That disparity seems to validate Apple's 2010 decision to "deprecate" Java, or stop bundling the software with OS X. Lion was the first to omit Java, although users have been free to download and install it themselves.
The lower Flashback-infection rate on OS X Lion (at far right) shows Apple's decision to dump Java was a smart one. (Data: Doctor Web and Net Applications.)
Doctor Web did not connect those dots in its analysis, but the numbers make clear that versions of Mac OS X that included Java -- Snow Leopard and Leopard -- are much more likely to be infected by Flashback. Conversely, Lion -- by default, sans Java -- is significantly more resistant to the malware.
The Russian company's data also showed that many Mac users don't keep their machines up-to-date, something ZDNet blogger Ed Bott noted on Friday.
Twenty-four percent of the infected Snow Leopard Macs were at least one update behind, 10.4% were three or more behind, and 8.5% were four or more behind.
Lion users were no better patch practitioners: 28% were one or more updates behind.
Of course, not all Windows users patch, either. According to Qualys, which regularly examines several hundred thousand PCs, 5% to 10% of business Windows machines never receive any given update.
Qualys has seen some Microsoft updates ignored by 20% to 30% of Windows PCs for four months or longer.
But by Doctor Web's data, Mac users are even less likely to update promptly, or even at all. OS X 10.6.7, the second-to-last update for Snow Leopard, was first issued 13 months ago, yet 9% of the infected Snow Leopard Macs run that version.
To protect Snow Leopard and Lion systems from the Java-exploiting Flashback, users should launch Software Update from the Apple menu and download this month's Java updates. Software Update will also serve the newest version of those operating systems to Macs running outdated editions.
People running Leopard can disable Java in their browser(s) to stymie attacks.
Later this year, Oracle will release Java 7 for OS X. Mac users who upgrade to Java 7 will then receive security updates directly from Oracle, not from Apple.