Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

murrayE · Jan 12, 2013

MacRumors said:
[url=http://cdn.macrumors.com/im/macrumorsthreadlogodarkd.png]Image[/url]

...Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

Should I have such an entry in Xprotect.plist with key MinimumPlugInBundleVersion under key com.oracle.java.JavaAppletPlugin even if I currently do not have any Java browser plut-in installed?

And how/when do such anti-malware settings get updated? Via normal OS X Software Update? via some daemon that runs at start-up? something else?

----------

murrayE said:
Should I have such an entry in Xprotect.plist with key MinimumPlugInBundleVersion under key com.oracle.java.JavaAppletPlugin even if I currently do not have any Java browser plut-in installed?

And how/when do such anti-malware settings get updated? Via normal OS X Software Update? via some daemon that runs at start-up? something else?

I note that Apple also has updated XProtect.meta.plist, in the same folder as Xprotect.plist, by setting MinimumPlugInBundleVersion for com.oracle.java.JavaAppletPlugin to be 1.7.10.19.

I had to manually get that update to occur right now (via Security preferences). Would it have happened next time I start up or re-start? Or does some daemon run periodically to do this?

munkery · Jan 12, 2013

It updates daily in the background.

It most likely functions in the same way as maintenance scripts such that scripts that don't run when scheduled due to sleep state or turned off are run upon waking or being turned on.

But your situation suggests that it is set to update at a specific time each day.

Obviously, the "Automatically update safe downloads list" setting must be turned on to receive those daily updates.

boodle · Jan 12, 2013

I figured it was something like this but I couldn't find any details on the plugin situation. It was driving me bonkers last night trying to get an unsigned Java app to run in Safari.

I eventually gave up and ran it in Firefox instead, which gave a warning but allowed me to continue.

jazz1 · Jan 12, 2013

No Java No Hulu?

Seems a while back there was a stand alone beta of a Hulu app. Does this use Java?

SeattleMoose · Jan 12, 2013

dokujaryu said:
I've been a J2EE engineer for about 5 years and I was a C/C++ backend / PHP frontend engineer for about 5 before that. But none of that is relevant since this is about the Java browser plugin, which I do not endorse. I also don't endorse Silverlight or Active X or many of the technologies that seek to deliver application features via. a webpage by client program execution. I consider it to be too dangerous and I will always prefer the download and installation path. With all the misinformation in the responses to this article, I'm actually surprised no one has started blaming Oracle JavaScript.

Granted, there is still no cure for stupid. Bad programming can ruin any language. The reason these criticisms about Java persist is that even poorly engineered code will probably still run. C/C++ would have a lot more compilation issues, stack overflows, segfaults, and other inescapable "crash" problems. Java's strict OO, exception system, and garbage collection allows bad engineers to ignore flaws more easily.

Well there you go, bringing experience and wisdom to a board full of pimply gamers and pseudo-intellectuals...how dare you!!!

PJMAN2952 · Jan 12, 2013

I just disabled Java on Google Chrome and on Safari.

----------

munkery said:
The public releases of Java versions 4 to 7 are not safe.
Apparently, the developer release of JDK 7u12 is safe.

Okay thanks. I just disabled Java on Chrome and Safari.

RMo · Jan 12, 2013

grahamperrin said:
Browsers such as Firefox do not respect the blockage.

Screenshots – the eighth demonstrates that whilst users of Safari are protected, users of Firefox may remain at risk with the Java 7 Update 10 that is blocked by Apple.

Funny, because I get... (see attached image)

EDIT: Perhaps this is Firefox's built-in mechanism to do something similar (although I thought it just disabled them) instead of Apple's?

munkery · Jan 12, 2013

RMo said:
Funny, because I get... (see attached image)

"Click here to activate the Java applet plugin"

I don't think Safari provides such an option.

vpro · Jan 12, 2013

Legion

on the move
if the Legion
are on the move
fine by me ^_^ move on by !

jb246 · Jan 12, 2013

Downgrade Java

I followed the Apple post to go back to Java 6 and things work great. I will update again when they fix the issue. I needed Java for work purposes and couldn't wait for any other issues.

Elzas · Jan 12, 2013

Morshu9001 said:
That's just Eclipse. It sucks!!! One of the worst things that happens is when it fails to acknowledge that certain files that I need exist, but I can't drag them in because they already "exist". In truth, they DO exist, but it can't see them and use them as resources for my code. So I have to take everything out then put it back in. Also, it deleted a bunch of my old assignments (not a problem, but scary) for no reason.

Haha, lol, a student is giving his sage wisdom.

Eclipse is a most excellent IDE. I know, I've been a software developer for over 25 years now and worked with pretty much all well-known IDE's out there with pretty much every well-known language out there. Eclipse was not that great in its infant years but these days it's rock solid: fast, reliable and very feature-complete. Naturally, use when applicable and pick the right tool for the job. But that should go without saying.

