This first couple Java updates already patched the underlying vulnerability. The latest version doesn't address any new vulnerabilities--it takes care of the destruction left in the wake of the vulnerabilities in the first place, and proactively reduces the exposure to risk for Mac users.

The from Apple removes the known variants of the Flashback malware from . It also automatically disables Java if it has not been used during the previous 35 days. Once disabled, users have to manually re-enable Java in order for Java applets to run again. That means that malware attacks like Flashback would be unable to automatically execute and compromise Macs that don't regularly use Java.

In his , CTO Wolfgang Kandek appears to be impressed by Apple's innovative approach to minimizing risk. "This is exciting and to my knowledge nobody has done something like this before. It makes total sense to me: We have been telling users to disable or uninstall Java if they do not need it, but we know very well that only very security conscious users will do so."

It is a core tenet of computer and network security to disable or remove software and services that are not being used. Not doing so exposes the system to undue risk should a vulnerability be discovered and exploited against the unused tools and applications. Adding insult to injury, even when a flaw is discovered and announced, many users mistakenly believe the issue doesn't affect them because they're not actively using the tools. They'll ignore the patch and remain vulnerable.

What Apple has done with this update is to take the decision out of the user's hands--at least as it relates to Java. The OS will now monitor usage and simply disable Java if it is not used for an extended period of time. Other operating system platforms and software vendors may want to adopt a similar approach to automatically disable unused and unnecessary services to reduce exposure to attacks.