Two weeks ago we blocked vulnerable versions of the Java plugin on Windows and some Linux distributions. We haven’t followed up with the Mac OS X operating system for a couple of reasons.
One reason is that the Apple has already patched its Java software and the Software Update application is very effective doing its job. The other one is that there’s a bug in Firefox that prevents it from reloading plugin metadata after an update. This means that even if someone updates Java on Mac, Firefox will continue to say an old and vulnerable version is installed. This bug will be fixed in Firefox 12 and we will complete the block on Mac OS X after it is released on April 24th.
However, people who are using Mac OS X 10.5 and older won’t get the Java update, which means they will remain vulnerable unless they update their operating system or upgrade their hardware. For these users there’s no point in waiting, so we have blocked the Java plugin for them. This is a soft block, meaning that they are free to continue using the plugin if they choose to, at their own risk.