Better late than never? Apple has released the third Java update in a week for Mac OS X, and this one contains the tool to remove the Flashback malware from infected systems. Beneath the belated fix to help users eradicate the threat, Apple has introduced a proactive approach to reducing security risk that other vendors should take note of.
This first couple Java updates already patched the underlying vulnerability. The latest version doesn't address any new vulnerabilities--it takes care of the destruction left in the wake of the vulnerabilities in the first place, and proactively reduces the exposure to risk for Mac users.
The latest Java update from Apple removes the known variants of the Flashback malware from infected Mac OS X systems. It also automatically disables Java if it has not been used during the previous 35 days. Once disabled, users have to manually re-enable Java in order for Java applets to run again. That means that malware attacks like Flashback would be unable to automatically execute and compromise Macs that don't regularly use Java.
In his Laws of Vulnerabilities blog, Qualys CTO Wolfgang Kandek appears to be impressed by Apple's innovative approach to minimizing risk. "This is exciting and to my knowledge nobody has done something like this before. It makes total sense to me: We have been telling users to disable or uninstall Java if they do not need it, but we know very well that only very security conscious users will do so."
It is a core tenet of computer and network security to disable or remove software and services that are not being used. Not doing so exposes the system to undue risk should a vulnerability be discovered and exploited against the unused tools and applications. Adding insult to injury, even when a flaw is discovered and announced, many users mistakenly believe the issue doesn't affect them because they're not actively using the tools. They'll ignore the patch and remain vulnerable.
What Apple has done with this update is to take the decision out of the user's hands--at least as it relates to Java. The OS will now monitor usage and simply disable Java if it is not used for an extended period of time. Other operating system platforms and software vendors may want to adopt a similar approach to automatically disable unused and unnecessary services to reduce exposure to attacks.
Kudos to Apple. It may be late to the game when it comes to helping users remove the Flashback malware from Mac OS X, but it has raised the bar for proactively protecting systems at the same time.