Apple left 2008 Java vulnerabilities unpatched in 10.5.7
I've previously complained about Apple being slow to patch vulnerabilities, and not much seems to have changed in the intervening 17 months.
Mac OS X 10.5.7 arrived last week, but there was no update to protect against a Java security issue that was reported last August and fixed by Sun in December.
Is this important? You bet.
The vulnerability bypasses the Java sandbox and allows the execution of arbitrary code in a browser.
Normally, a Java applet running inside a browser has limited access to system resources. This vulnerability allows malware to break those chains and gain arbitrary privileges.
What's more, the vulnerability can be exploited in Java - no platform-dependent machine code, just plain Java.
So I've disabled Java in all of the browsers I use: Safari, Camino and Firefox.
If I find something that needs it, I'll cautiously and temporarily enable it.
I've written a more detailed discussion of this issue for iTWire.
One of Australia's most experienced IT writers, Stephen Withers has been using and writing about Macs since 1984. His journalistic resume includes stints as editor of Australian MacUser and as Macintosh section editor of PC Week. He has also managed a PC and Mac support operation at one of the country's leading universities, and is active in the Mac user group community.