Third-party software is an ideal vector. The current exploit is triggered by a known flaw in Java, which was installed on every copy of OS X until the release of Lion (OS X 10.7) last summer. The flaw was reported in January and patched by Oracle in February, but the Apple version of Java didn’t get a patch until early April. So for several months, every Mac owner was vulnerable unless they took specific steps to remove or disable Java.
Perhaps this is why Canonical removed Java from the Ubuntu repositories (and replaced it with OpenJDK):
Oracle has published an advisory about security issues in the version of Java we currently have in the partner archive. Some of these issues are currently being exploited in the wild.
Due to the severity of the security risk, Canonical is immediately releasing a security update for the Sun JDK browser plugin which will disable the plugin on all machines. This will mitigate users’ risk from malicious websites exploiting the vulnerable version of the Sun JDK.