And for those people out there that are still on the "Java is slow" (true until the year 2000 when 1.3 was released) bandwagon, please do your homework before posting such rubbish. If it's real-world experience that you lack then at the very least check the Wikipedia entry first:

http://en.wikipedia.org/wiki/Java_performance#Comparison_to_other_languages

And just to quote one of the lines in that article:
"However, high performance computing applications written in Java have recently won benchmark competitions. In 2008[70] and 2009,[71][72] an Apache Hadoop (an open-source high performance computing project written in Java) based cluster was able to sort a terabyte and petabyte of integers the fastest."

gotluck · Jan 12, 2013

jb246 said:
I followed the Apple post to go back to Java 6 and things work great. I will update again when they fix the issue. I needed Java for work purposes and couldn't wait for any other issues.

I believe Java 6 has the same security flaw, see the bottom of the OP.

JadedRaverLA · Jan 12, 2013

munkery said:
The public releases of Java versions 4 to 7 are not safe.

Apparently, the developer release of JDK 7u12 is safe.

Do you have a source on that?

NIST lists JDK and JRE 6u35 and previous as being vulnerable. The latest Apple provided build for Macs is 6u37, and 6u38 is available for other platforms.

So, a fully up to date Java 6 installation "appears" to be safe from this attack.

gotluck said:
I believe Java 6 has the same security flaw, see the bottom of the OP.

I question the OP on that. It appears to be only Java 6 updates 35 and BELOW that are vulnerable, not the most recent updates.

munkery · Jan 12, 2013

JadedRaverLA said:
Do you have a source on that?

NIST lists JDK and JRE 6u35 and previous as being vulnerable. The latest Apple provided build for Macs is 6u37, and 6u38 is available for other platforms.

So, a fully up to date Java 6 installation "appears" to be safe from this attack.

I question the OP on that. It appears to be only Java 6 updates 35 and BELOW that are vulnerable, not the most recent updates.

Good catch but the Apple provided Java 6u37 doesn't support the browser plugin anyway so I don't see the point that you are trying to make?

Using 6u37 version of Java won't allow you to use Java web apps. So, 6u37 isn't a solution for those that want to use Java web apps while being safe from this vulnerability.

munkery · Jan 12, 2013

For those concerned, no payloads targeting OS X are associated with this vulnerability.

http://reviews.cnet.com/8301-13727_...xploiting-java-7-in-windows-and-unix-systems/

JadedRaverLA · Jan 12, 2013

munkery said:
Good catch but the Apple provided Java 6u37 doesn't support the browser plugin anyway so I don't see the point that you are trying to make?

Using 6u37 version of Java won't allow you to use Java web apps. So, 6u37 isn't a solution for those that want to use Java web apps while being safe from this vulnerability.

It's disabled by default, but can be turned on.

Code:

sudo ln -sf /System/Library/Frameworks/JavaVM.framework/Commands/javaws /usr/bin/javaws

Link to Apple Support site.

Works for me in Safari and Firefox using the test here.

munkery · Jan 12, 2013

JadedRaverLA said:
It's disabled by default, but can be turned on.

Code:

sudo ln -sf /System/Library/Frameworks/JavaVM.framework/Commands/javaws /usr/bin/javaws

Link to Apple Support site.

Works for me in Safari and Firefox using the test here.

Good find.

Hope this solution helps users that require the Java plugin.

Puevlo · Jan 12, 2013

I thought Macs were meant to be secure.

stickybuns · Jan 12, 2013

Does Java for iOS Safari need to be disabled as well? Thank you.

mentaluproar · Jan 12, 2013

stickybuns said:
Does Java for iOS Safari need to be disabled as well? Thank you.

I'm pretty sure it doesn't have Java, only Javascript. They sound similar but are entirely different technologies.

MacNut · Jan 12, 2013

So now we are supposed to use " safe download list". I thought we were supposed to turn that off because of a different security risk.

CharBroiled20s · Jan 12, 2013

camnchar said:
This is strange because Ellison and Jobs were supposedly good friends.

----------

Of course, unpatched security flaws from the previous release went a lot longer before they were fixed, so

your statement is especially relevant since this java exploit has been around since java version 4...

Morshu9001 · Jan 12, 2013

Puevlo said:
I thought Macs were meant to be secure.

They are. That's why Apple is blocking the Java browser plugin. I didn't read all the details about re-enabling it since it doesn't affect me.

Tech198 · Jan 12, 2013

needfx said:
bad java. baaaad java

Lol I agree..

Seems this is getting almost as bad as Flash.... (Maybe. More so)

Would this prevent this version from installing since its blacklisted?

iMichael! · Jan 12, 2013

Puevlo said:
I thought Macs were meant to be secure.

That's not the point.

This is a risk to everything, due to Java's Programing.

In that case i thought Windows and Linux were meant to be secure.

Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

macrumors member

macrumors 68020

macrumors regular

Contributor

macrumors 68000

macrumors regular

macrumors 65816

Attachments

macrumors 68020

macrumors 65816

macrumors newbie

macrumors newbie

macrumors 603

macrumors member

macrumors 68020

macrumors 68020

macrumors member

macrumors 68020

macrumors 6502a

macrumors 6502

macrumors 68000

macrumors Core

macrumors member

macrumors regular

Cancelled

macrumors regular

Our Staff