as of Java SE 7 and later. Next month’s OS X 10.8, Mountain Lion, will follow in Lion’s footsteps, and not bundle Java.
As an additional defense, Apple in April issued an OS X update that disabled automatic execution of Java applets in the Java browser plug-in, and deactivated the Oracle software entirely if the user had not used it in the past 35 days.