Repeating the same sentence forever without any facts.
And where are your facts?
This only affects the Java plug-in, right? That being blocked I can deal with. If the entire JDK/JRE is blocked, that is more problematic.
Is there any way to know exactly WHEN Apple makes these "background updates"? Like... does it happen any time I connect to the App Store under the (Checking for) Updates tab? I'm not as paranoid about this, but I am curious to know when files are modified on my Mac.
Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
Thanks!
Actually, no. Researching this issue myself, I found these instructions for determining when my Plugin Black List was last updated:
Apple has already addressed it, as long as you are connected to the internet.
http://osxdaily.com/2011/06/02/check-mac-malware-definition-list-update/
Following these instructions, I came up with 12 Dec 2012. Following the instructions to force updating, it now results in 10 Jan 2013. I presume I will need to repeat this method on all of my Macs, since very clearly automatic is not the answer, at least not for everybody. Also left out generally from this discussion is that the automatic security is not present in pre-Lion systems if all of the security updates have not been installed.
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
On my mac, this change is in XProtect.meta.plist, not XProtect.plist.
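Added example, not part of the thread: a sketch of how the plug-in block discussed in these comments can be checked from a copy of `XProtect.meta.plist`. It assumes the file carries a `LastModification` date and a `PlugInBlacklist` dictionary that maps a bundle ID to a `MinimumPlugInBundleVersion`; the sample plist, its date and its version numbers are constructed, and the function names are hypothetical.

```python
import plistlib
from email.utils import parsedate_to_datetime

# Constructed sample, NOT a real XProtect.meta.plist. Key names are assumptions.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastModification</key><string>Thu, 10 Jan 2013 12:00:00 GMT</string>
  <key>PlugInBlacklist</key>
  <dict><key>10</key><dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>1.7.99.1</string></dict>
  </dict></dict>
</dict>
</plist>"""

def version_key(version, width=6):
    """Turn '1.7.10.19' into a zero-padded tuple so '1.7' < '1.7.0.1' compares correctly."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def check_plugin(meta_bytes, bundle_id, installed_version):
    """Report when the list was last updated and whether this plug-in version is blocked."""
    meta = plistlib.loads(meta_bytes)
    updated = parsedate_to_datetime(meta["LastModification"])
    minimum = None
    # The blacklist is grouped under an outer key; scan every group for the bundle ID.
    for rules in meta.get("PlugInBlacklist", {}).values():
        rule = rules.get(bundle_id)
        if rule:
            minimum = rule.get("MinimumPlugInBundleVersion")
    # A plug-in is blocked only if a minimum exists and the installed build is older.
    blocked = minimum is not None and version_key(installed_version) < version_key(minimum)
    return {"list_updated": updated.date().isoformat(),
            "minimum": minimum, "blocked": blocked}

if __name__ == "__main__":
    # Installed version below is a constructed value for the demo.
    print(check_plugin(SAMPLE_META, "com.oracle.java.JavaAppletPlugin", "1.7.10.19"))
```

A bundle ID that has no entry in the list comes back with `minimum` set to `None` and `blocked` set to `False`, which is why a block on the browser plug-in says nothing about other software on the machine.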
How do I re-enable the Java plugin? I don't mind having a warning, and I'll disable it again after I've done what I'm trying to do, but I can't find how to work around this block. Any ideas?
...which would help how? The vulnerability affects versions 4-7.
com.oracle.java.JavaAppletPlugin = Browser plug-in.
Apple has not blocked Java 7 on OS X.
Please correct the headline ASAP before this thread becomes a major flamewar.
I've been a J2EE engineer for about 5 years and I was a C/C++ backend / PHP frontend engineer for about 5 before that. But none of that is relevant since this is about the Java browser plugin, which I do not endorse. I also don't endorse Silverlight or ActiveX or many of the technologies that seek to deliver application features via a webpage by client program execution. I consider it to be too dangerous and I will always prefer the download and installation path. With all the misinformation in the responses to this article, I'm actually surprised no one has started blaming Oracle JavaScript.
On the debate->
Java is a fine language for both end-user applications and backend server web applications. The problem isn't really the language or the architecture, it's the programmers. Java is like the (airquotes) "new" Visual Basic. It's very easy to access and it breaks down a lot of barriers of entry for new programmers. Don't know what endian your processor is? Who cares! Don't understand memory management? No problem! Need a library? Throw it in a folder YOLO!!! These are just basic examples, but what it boils down to is people who have no business programming will succeed in writing somewhat functional software with it.
In my opinion, the argument that Java is slow is fairly dead in common usages of the language. People complain about things like performance when they've never really profiled well written code. In my tests, Java algorithms perform close to the same speed as C given a sufficiently long running process. In most cases the JVM can optimize many complex operations after it has been running for a few iterations (code warmup). In addition, few people take advantage of the performance features of Java such as NIO file access.
In addition, using Java in an enterprise context generally gives you something more important than performance: velocity. Today processors are sufficiently fast, memory is sufficiently cheap, and clustered blades scale sufficiently to allow companies (in general) to buy their way out of the performance argument for a lot less than hiring more engineers to optimize code. And besides, why would you spend money on engineers to optimize features that are already written when there's a huge backlog of features that haven't been written yet? So much of software isn't about actual software engineering, and only a subset of the software engineering concerns revolve around performance.
Granted, there is still no cure for stupid. Bad programming can ruin any language. The reason these criticisms about Java persist is that even poorly engineered code will probably still run. C/C++ would have a lot more compilation issues, stack overflows, segfaults, and other inescapable "crash" problems. Java's strict OO, exception system, and garbage collection allow bad engineers to ignore flaws more easily.
bad java. baaaad java
If you want REAL SECURITY, you DISABLE all Client Side code, including JavaSCRIPT.
As Cross Site Scripting is the Worst Security Vulnerability out there.
Doing that, however, loses all the "cool" features.
The most secure sites run just JavaEE or Windows ASPX, with No client side libraries.
Nothing.
When Apple was managing Java on OS X, Apple did a piss-poor job and was weeks, months behind on security:
here is one example, though I think there were others in 2011:
https://krebsonsecurity.com/2012/06/apple-oracle-ship-java-security-updates/
"Oracle is the official producer of Java, but Apple maintains its own version, and it has consistently lagged months behind Oracle in fixing security bugs. This failure on Apple's part finally caught up with Mac OS X users earlier this year and turned into a major embarrassment for Apple, when the Flashback malware infected more than 650,000 Mac systems using a vulnerability that Oracle (but not Apple) had patched roughly two months earlier."
The current blocking (seems to only work in Safari, not FF, but ok) is probably good enough for most users.
My bank(s) and the German IRS (needed every month to file my taxes as a freelancer) both require Java, and on the Mac this has usually sucked badly, tending to run much better (i.e. just work) on my Windows VM.
Is there anything I need to do to address this issue? I went into Safari>Preferences>Security and disabled (unchecked) Java. Do I also need to disable JavaScript? When I disable JavaScript, my web pages do not display properly. I know nothing about Java. I also searched the forum and didn't find recommendations.
So what should I do? I downgraded to Java 7 so it would work with Google Chrome since it's not a 64 bit app. Am I safe? Should I update to the newest version?
I ran into this problem yesterday before hearing about the Java vulnerability news. I was trying to run something within our institution which requires Java and it kept giving me an error. I launched Firefox and it worked fine. I just tested this on the java.com site and confirmed Java is disabled in Safari but running in Firefox on the same machine. That's much different than Apple completely "disabling" Java.