So Struts 2.3.15.1 which has the fix for this was released 16 July 2013. In fairness, it may be that Apple, being as big a target as they are, had little time to react before they were penetrated. But this really goes to show that when you are informed of a "highly critical" remote code execution vulnerability in one of your public-facing applications, you need to drop what you are doing, take the service offline immediately and start the process of upgrading/patching. You may literally have only minutes.
This reminds me of the post I saw on here, can't remember exactly what it was called, but the guy talked about putting servers up with a honey pot and at this point within hours they're getting scanned and probed.
He said it used to take days or weeks for that to happen. Now it's hours.
I used to work for the kind of companies that only use Struts+Spring+Hibernate, and it's simply appalling how many of their applications are running on year-old library versions with severe security flaws. One week is the median lead time for an emergency deployment.
