Apple(s AAPL) recently introduced multiple software updates and a removal tool for the “Flashback” threat that takes advantage of an exploit in Java on Macs. For users of the current version of Apple’s desktop OS, Lion 10.7.3, and the previous OS, Snow Leopard 10.6.8, Apple’s got you covered. For anything older than that Apple’s current recommendation is to disable Java. That’s wrong, and here’s why.
Apple’s “solution” of disabling Java on versions prior to Snow Leopard isn’t realistic for users that still intend to keep their Mac on the Internet, since web-based Java is still popular, especially for proprietary corporate applications. If you are on a Leopard (10.5) or older system, Apple’s solution means that you could try to enable Java only while you are using websites that require it and then immediately turn it off afterward (a common example of usage is for remote control programs such as GotoMyPC and Logmein). To be fully secure though, the better solution is to upgrade your OS. However, upgrading your Mac’s OS could introduce incompatibilities with existing software that will require further costs to upgrade. Plus, if a user hasn’t upgraded to Snow Leopard — an admittedly old OS — yet, they may have a good reason for doing so.
Apple updates its operating system at a much faster pace than Microsoft(s MSFT). Leopard was superseded by Snow Leopard in August 2009 and Windows XP was superseded by Vista in November 2006, yet Microsoft is still providing critical security updates for XP until April 2014. Microsoft is providing more security updates for more versions of their operating system while Apple is starting to abandon users after less than three years.
To be fair, a majority of Mac users have already moved to either Snow Leopard or Lion, according to estimates from Net Market Share so most Mac users will be protected from this security flaw after installing Apple’s latest updates. Windows XP, meanwhile, is still on a majority of PCs according to that same study, even though its successor, Windows 7, was released in July 2009. Microsoft is doing this right by continuing to provide security updates for its older operating systems, which sort of makes sense given Microsoft’s constant battle with malware over the years. But Apple isn’t.
With Apple’s accelerated OS release cycle, leaving Leopard’s Java security unsupported after less than three years is unfair to users and a potential class action lawsuit waiting to happen since Apple’s extended warranty (AppleCare) is designed to support the Mac for three years. That MacBook you bought in May 2009 has a problem that Apple knows about, and Apple’s solution is to simply disable portions of the OS provided by Apple for your computer.
At the very least, Apple should be required to either patch a security flaw in any computer still under AppleCare or provide a free update to a currently supported version like they are doing for MobileMe users. Two years is simply too short of an upgrade cycle to expect users to keep up with in order to maintain the security of their systems.
If Apple continues this “current and previous version” approach towards security, Snow Leopard users are going to miss out on security updates when Mountain Lion 10.8 comes out this summer, only two years after they upgraded to Snow Leopard. Apple needs to step up to the plate and provide security updates for at least three years — otherwise Mac users could be more secure wiping an older Mac OS on that Intel-based Mac and installing Windows XP instead! At least then they’ll have until April 2014 before their computer turns into an unsecured ticking time bomb.