Apple's iron grip on information and the release of fixes has been a nagging issue for years. In 2008, for example, Apple took over four months to patch a DNS vulnerability.
"Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear," wrote Chester Wisniewski, a security researcher for UK-based vendor Sophos, in a blog post about Flashback.
Brian Krebs, of Krebs on Security, says that more threats are on the way. "We can expect an evolution of threats against Mac users that will largely mirror those that Windows users face: that is, via the exploitation of vulnerable browser plug-ins, such as Adobe Reader, Flash, and most definitely Java."
Apple's Flashback fix, deployed Thursday, mitigates Java flaws. "As a security hardening measure, the Java browser plug-in and Java Web Start are deactivated if they are unused for 35 days," Apple says.
Ignorance Is Not Bliss