
» IT Security NEWS
 
» 19 May 2009
Negligent Apple Ignores Critical Java Vulnerability

More than six months after Sun Microsystems cautioned that a flaw in its Java virtual machine makes it easy for hackers to install malware on end users' machines, the vulnerability remains unaddressed on Apple's end, leaving its Mac platform susceptible to malicious attacks.

In contrast, most other operating systems (like major Linux distributions and the latest versions of Windows) fixed the glitch months ago. This is good news for the two corporations, but terrible news for Apple, because the vulnerability could be actively exploited in the wild against machines running Mac OS X or any operating system that hasn't received updates in the last six months.

Breach and vulnerability testers, including VUPEN Security and Immunity, consider the hole important enough to offer their clients exploit code that tests for the flaw. According to an email sent by Immunity researcher Bas Alberts, "This bug, and others like it, are essentially 'write once, own all' type deals. So yeah, they're fairly interesting to people on the offense side of the fence."

The company's exploit code that targets the weakness is written in Java and works equally well on targets running OS X, Linux, or Windows. However, Apple has yet to address the vulnerability. In fact, a week ago it issued major OS upgrades that lacked a patch for the bug.

Dino Dai Zovi, coauthor of "The Mac Hacker's Handbook" and an independent security researcher, notes that Apple is a bit slow on the uptake when it comes to applying upstream security updates in Java. He believes it's pretty significant when the company lags behind in patching a vulnerability that's already been exposed.

He adds that Apple has done this before, and claims that potential hackers don't need to search for anything new because they can just use existing Java vulnerabilities in Mac applications that, more often than not, are left unfixed.

In fairness to Apple, its developers do go the extra mile of writing and testing their own Java patches. Such double duty isn't required on Microsoft's part because Sun automatically gives the company all the Java fixes and patches that Windows needs. Then again, that's not really an excuse, since Suse, Red Hat, and Hewlett-Packard do patch their platforms on their own. There has been no comment so far from Apple itself, and its spokesperson has not been answering emails inquiring about the vulnerability.

 


© Copyright 1999-2012: SecPoint®