
Bubba Satori

Suspended
Feb 15, 2008
4,726
3,756
B'ham
And the anti Apple comments will begin right about now...

But not before the Pavlovian faithful start chanting their pre-emptive counter spells. :rolleyes:

Maybe you want to help this person out, now that you've done your duty.

Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!
 

sonynair

macrumors newbie
Jun 15, 2012
11
2
London, UK
They are also blocking Apple Java 1.6! Don't know where XProtect.meta.plist screenshot is from, but that is not what Apple pushed out this morning.

Here's what it really is!

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_37-b06-435</string>
	<key>LastModification</key>
	<string>Thu, 31 Jan 2013 04:41:14 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.3.300.271</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.11.22</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>2028</integer>
</dict>
</plist>

To re-enable Apple Java 1.6:

Code:
sudo /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

or

Code:
sudo defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist JavaWebComponentVersionMinimum \"1.6.0_37-b06-434\"

To re-enable Oracle Java 1.7u11 edit the "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist" using vi in Terminal and change:

Code:
<string>1.7.11.22</string>
to:
Code:
<string>1.7.11.19</string>

I posted the block on Twitter when I noticed it this morning.
https://twitter.com/sonynair/status/296935103383347201

Hope that helps someone!
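An added example, not part of the original post: a short Python audit that reads the version minimums out of an XProtect.meta.plist like the one above and reports which installed components fall below them. The `JavaWebComponent` label, the installed versions, and the "block when installed is lower than the minimum" comparison are assumptions made for illustration.

```python
import plistlib
import re

# Constructed sample carrying the keys and values of the plist posted above.
META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>JavaWebComponentVersionMinimum</key><string>1.6.0_37-b06-435</string>
  <key>PlugInBlacklist</key>
  <dict><key>10</key><dict>
    <key>com.macromedia.Flash Player.plugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>11.3.300.271</string></dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>1.7.11.22</string></dict>
  </dict></dict>
  <key>Version</key><integer>2028</integer>
</dict></plist>"""


def version_key(text):
    """Turn '1.6.0_37-b06-435' into (1, 6, 0, 37, 6, 435) so versions sort."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def minimums(meta_bytes):
    """Map each plug-in bundle ID (and the Java web component) to its minimum."""
    meta = plistlib.loads(meta_bytes)
    out = {}
    if "JavaWebComponentVersionMinimum" in meta:
        # "JavaWebComponent" is a hypothetical label used only in this example.
        out["JavaWebComponent"] = meta["JavaWebComponentVersionMinimum"]
    # Walk every group under PlugInBlacklist (the posted file has one, "10").
    for group in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in group.items():
            if "MinimumPlugInBundleVersion" in rule:
                out[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return out


def blocked(meta_bytes, installed):
    """Return {name: (installed, required)} for entries below their minimum."""
    mins = minimums(meta_bytes)
    return {name: (ver, mins[name]) for name, ver in installed.items()
            if name in mins and version_key(ver) < version_key(mins[name])}


if __name__ == "__main__":
    # Constructed inventory of installed versions.
    inventory = {"JavaWebComponent": "1.6.0_37-b06-434",
                 "com.oracle.java.JavaAppletPlugin": "1.7.11.21",
                 "com.macromedia.Flash Player.plugin": "11.5.502.146"}
    for name, (have, need) in blocked(META_PLIST, inventory).items():
        print(f"{name}: installed {have} is below minimum {need}")
```
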
 

jwkay

macrumors regular
Sep 6, 2004
101
12
Bergen, Norway
What could the risk be using Java to access your bank account?

Java is just one tiny part of the BankID security system. I wish they'd ditch it, but that's not going to happen quickly. The layers of security beyond Java aren't threatened by the Java holes, apparently, and they claim there's no threat from Java in the way it's implemented into a bigger solution. I don't know the technicalities, just that for better or worse, we need it.
 

gazonk

macrumors member
Jan 1, 2009
57
6
Do you have even the tiniest shred of evidence that the current vulnerability is being exploited in the wild, by reputable sites, with a payload that isn't aimed purely at windows machines?

The current vulnerability is probably not very different from the previous, so it can be just a question of hours before it suddenly appears in ads on "reputable sites" like it did with the previous version.

However, your point about Windows machine is good. I haven't heard of any actual attacks on OS X in the wild yet - anyone?

----------

Java is just one tiny part of the BankID security system. I wish they'd ditch it, but that's not going to happen quickly. The layers of security beyond Java aren't threatened by the Java holes, apparently, and they claim there's no threat from Java in the way it's implemented into a bigger solution. I don't know the technicalities, just that for better or worse, we need it.

The silly PHBs of BankID completely miss the point! It's not about BankID security, it's about forcing all computer users in an entire nation to leave Java enabled in their browsers and thus making their computers far more vulnerable than they would have been if those PHBs hadn't insisted on implementing an applet where none is needed.
 

edvj

macrumors regular
Aug 7, 2011
201
278
Fredensborg,Denmark
Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!

We have the same problem in Denmark, ours is called NemID..pretty much everything is based on NemID when you need to get in contact with local authorities, banking services..etc
About NemID
 

gazonk

macrumors member
Jan 1, 2009
57
6
The silly PHBs of BankID completely miss the point! It's not about BankID security, it's about forcing all computer users in an entire nation to leave Java enabled in their browsers and thus making their computers far more vulnerable than they would have been if those PHBs hadn't insisted on implementing an applet where none is needed.

Btw: Important hint to Norwegian users: Many banks (at least this applies to giant DnB) will deactivate your BankID if you ask them to. Their web apps will then run much faster and smoother since you don't have to load that silly applet :)
 

DaveTheRave

macrumors 6502a
May 22, 2003
782
369
Also would like to know. Tried Firefox with no success.:confused:

I downloaded the current version and installed several times but that didn't work. Finally closed all browsers before installing again and took a look at Firefox's Tools/Add-ons menu to make sure Java is still enabled. Then I tried the work site I need to use and this time it finally worked (also saw a Firefox warning asking me if I wanted to enable Java, although I thought it already was enabled). Strange. Anyway it finally worked.

Totally agree with some of the comments here. Totally irresponsible for Apple to block this critical function without commenting on it or advising on a workaround, override, etc. I need Java so I can work at home and access my work PC (I work for a large bank). This is the only way I can work remotely.
 

doelcm82

macrumors 68040
Feb 11, 2012
3,747
2,766
Florida, USA
Do you really do most of the work on your computer with Java plug-in applets? My understanding is that, like last time, regular desktop applications (JARs, including those launched as part of a packaged APP bundle) will work fine.

Yes. Yes I do.

Next question?
 

JetLaw

Cancelled
Jan 21, 2009
246
750
Java on 10.6 and before stopped working entirely. I have a standalone Java app I use on 10.4.11 and one day it just up and stopped working. Java says Apple is responsible for updating and of course Apple has not updated it either. This is a black hole because something that worked and was trusted by being rare and obscure, no longer works and I had no choice to "opt out."

Unless someone here has a suggestion.

Rocketman

...Except that a standalone Java app would not be affected in any way whatsoever by disabling the Java web plugin.
 

koban4max

macrumors 68000
Aug 23, 2011
1,582
0
I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.

As much as I hate Apple doing this... you need to move to PC if that's the case.
 

pmz

macrumors 68000
Nov 18, 2009
1,949
0
NJ
Difference between Java plug-in and Java run-time environment on the Mac.

They are not the same thing.

Java plugins in Safari: blocked.
Photoshop CS3: still works fine

Wake me up when Apple starts blocking up-to-date Flash.
 

Bubba Satori

Suspended
Feb 15, 2008
4,726
3,756
B'ham
Flash, Java, what's next? Internet access to Apple approved sites only?


Just got a warning notification from a mod.

What could that be about? :eek::D;):cool:

If I suddenly disap
 

pmz

macrumors 68000
Nov 18, 2009
1,949
0
NJ
I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.

Oh yeah, it's really "professional" to leave your users vulnerable to crippling attack, privacy invasion, etc. etc.

THAT is the Microsoft definition of "professionalism". The moment you turn it on, you're at risk of losing everything.
 

tigres

macrumors 601
Aug 31, 2007
4,213
1,326
Land of the Free-Waiting for Term Limits
Classic "if it doesn't affect me, it's not important".

This has stopped my company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.

Could not agree more.
I was just on my 401k website attempting to make changes.
Now I know why I could not do it.

I see a lot of java required sites in my business of finance; I guess we are the only ones who use it heavily?

Whatever the reason, it is making my life difficult.
 

guzhogi

macrumors 68040
Aug 31, 2003
3,735
1,824
Wherever my feet take me…
This is a real pain. I work for a school district and the software we use for the online gradebook uses Java. So now teachers can't update their grades. Plus, it's not that easy just to switch software platforms.

I understand Apple wanting to keep its platform secure and not degrade its good name, but users & companies really need the option to easily override these blocks.
 

supham

macrumors newbie
Mar 1, 2010
23
0
What a pain in the ass. Who cares that we use ADP for our time off / scheduling....
 

unplugme71

macrumors 68030
May 20, 2011
2,827
754
Earth
Why can't Apple just pop up a dialogue window that says Java may have security issues instead of disabling it?
 

Ralf The Dog

macrumors regular
May 1, 2008
192
0
Now, we are having trouble processing checks. If this keeps up, we will be forced to send someone to the bank with a stack of checks in a bag.

Welcome back to the 20th Century.
 

randallking

macrumors member
Sep 29, 2009
39
5
The article by MacRumors states that it's unknown why Apple took this step. I received an email advisory from MS-ISAC on January 28th which spoke of a new vulnerability. I am pasting it below.

--

MS-ISAC ADVISORY NUMBER:
2013-008 - UPDATED

DATE(S) ISSUED:
01/28/2013

SUBJECT:
Security Bypass Vulnerability in Oracle Java Runtime Environment Could Allow Remote Code Execution

OVERVIEW:
A vulnerability has been discovered in Oracle Java Runtime Environment (JRE) that can lead to remote code execution. The Java Runtime Environment is used to enhance the user experience when visiting websites and is installed on most desktops and servers. This vulnerability may be exploited if a user visits or is redirected to a specifically crafted web page. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the JRE application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely result in denial-of-service conditions.

SYSTEM AFFECTED:
Oracle JRE 1.7.0 Update 10, prior versions may also be affected.

UPDATED SYSTEM AFFECTED:
• Oracle JRE 1.7.0 Update 11, prior versions may also be affected.

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
A vulnerability has been discovered in Oracle Java Runtime Environment that can lead to remote code execution. In order to exploit this vulnerability, an attacker must first create a web page with a specially crafted applet designed to leverage this issue. When the web page is visited, the attacker supplied code is run in the context of the affected application.

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the JRE application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely result in denial-of-service conditions.

Please note that there is no patch available from Oracle to mitigate this vulnerability at this time and this vulnerability is being sold in the underground markets.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply the patch from Oracle, after appropriate testing, as soon as one becomes available.
• Consider disabling Java completely on all systems until a patch is available.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
• Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

REFERENCES:

Security Focus:
http://www.securityfocus.com/bid/57563

Full Disclosure:
http://seclists.org/fulldisclosure/2013/Jan/241

Multi-State Information Sharing and Analysis Center
31 Tech Valley Drive, Suite 2
East Greenbush, NY 12061
(518) 266-3460
1-866-787-4722
soc@msisac.org
 

dexx0008

macrumors member
Sep 28, 2007
71
0
Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.

this.
 

derbladerunner

macrumors 6502
Sep 15, 2005
322
78
This is unacceptable silent communication or rather lack of communication.

There should at least be visible hints/error messages and there should be a way to manually override this for experienced users.

Many online brokers use Java and WebStart. There are people trading with lots of $ who couldn't start their broker applications today.

There was no way to find this error easily unless you go into the console, this is complete mis-communication on Apple's part.
 