Why should users pay for developers' mistakes?
For many years, I've been of the opinion that software bug fixes (which include patches for vulnerabilities) should be kept separate from feature changes. That is, you shouldn't be required to purchase an upgrade for a piece of software in order to receive patches needed to make it work safely or 'as described'.
I'm not too bothered when free updates deliver fixes and improvements in one go, but that's probably because (as far as I can recall) I've never been in a situation where I've been unable to apply such an update due to an incompatibility with another essential piece of software.
So I was very pleased to hear that Adobe backed down from its initial stance that the only way for its CS5 customers to get a fix for a TIFF-related vulnerability was to upgrade to CS6 at considerable expense. Instead, patches for the CS5.x versions of Illustrator, Photoshop and Flash Professional will be made available in due course.
Similarly, though less thoroughly, Apple this week broke from tradition and released a security update for Leopard to at least partially address the Flashback malware and a second to discourage the continued use of old and vulnerable versions of Flash.
What we may need is legislation to ensure that software developers continue to deliver bug fixes - especially those with security implications - for the useful life of their products. They take our money upfront, and I believe that imposes certain responsibilities which they have tended to avoid. (Just to be clear, I don't think those responsibilities include accommodating subsequent changes to other companies' products, such as providing compatibility with a new major version of an operating system, or with hardware that wasn't on the market at the time the program was sold.)
The problem is defining 'useful life' in this context. I'm inclined towards a fixed number of years after the last sale of a given version, as other rules (such as supporting version n-1 or n-2) can easily be manipulated by the vendors.
My feeling is that five or six years is probably about right. These days, we consider software expensive if it costs $2000 - yes, I'm thinking of you, Adobe! But spread over five years, that's less than $8 per week, so it doesn't seem too unreasonable if the program is left to 'wear out' after that period.
But maybe it's too late. We might not all like the idea of software subscriptions (whether the programs are delivered for use on our hardware or offered as a service from data centres that could be anywhere in the world), but there does seem to be an inexorable move in that direction.
Oracle to maintain Mac Java
It looks like the delays between the release of new versions of Java and their availability for Mac OS X will soon be a thing of the past.
Oracle has now released Java Development Kit (JDK) 7 and the JavaFX 2.1 Software Development Kit (SDK) for Mac OS X.
"Mac OS X is a major new platform for us; the first new platform added in a very long time. It should be considered a '1.0' release and there are a number of known issues," said Henrik Stahl, senior director of product management at Oracle's Java platform group.
JDK 7 includes the Java Runtime Environment and hence the Java Virtual Machine, which are the parts of interest to Mac users who just need to run Java applications and applets.
The main user release won't happen until JDK 7u6, which is expected after the release of OS X 10.8 Mountain Lion. Apple has never (to the best of my knowledge) articulated a formal policy about supporting older versions of the operating system, but in practice it has only released updates for the current and immediately previous version. Oracle is taking a similar approach with Java for Mac, so Lion will be the earliest supported version.
Community-built OpenJDK 7 and 8 packages are available for Lion and Snow Leopard.
The good news is that according to Stahl, "From this point on, every release of Oracle JDK 7 and JavaFX 2.1 (and later) will be available on Mac at the same time as for Linux, Windows and Solaris."
This doesn't mean there will be no exploitable Java vulnerabilities in future, but it does mean that we shouldn't see a repeat of Flashback.K, which exploited a vulnerability that became public knowledge when it was fixed in an update for Oracle's Java. That hole was left open on Macs for several weeks after Oracle's fix, although Apple's Java update appeared just a few days after Flashback.K.
Flashback.K was particularly effective because it used a true drive-by exploit. Once a web browser opened an 'infected' page, the malware was installed regardless of the user's subsequent actions unless security software that recognised the malware was running.
Well over 600,000 Macs were thought to be infected, with a search ad hijacker installed by Flashback.K estimated to have garnered as much as $10,000 per day for its perpetrators.
Mac won't be subsumed into iPad family, says Cook
Apple CEO Tim Cook has given the clearest indication yet that the Mac won't be subsumed into the iOS family in the foreseeable future.
During a conference call following the announcement of Apple's extremely solid March quarter results (apart from stellar iPad and iPhone numbers, Mac sales growth comfortably exceeded that of the global PC market), Cook noted that the tablet market will probably exceed the PC market in three years or so, partly due to the "universal" appeal of the iPad.
But he went on to say "I also believe that there is a very good market for the MacBook Air, and we continue to innovate in that product. And - but I do think that it appeals to somewhat - someone that has a little bit different requirements. And you wouldn't want to put these things together because you wind up compromising in both and not pleasing either user. Some people will prefer to own both, and that's great, too. But I think to make the compromises of convergence, so - we're not going to that party. Others might. Others might from a defensive point of view, particularly. But we're going to play in both."
So while Mountain Lion will bring a number of iOS features to Mac OS X, it seems clear that Apple is committed - at least for the next several years - to the Mac for those who want or need a more traditional computing experience (keyboard, larger screens, generous storage, and so on).
[Quotes taken from a transcript of the conference call provided by Seeking Alpha.]
More Mac malware
The number of Macs infected with Flashback.K continues to fall. According to Symantec it was down to around 140,000 at the beginning of this week, after peaking at something like 650,000. Apple's release of a second-generation Java update (plus a Lion-only standalone utility) that cleans up certain Flashback variants presumably contributed to the reduction.
But another piece of malware exploiting the same Java vulnerability has emerged. Dubbed Sabpab, it plants a backdoor on affected systems.
If you promptly applied Apple's Java update, you shouldn't be bothered by this variant of Sabpab. But in the last couple of days security vendors have warned that an earlier version of Sabpab appeared in February and used a vulnerability in Word 2004 and 2008 to infect systems.
That Word flaw was fixed in 2009, so unless you're particularly slack when it comes to updating software you should be safe. Furthermore, it seems that version of Sabpab was pushed out in a spearphishing campaign, so unless you're associated with Tibetan nationalism the infected document was unlikely to come your way (which is why it stayed under the radar for so long). But it sounds as if the malware itself as well as the document that conceals it could be modified quite easily, so it may crop up in another form.
I can understand people not wanting to be on the bleeding edge when it comes to updating software, but recent events suggest you shouldn't get too far behind the curve.
The spread of Flashback
Returning to the theme of last week's post, it seems that over 650,000 Macs had been infected with the Flashback malware as of Monday April 9.
If that's anything like correct (the numbers are based on the instances detected by fake command and control servers set up by two Russian security companies), that makes Flashback one of the most successful pieces of malware ever - at least in terms of the proportion of the installed base that it managed to infect. Note that's not just Mac malware, it's malware for any platform.
[Update: I now see Symantec - which is sinkholing the current domains used for Flashback command and control - reports the number of infected systems has fallen to 270,000. That seems to indicate that clean-up is well under way.]
The overwhelming majority of Flashback.K infections have supposedly occurred in the English speaking world (around 6% of them in Australia). This probably says something about the sites used to deliver drive-by downloads of the malware.
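Infection counts like the ones quoted above come from sinkholing: a researcher registers or seizes the command-and-control domains, lets the bots phone home to a server they control, and counts distinct callers. The tally below is an added example written for this post, not code from Dr.Web, Kaspersky, Symantec or Apple. The log layout, the field names and the per-bot identifier are assumptions chosen for the example, and the log lines are constructed, not captured traffic. It shows why two sinkholes can publish different numbers for the same botnet: the result depends on the time window, on whether you count bot identifiers or IP addresses, and on how recently the infected machines were cleaned up.

```python
"""Toy command-and-control sinkhole tally (added example, not the post's code).

Assumptions: each bot sends a stable per-machine identifier ('bot_id') when it
checks in, and the sinkhole logs one line per check-in as
    <ISO-8601 UTC timestamp> <source IP> <country code> <bot_id>
The sample below is constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed log. Note: three bots share one NAT address (203.0.113.10),
# one bot (bot-b1) checks in from two different addresses, and one check-in
# (bot-d1) falls outside the one-day window used in the demo.
SAMPLE_LOG = """\
2012-04-09T10:00:01Z 203.0.113.10 AU bot-a1
2012-04-09T10:00:07Z 203.0.113.10 AU bot-a2
2012-04-09T10:00:09Z 203.0.113.10 AU bot-a3
2012-04-09T10:03:15Z 198.51.100.5 US bot-b1
2012-04-09T10:05:40Z 198.51.100.5 US bot-b1
2012-04-09T11:15:40Z 192.0.2.77 GB bot-c1
2012-04-09T11:16:02Z 192.0.2.78 US bot-b1
this line is malformed and must be skipped
2012-04-11T09:00:00Z 198.51.100.9 CA bot-d1
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Yield (timestamp, ip, country, bot_id) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts_str, ip, country, bot_id = parts
        try:
            ts = datetime.strptime(ts_str, TS_FORMAT)
        except ValueError:
            continue
        yield ts, ip, country, bot_id


def tally(text, window_end, window_days=1):
    """Count bots seen in the window_days ending at window_end (ISO string).

    Returns (unique_bots, unique_ips, per_country). A bot is attributed to the
    country of its most recent check-in, so a roaming bot is counted once.
    """
    end = datetime.strptime(window_end, TS_FORMAT)
    start = end - timedelta(days=window_days)
    last_seen = {}  # bot_id -> (timestamp, country)
    ips = set()
    for ts, ip, country, bot_id in parse_log(text):
        if not (start <= ts <= end):
            continue
        ips.add(ip)
        if bot_id not in last_seen or ts > last_seen[bot_id][0]:
            last_seen[bot_id] = (ts, country)
    per_country = Counter(country for _, country in last_seen.values())
    return len(last_seen), len(ips), per_country


def share(per_country, country):
    """Fraction of counted bots attributed to `country` (0.0 if none counted)."""
    total = sum(per_country.values())
    return per_country[country] / total if total else 0.0


if __name__ == "__main__":
    bots, ips, by_country = tally(SAMPLE_LOG, "2012-04-09T23:59:59Z")
    print(f"distinct bots: {bots}, distinct IPs: {ips}")
    for cc, n in by_country.most_common():
        print(f"  {cc}: {n} ({share(by_country, cc):.0%})")
```

Counting by IP address would give 4 here while counting by bot identifier gives 5, and widening the window to cover 11 April adds a sixth bot; that is the kind of methodological difference that lets one vendor report 650,000 infections while another reports 270,000 a few days later, before any clean-up is taken into account. A real sinkhole also has to cope with identifiers that are not unique (cloned virtual machines, imaged laptops) and with security researchers' own scanners checking in, neither of which this toy handles.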
If something like 1% of the Mac installed base has been infected then I would have expected to have heard by now from a friend, acquaintance or colleague who had fallen victim. But I haven't, although I have seen a few online reports from people who have found Flashback on computers they administer.
That might be explained by the profile of the Mac users in my circle: relatively sophisticated (at least in terms of knowing not to authenticate when the request comes out of the blue), and quite likely to be running Microsoft Office or Skype (Flashback.K's 'stealth' installation avoids systems with those programs installed, apparently because the code it adds may cause them to crash).
Apple has now revealed that it is working on software to detect and remove Flashback, but I'm left with the impression that the company still hasn't implemented a solid security strategy. In my book, that would include prompt delivery of updates to third-party code such as Java and all the open source components, giving prompt warnings (along with any mitigations) to customers when issues do arise, and cooperating with security vendors and individual researchers rather than treating them as if they were the enemy.
Anyway, Adam's recent SMH piece 'What's your long weekend tech project?' prodded my conscience, and I finally got round to upgrading one of my Macs to Lion. In the light of all the "don't install Java if you don't need it" advice surrounding Flashback.K, I didn't - at least not until I discovered the hard way that Photoshop CS3 required Java.
One of Australia's most experienced IT writers, Stephen Withers has been using and writing about Macs since 1984. His journalistic resume includes stints as editor of Australian MacUser and as Macintosh section editor of PC Week. He has also managed a PC and Mac support operation at one of the country's leading universities, and is active in the Mac user group community.
