Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

sseaton1971

macrumors 6502
Feb 9, 2012
431
11
You an disable the Xprotect auto updates under system preferences - security - general - advanced - untick automatically update safe download list

But that also affects the list of malware in XProtect.plist, correct? The solution I use only disables the Flash and Java blocks in XProtect.meta.plist. I don't want to stop Apple from updating the list of malware.
 

iVoid

macrumors 65816
Jan 9, 2007
1,145
190
What worries me the most is that unlike the last Java block, this one is affecting Snow Leopard users.

And as far as I can see, Oracle only supports 1.7.2+ with Java 7.

So Snow Leopard users are completely out of luck for Java plug-ins now unless the hack the xprotect file?
 

doelcm82

macrumors 68040
Feb 11, 2012
3,737
2,757
Florida, USA
Then you don't really need OS X to do it, so you can work around it. :)

(I'd also seriously reconsider anything that makes me depend on a Java applet without providing a more accessible method of access.)

I did work around it by downloading Firefox.

I prefer OS X, and I prefer Safari. But if I can't do my job with them, I'll use something else. You are right that I don't need Apple products. You are so very, very right.
 

Tiger8

macrumors 68020
May 23, 2011
2,479
649
I still think that's a dumb and vulnerable approach, but I understand that it's frustrating that you can't get work done as a result.

:confused: I'm sorry, but I don't think you get it. For high interactivity applications JRE or a variation of it is the way to go. Your other web-only choices are limited to:
- Microsoft ActiveX (horrible)
- Flash (check out the late Mr Jobs about Flash)
- (Recently) HTML5 - which anyway requires JQuery or some sort of a backend technology to support it.

Otherwise, you need to develop native applications which is so 1999 for desktops (I know it is hot in mobile world). Enterprise is moving to zero footprint web-only applications.

Java was fine before Oracle, they went downhill since Oracle bought Sun
 

patchfp86

macrumors newbie
Oct 9, 2011
7
0
Out with the old

Ya know, I am actually surprised at the number of online courses/test preps that still rely on Java applets. I just sat down to take a practice MCAT and I obviously cannot. Companies need to kick Java and start looking at HTML5/modern coding that allows easy access. This Java business is getting insane. It has nothing to do with Apple either. They dropped it cause it sucks and is archaic. While its not fun, some companies need to get with the program.
 

PaulKemp

macrumors 6502a
Jun 2, 2009
568
124
Norway
Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!

This is ridiculous. Apple is blocking all Norwegian Mac users from using their online banking system. Nad everybody younger than 70 years is using. Online banking in Norway had 50% user penetration - in 2007!

Chrome is neither a option.
 

bryanzak

macrumors member
Feb 27, 2002
92
14
Have you found a way to disable XProtect (Automatically update safe downloads list) through command line means? I cannot seem to find what plist this is modifying. This has been driving me nuts for weeks.

Yeah I've been trying to find out how to do this too. We could use login scripts or something along those lines, but would rather not for a number of reasons.

I have been completely unable to find out what bits on the disk are changed when toggling the auto update safe downloads option.
 

TylerL

macrumors regular
Jan 2, 2002
207
291
Best of Both Worlds

At my school district, we want to use Java 1.6 for a single Gradebook app, but we also want to keep XProtect running (in case there's a malware outbreak of another kind).
So, I've tweaked the /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist file with some of sonynair's fancy PlistBuddy snippet.
This way, whenever XProtect gets updated on any of our computers, it gets patched immediately and automatically.

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>StartInterval</key>
	<integer>86400</integer>
	<key>Label</key>
	<string>com.apple.xprotectupdater</string>
	<key>ProgramArguments</key>
	<array>
                <string>sh</string>
                <string>-c</string>
                <string>/usr/libexec/XProtectUpdater ; /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>
 

RayK

macrumors 6502
Oct 13, 2005
345
15
Yeah I've been trying to find out how to do this too. We could use login scripts or something along those lines, but would rather not for a number of reasons.

I have been completely unable to find out what bits on the disk are changed when toggling the auto update safe downloads option.

What TylerL does is similar to mine. I just unload the updater. It unchecks the box in System Preferences.

The script below reenables the java plugin after you install Apple's Java update 2012-006. I updated it to kill XProtect.

Here's my script:

Code:
do shell script "rm /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
rm /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
sudo /usr/libexec/XProtectUpdater
launchctl unload -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist" with administrator privileges
do shell script "rm -r -f /Library/Internet\\ Plug-Ins/disabled
mkdir -p /Library/Internet\\ Plug-Ins/disabled
mv /Library/Internet\\ Plug-Ins/JavaAppletPlugin.plugin /Library/Internet\\ Plug-Ins/disabled
ln -sf /System/Library/Java/Support/Deploy.bundle/Contents/Resources/JavaPlugin2_NPAPI.plugin /Library/Internet\\ Plug-Ins/JavaAppletPlugin.plugin
ln -sf /System/Library/Frameworks/JavaVM.framework/Commands/javaws /usr/bin/javaws
/usr/libexec/PlistBuddy -c 'Delete :JavaWebComponentVersionMinimum' /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
" with administrator privileges
activate
display dialog "Java 6 Web Plug-In should now function! XProtect is now disabled." buttons {"OK"} default button "OK"
 

MagnusVonMagnum

macrumors 603
Jun 18, 2007
5,193
1,442
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

How nice for you. Some people actually need Java for their work or other uses. Hell, some people even paid Pogo.com to use their gaming site ad-free for the year and Apple comes along and makes it UNUSABLE without some dancing about workarounds that NO ONE should have to bother with. How about a freaking WARNING and a simple override button. At what point does being treated like kindergarten students become unacceptable? I don't use Java anywhere else except for my Brother printer management software, so I think a single exception to a trusted web site shouldn't be such a huge issue, really.

