Apple (finally) issues a Java update which removes the Flashback malware

Apple support document for OS X 10.7 (Lion) and 10.6 (Snow Leopard)

Putting on my old IT hat, this is one area where I have no problem crucifying Apple.  Their overall response to this Java-related security issue was too slow.  The Java vulnerabilities that provided the attack vector for the Flashback malware were patched by most other vendors back in February.

It wasn’t until this latest Flashback variant that Apple finally released a set of Java security updates to address this particular vulnerability.  This update also removes the actual trojan.  In the meantime, though, users had to scramble to figure out whether they’d been infected.  Initially, that required opening a Terminal session and running some shell commands.  For non-technical people, performing this action is nonsensical at best.  That is NOT the Macintosh way.  Third-party vendors quickly offered up the first GUI tools within hours to check for the trojan, while Sophos provided removal capabilities in the free Home version of its anti-virus software.  Then, just a day ago, various security software companies also offered free apps to check for and remove Flashback.

In Internet time, Apple’s response was glacial and inexcusable.  The brunt of the initial support was taken up by consultants, contractors, and outside companies (including myself).  If you equate time to money, it amounted to a chunk of both for many of those people and firms who offered their services for free (especially when you consider that the average minimum billable hourly rate for tech is around $60/hour), and offering them for free is the right thing to do, as opposed to even thinking of profiting from it.  This isn’t anything new, though.  Apple has oftentimes lagged not only in addressing vulnerabilities, but also in working with the third parties who discover and report them.

In enterprise IT, vendors like IBM and Sun quickly issued security patches.  Furthermore, depending on your SLA (service level agreement), a support engineer would be on hand within 24 hours to make sure the patches went through OK and didn’t affect anything else.  Yes, I know that I’m referring to an enterprise deployment as opposed to Apple’s consumer-oriented base.  The point is that Apple now has a sizable consumer footprint, which requires a faster response time when it comes to security vulnerabilities in code that Apple maintains.  Apple also has to communicate better with those who discover and report such issues (at least acknowledge receipt of the report) and then tell its customer base that it is aware of the issue and working on a fix (as opposed to saying nothing at all).