
drspringfield

macrumors newbie
Dec 11, 2009
18
0
This only affects the Java plug-in, right? That being blocked I can deal with. If the entire JDK/JRE is blocked, that is more problematic.

Correct, and only in Safari.

----------

Is there any way to know exactly WHEN Apple makes these "background updates"? Like... does it happen any time I connect to the App Store under the (Checking for) Updates tab? I'm not as paranoid about this, but I am curious to know when files are modified on my Mac.

One per day. You may turn it off in the Security prefpane.
 

Azathoth

macrumors 6502a
Sep 16, 2009
659
0
Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.

When Apple was managing Java on OS X, Apple did a piss-poor job and was weeks, months behind on security:
Here is one example, though I think there were others in 2011:

https://krebsonsecurity.com/2012/06/apple-oracle-ship-java-security-updates/

"Oracle is the official producer of Java, but Apple maintains its own version, and it has consistently lagged months behind Oracle in fixing security bugs. This failure on Apple’s part finally caught up with Mac OS X users earlier this year and turned into a major embarrassment for Apple, when the Flashback malware infected more than 650,000 Mac systems using a vulnerability that Oracle (but not Apple) had patched roughly two months earlier."

The current blocking (seems to only work in Safari, not FF, but ok) is probably good enough for most users.

My bank(s) and the German IRS (needed every month to file my taxes as a freelancer) both require Java, and on the Mac this has usually sucked badly, tending to run much better (i.e. just work) on my Windows VM.
 

jon08

macrumors 68000
Nov 14, 2008
1,885
104
I'm a bit confused. Should I also disable the "Java Applet Plug-In" in my Firefox then?
 

iWe

macrumors regular
Jul 18, 2012
152
0
Apple has already addressed it, as long as you are connected to the internet.
Actually, no. Researching this issue myself, I found these instructions for determining when my Plugin Black List was last updated:

http://osxdaily.com/2011/06/02/check-mac-malware-definition-list-update/

Following these instructions, I came up with 12 Dec 2012. Following the instructions to force updating, it now results in 10 Jan 2013. I presume I will need to repeat this method on all of my Macs, since very clearly automatic is not the answer, at least not for everybody. Also left out generally from this discussion is that the automatic security is not present in Pre-Lion systems if all of the security updates have not been installed.
Thanks!
 

sseaton1971

macrumors 6502
Feb 9, 2012
431
11
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.

This Java vulnerability is not limited to just OS X, correct? I don't know much about the Java platform, but I am guessing many of the "buggy and slow" experiences you have with Java could be due to crappy developers rather than just the platform itself.
 

sseaton1971

macrumors 6502
Feb 9, 2012
431
11
On my mac, this change is in XProtect.meta.plist, not XProtect.plist.

You are correct.

For a workaround, you can write a logout hook to disable the code that restricts the Java plugin, but you should be careful for the obvious security reasons.

Use PlistBuddy or some other command in your script to remove the "com.oracle.java.JavaAppletPlugin" key. That key is in the following file:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

You will need some sort of recurring script since XProtect periodically overwrites the contents of this file. If a user logs in and the Java plugin does not work (because of an XProtect update), the user can just log out and back in to invoke the script that removes the key. You could also have users run a command manually in Terminal, etc., when there is an XProtect update and the Java plugin becomes disabled.

----------

How do I re-enable the Java plugin? I don't mind having a warning, and I'll disable it again after I've done what I'm trying to do, but I can't find how to work around this block. Any ideas?

See the post above:

https://forums.macrumors.com/posts/16650023/

If you need help with this, I can send you a Terminal script to enable the plugin and another to re-enable the block.

----------

...which would help how? The vulnerability affects versions 4-7.

Why be so snarky? That bit of information was included in an update to the article. Perhaps the person asking about rolling back to version 6 posted comments prior to the update. Jeesh! :p
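One way to do the check iWe and sseaton1971 describe (when XProtect's list was last updated, and whether the Java plug-in key is present and what version it blocks) is to parse XProtect.meta.plist directly instead of reading it through PlistBuddy. This is an added Python example, not a script posted in the thread; the plist layout and the sample values are assumptions, and it only reports the state rather than editing the file.

```python
import plistlib
from email.utils import parsedate_to_datetime
from pathlib import Path
from typing import Optional

# File path named in the thread. The layout assumed below (PlugInBlacklist ->
# "10" -> bundle id -> MinimumPlugInBundleVersion, plus a top-level
# LastModification date) is an assumption made for this example.
XPROTECT_META = Path("/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist")
JAVA_PLUGIN = "com.oracle.java.JavaAppletPlugin"

# Constructed sample in that layout; the values are illustrative only.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastModification</key>
  <string>Thu, 10 Jan 2013 20:05:50 GMT</string>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.10.19</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def sample_meta() -> dict:
    """Parse the constructed sample (stand-in for the real file)."""
    return plistlib.loads(SAMPLE_META)

def load_meta(path: Path = XPROTECT_META) -> dict:
    """Read the real XProtect.meta.plist on a Mac that has one."""
    with path.open("rb") as fh:
        return plistlib.load(fh)

def version_tuple(version: str) -> tuple:
    """'1.7.10.19' -> (1, 7, 10, 19); '_' counts as '.', non-digits as 0."""
    return tuple(int(p) if p.isdigit() else 0
                 for p in version.replace("_", ".").split("."))

def java_minimum_version(meta: dict) -> Optional[str]:
    """Minimum allowed Java plug-in bundle version, or None if not listed."""
    for group in meta.get("PlugInBlacklist", {}).values():
        entry = group.get(JAVA_PLUGIN)
        if entry:
            return entry.get("MinimumPlugInBundleVersion")
    return None

def plugin_is_blocked(installed: str, minimum: Optional[str]) -> bool:
    """XProtect disables a plug-in whose bundle version is below the minimum."""
    return minimum is not None and version_tuple(installed) < version_tuple(minimum)

def list_age_days(meta: dict, now_rfc2822: str) -> float:
    """Days between LastModification and a reference time (RFC 2822 string).
    A large value means the daily background update is not arriving."""
    stamp = parsedate_to_datetime(meta["LastModification"])
    return (parsedate_to_datetime(now_rfc2822) - stamp).total_seconds() / 86400

if __name__ == "__main__":
    meta = load_meta() if XPROTECT_META.exists() else sample_meta()
    minimum = java_minimum_version(meta)
    print("XProtect list last modified:", meta["LastModification"])
    print("Java plug-in minimum version:", minimum or "not listed (plug-in not blocked)")
```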
 

dokujaryu

macrumors 6502
May 3, 2011
359
12
Irvine, California
I've been a J2EE engineer for about 5 years and I was a C/C++ backend / PHP frontend engineer for about 5 before that. But none of that is relevant since this is about the Java browser plugin, which I do not endorse. I also don't endorse Silverlight or ActiveX or many of the technologies that seek to deliver application features via a webpage by client program execution. I consider it to be too dangerous and I will always prefer the download and installation path. With all the misinformation in the responses to this article, I'm actually surprised no one has started blaming Oracle JavaScript.

On the debate->

Java is a fine language for both end-user applications and backend server web applications. The problem isn't really the language or the architecture, it's the programmers. Java is like the (airquotes) "new" Visual Basic. It's very easy to access and it breaks down a lot of barriers of entry for new programmers. Don't know what endian your processor is? Who cares! Don't understand memory management? No problem! Need a library? Throw it in a folder YOLO!!! These are just basic examples, but what it boils down to is people who have no business programming will succeed in writing somewhat functional software with it.

In my opinion, the argument that Java is slow is fairly dead in common usages of the language. People complain about things like performance when they've never really profiled well written code. In my tests, Java algorithms perform close to the same speed as C given a sufficiently long running process. In most cases the JVM can optimize many complex operations after it has been running for a few iterations (code warmup). In addition, few people take advantage of the performance features of Java such as NIO file access.

In addition, using Java in an enterprise context generally gives you something more important than performance: velocity. Today processors are sufficiently fast, memory is sufficiently cheap, and clustered blades scale sufficiently to allow companies (in general) to buy their way out of the performance argument for a lot less than hiring more engineers to optimize code. And besides, why would you spend money on engineers to optimize features that are already written when there's a huge backlog of features that haven't been written yet? So much of software isn't about actual software engineering, and only a subset of the software engineering concerns revolve around performance.

Granted, there is still no cure for stupid. Bad programming can ruin any language. The reason these criticisms about Java persist is that even poorly engineered code will probably still run. C/C++ would have a lot more compilation issues, stack overflows, segfaults, and other inescapable "crash" problems. Java's strict OO, exception system, and garbage collection allow bad engineers to ignore flaws more easily.
 

JosephAW

macrumors 603
May 14, 2012
5,958
7,913
Assuming this affects PPC Macs as well.

I'm assuming this vulnerability affects Power Macs running OS X as well. Although the Java exploit back in April of last year that tried to hack the PPC Mac using a binary it downloaded failed because it was i386-only code and not a universal binary, resulting in non-execution of the binary.
According to my Java-enabled Safari 5.0 running OS X 10.5.8, it has "Java 1.5.0_30 from Apple" installed by default and is easily disabled by the preference panel in Safari.
I tried to enable Java in the TenFourFox Firefox 17 config console but wasn't even able to do that, so I left all the extensions and plugins disabled by default. I'm sure Camino and Opera are as easy to switch off as well.
The real question remains if someone can exploit the Java that is physically installed in the operating system by running a java app through the command line vulnerability when files download and try to open automatically.
Eventually Java may need to be physically removed from the hard disk for a complete solution.
 

LOrion

macrumors newbie
Jan 12, 2013
1
0
California
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.

VERY confusing... What was the original headline, and what is the 'current' one?

----------

Both show that you block JAVA by using Safari Preferences > Security
and disabling the JAVA box. Not the other 3, RIGHT?

Please explain these things in NON TECHY Talk.

Mine was enabled and I have seen no warnings...what is all that warning mumbo jumbo about.

What do we do next, and please specify for Mountain Lion and Pre-ML OS X.
 

Mike1984

macrumors member
Oct 21, 2010
39
15
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.

you're full of ****.

----------

I've been a J2EE engineer for about 5 years and I was a C/C++ backend / PHP frontend engineer for about 5 before that. But none of that is relevant since this is about the Java browser plugin, which I do not endorse. I also don't endorse Silverlight or ActiveX or many of the technologies that seek to deliver application features via a webpage by client program execution. I consider it to be too dangerous and I will always prefer the download and installation path. With all the misinformation in the responses to this article, I'm actually surprised no one has started blaming Oracle JavaScript.

On the debate->

Java is a fine language for both end-user applications and backend server web applications. The problem isn't really the language or the architecture, it's the programmers. Java is like the (airquotes) "new" Visual Basic. It's very easy to access and it breaks down a lot of barriers of entry for new programmers. Don't know what endian your processor is? Who cares! Don't understand memory management? No problem! Need a library? Throw it in a folder YOLO!!! These are just basic examples, but what it boils down to is people who have no business programming will succeed in writing somewhat functional software with it.

In my opinion, the argument that Java is slow is fairly dead in common usages of the language. People complain about things like performance when they've never really profiled well written code. In my tests, Java algorithms perform close to the same speed as C given a sufficiently long running process. In most cases the JVM can optimize many complex operations after it has been running for a few iterations (code warmup). In addition, few people take advantage of the performance features of Java such as NIO file access.

In addition, using Java in an enterprise context generally gives you something more important than performance: velocity. Today processors are sufficiently fast, memory is sufficiently cheap, and clustered blades scale sufficiently to allow companies (in general) to buy their way out of the performance argument for a lot less than hiring more engineers to optimize code. And besides, why would you spend money on engineers to optimize features that are already written when there's a huge backlog of features that haven't been written yet? So much of software isn't about actual software engineering, and only a subset of the software engineering concerns revolve around performance.

Granted, there is still no cure for stupid. Bad programming can ruin any language. The reason these criticisms about Java persist is that even poorly engineered code will probably still run. C/C++ would have a lot more compilation issues, stack overflows, segfaults, and other inescapable "crash" problems. Java's strict OO, exception system, and garbage collection allow bad engineers to ignore flaws more easily.

Let's not get hysterical.
JavaScript itself, which Apple depends on for a host of application coding, is vulnerable to many security attacks.

http://www.slideshare.net/orysegal/clientside-javascript-vulnerabilities
 

Mike1984

macrumors member
Oct 21, 2010
39
15
bad java. baaaad java

If you want REAL SECURITY, you DISABLE all Client Side code, including JavaSCRIPT.
As Cross Site Scripting is the Worst Security Vulnerability out there.

Doing that, however, loses all the "cool" features.

The most secure sites run just JavaEE or Windows ASPX, with No client side libraries.
Nothing.
 

Huntn

macrumors Core
May 5, 2008
23,483
26,600
The Misty Mountains
If you want REAL SECURITY, you DISABLE all Client Side code, including JavaSCRIPT.
As Cross Site Scripting is the Worst Security Vulnerability out there.

Doing that, however, loses all the "cool" features.

The most secure sites run just JavaEE or Windows ASPX, with No client side libraries.
Nothing.

What kind of cool features do you lose? I've been using NoScript forever. Can you control java with that?
 

yg17

macrumors Pentium
Aug 1, 2004
15,027
3,002
St. Louis, MO
I've been a J2EE engineer for about 5 years and I was a C/C++ backend / PHP frontend engineer for about 5 before that. But none of that is relevant since this is about the Java browser plugin, which I do not endorse. I also don't endorse Silverlight or ActiveX or many of the technologies that seek to deliver application features via a webpage by client program execution. I consider it to be too dangerous and I will always prefer the download and installation path. With all the misinformation in the responses to this article, I'm actually surprised no one has started blaming Oracle JavaScript.

On the debate->

Java is a fine language for both end-user applications and backend server web applications. The problem isn't really the language or the architecture, it's the programmers. Java is like the (airquotes) "new" Visual Basic. It's very easy to access and it breaks down a lot of barriers of entry for new programmers. Don't know what endian your processor is? Who cares! Don't understand memory management? No problem! Need a library? Throw it in a folder YOLO!!! These are just basic examples, but what it boils down to is people who have no business programming will succeed in writing somewhat functional software with it.

In my opinion, the argument that Java is slow is fairly dead in common usages of the language. People complain about things like performance when they've never really profiled well written code. In my tests, Java algorithms perform close to the same speed as C given a sufficiently long running process. In most cases the JVM can optimize many complex operations after it has been running for a few iterations (code warmup). In addition, few people take advantage of the performance features of Java such as NIO file access.

In addition, using Java in an enterprise context generally gives you something more important than performance: velocity. Today processors are sufficiently fast, memory is sufficiently cheap, and clustered blades scale sufficiently to allow companies (in general) to buy their way out of the performance argument for a lot less than hiring more engineers to optimize code. And besides, why would you spend money on engineers to optimize features that are already written when there's a huge backlog of features that haven't been written yet? So much of software isn't about actual software engineering, and only a subset of the software engineering concerns revolve around performance.

Granted, there is still no cure for stupid. Bad programming can ruin any language. The reason these criticisms about Java persist is that even poorly engineered code will probably still run. C/C++ would have a lot more compilation issues, stack overflows, segfaults, and other inescapable "crash" problems. Java's strict OO, exception system, and garbage collection allow bad engineers to ignore flaws more easily.

Thank you. I'm a Java/J2EE developer too, and have had experience with other languages (as well as C and PHP, which you mentioned). It can be clunky for desktop applications, certainly not going to deny that, and poor programming only makes the problem worse. But for web, it's an excellent platform and I wouldn't want to code with anything else right now.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
When Apple was managing Java on OS X, Apple did a piss-poor job and was weeks, months behind on security:
Here is one example, though I think there were others in 2011:

https://krebsonsecurity.com/2012/06/apple-oracle-ship-java-security-updates/

"Oracle is the official producer of Java, but Apple maintains its own version, and it has consistently lagged months behind Oracle in fixing security bugs. This failure on Apple’s part finally caught up with Mac OS X users earlier this year and turned into a major embarrassment for Apple, when the Flashback malware infected more than 650,000 Mac systems using a vulnerability that Oracle (but not Apple) had patched roughly two months earlier."

The current blocking (seems to only work in Safari, not FF, but ok) is probably good enough for most users.

My bank(s) and the German IRS (needed every month to file my taxes as a freelancer) both require Java, and on the Mac this has usually sucked badly, tending to run much better (i.e. just work) on my Windows VM.

Prior to Flashback, malware leveraging Java in OS X wasn't exploiting Java without user interaction but required users to accept running an unsigned or self-signed Java applet.

In relation to Java-exploiting malware without user interaction, Java in OS X was never targeted until Java on other platforms became heavily targeted as well. This is despite the Apple-released Java lagging behind the mainstream Java.

The only protection in Java is the Java sandbox, which doesn't use the sandbox of the host OS, given the purpose of Java is to execute code; the host OS memory protections don't apply in relation to Java. Java-exploiting malware that doesn't require user interaction targets bypassing the Java sandbox to install payloads.

I think that this type of Java malware has become an issue more recently because malware developers have become more proficient at bypassing the Java sandbox. This type of Java-exploiting malware wasn't an issue during the time period where Java for OS X was supplied by Apple, at least until Flashback.

The final payload of Flashback was only installed on 10,000 of the infected targets despite the number of users infected with the initial payload.

Flashback was an ad-click hijacking malware where the attackers were actually serving the ads instead of altering legitimate ads on websites. So the attackers had bandwidth considerations to deal with which limited the amount of targets that could be served ads until more profit was earned. The threat wasn't in the wild long enough for the attackers to profit enough to inject the final payload and serve ads to everyone in the botnet.

Also being an ad-click hijacking malware, Flashback didn't cause any financial loss to individual users but only to organizations that serve ads.

But, Apple has removed the vector used to allow ad-click hijacking in OS X without password authentication so malware targeting this functionality is no longer able to install silently in OS X.

This threat, like all OS X malware, was overblown by those with a vested interest, such as anti-virus developers, and the media.

But this recent Javapocalypse shows that Java functionality within browsers represents a security issue to the point that users should avoid requiring Java functionality within the browser.

Switch to banks with web apps that don't require Java and lobby your government to no longer use Java for web services as well.
 

SteinMaster

macrumors 6502
Feb 28, 2009
260
0
USA
Is there anything I need to do to address this issue? I went into Safari>Preferences>Security and disabled (unchecked) Java. Do I also need to disable JavaScript? When I disable JavaScript, my web pages do not display properly. I know nothing about Java. I also searched the forum and didn't find recommendations.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,136
15,597
California
Is there anything I need to do to address this issue? I went into Safari>Preferences>Security and disabled (unchecked) Java. Do I also need to disable JavaScript? When I disable JavaScript, my web pages do not display properly. I know nothing about Java. I also searched the forum and didn't find recommendations.

All you need to do is uncheck Java. Leave JavaScript on, as it is not related to this threat.
 

PJMAN2952

macrumors regular
May 22, 2011
133
0
So what should I do? I downgraded to Java 7 so it would work with Google Chrome since it's not a 64 bit app. Am I safe? Should I update to the newest version?
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
So what should I do? I downgraded to Java 7 so it would work with Google Chrome since it's not a 64 bit app. Am I safe? Should I update to the newest version?

The public releases of Java versions 4 to 7 are not safe.

Apparently, the developer release of JDK 7u12 is safe.
 

jaster2

macrumors member
Jun 21, 2010
99
111
Java only blocked in Safari?

I ran into this problem yesterday before hearing about the Java vulnerability news. I was trying to run something within our institution which requires Java and it kept giving me an error. I launched Firefox and it worked fine. I just tested this on the java.com site and confirmed Java is disabled in Safari but running in Firefox on the same machine. That's much different than Apple completely "disabling" Java.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
I ran into this problem yesterday before hearing about the Java vulnerability news. I was trying to run something within our institution which requires Java and it kept giving me an error. I launched Firefox and it worked fine. I just tested this on the java.com site and confirmed Java is disabled in Safari but running in Firefox on the same machine. That's much different than Apple completely "disabling" Java.

Apple is just disabling Java in Safari until a fix is provided from Oracle. Apple is not disabling Java in general.

This has already been stated in this thread.
 