On the other hand, I just tested Java SE7 Update 11 in both Safari and Firefox and it still works in both here (A security warning comes up and asks me if I want to run the app in question but when I click run it still runs including Pogo.com) so I have to wonder about the accuracy of this article.

Apple seems to be clueless when it comes to their business customers.

This is really ridiculous. This causes as much damage for some as a potential virus attack.

You got my up-vote. That is a PERFECT way of describing their interference. They are doing more damage than any hacker out there because it's to ALL systems, not just one visiting a bad site that gets click approved by a clueless user. Yeah, I want to run that "StealMyIdentity" Java App I found on a random web site! CLICK YES! Whoops! What happened? :rolleyes:

Flash, Java, what's next? Internet access to Apple approved sites only?

No, I think access only to Apple approved applications will be next on the list using Gatekeeper and the App Store to enforce it. The writing has been on the wall for a long time now and since most Apple users just roll over and take it any time Apple does something unacceptable I'm sure they'll never make a stink about it like they did with the iPhone's antenna reception since obviously moving your finger to get reception to work in some cases is SO much worse than not being able to access your bank account. :rolleyes:
 
Last edited:

gazonk

macrumors member
Jan 1, 2009
57
6
This is ridiculous. Apple is blocking all Norwegian Mac users from using their online banking system. Nad everybody younger than 70 years is using. Online banking in Norway had 50% user penetration - in 2007!

Chrome is neither a option.

The right way to view this is that BankID is blocking all Norwegian computer users from using their machines in a reasonably safe way.

But fortunately, if you're not using one of the banks that have implemented the banking interface itself as a java applet, give them a call and ask them to deactivate your BankID. I did a couple of weeks ago - what a relief to get rid of the junk!
 

DaveTheRave

macrumors 6502a
May 22, 2003
782
368
Your Banks IT department should be aware and should have notified you.

You would also think that a Bank is particularly security conscious and would provide you with a remote access solution that did not rely on Java.

The exploit is serious.

Oh...so you think Apple contacted my company's IT department to tell them they were going to disable Java?
 

derek

macrumors member
Aug 3, 2001
71
98
Syracuse, NY
Avoid Java In All Cases; Kill It Off The Internet; Oracle Sucks

They are also blocking Apple Java 1.6! Don't know where XProtect.meta.plist screenshot is from, but that is not what Apple pushed out this morning.

Here's what it really is! . . .

Hope that helps someone!

I hope that doesn't get someone's Mac PWNed.

Most likely, all of us here are responsible users, as opposed to LUSERS. Nonetheless, I don't want anyone, except those in dire need or who know how to responsibly avoid malware, knowing how to bypass Apple's wisdom here.

Yes, Apple want to maintain a reputation as being proactive against Apple-user targeted malware. They also don't want any LUSER lawsuits against them. But I also believe Oracle is too stupid and lazy to ever take their severe Java security hell seriously.

Therefore, the sooner Java is killed off the Internet, the better for everyone.

Conspiracy theorists who think they're being shoved into another Apple proprietary 'walled garden' can bite themselves. Computer security takes precedence over your paranoia or ignorance.
 
Last edited:

Mike1984

macrumors member
Oct 21, 2010
39
15
Apple should just buy Java.

Exactly.
If they're such control freaks, they should be in the user community fixing the issues.
And developing support for Retina display and add Java classes for native functionality.

----------

How does HTTPS have anything to do with Java Applets?

Conversely, I could create a dummy web site, use HTTPS, and write a 'rogue' java applet which takes over your machine.

Then you'd be a hacker with a REGISTERED Certificate for your server.
Whereby you could be held liable for your damage.
You wouldn't be anonymous.
 

pmjoe

macrumors 6502
Mar 27, 2009
468
36
Companies need to kick Java and start looking at HTML5/modern coding that allows easy access.
HTML5 + JavaScript + whatever is on the server backend is hardly "modern coding", it's a sad, arcane state that hopefully the software industry will find a way to grow past.
 

sectime

macrumors 6502a
Jul 29, 2007
530
0
This is too funny


I went to www.icloud.com to make some changes to my account - which for some reason, the icloud site uses JavaScript!

Of course Safari blocks access to it. The screenshot was from Safari.

(I think MacRumors uses Java to submit reply's too.....)
You know Java exploit and Javascript in Safari are two different things? Javascript is not blocked by Apple. At least on the ten machines at my workplace.
 

snoop92679

macrumors newbie
Feb 11, 2008
9
0
No One is Asking Why Apple is Blocking Java...

I'm totally guessing, but this remote blocking of JAVA on end user computers without any notice is based on national security. My bet is that Anonymous has been able to break into Justice Department and other US computer systems as revenge for the death of Aaron Swartz. What the prosecutor did to that guy is so outrageous and shameful - it makes me sick to my stomach to have Obama and his jack booted goons as our president.
 

haruhiko

macrumors 604
Sep 29, 2009
6,529
5,874
This is ridiculous. Apple is blocking all Norwegian Mac users from using their online banking system. Nad everybody younger than 70 years is using. Online banking in Norway had 50% user penetration - in 2007!

Chrome is neither a option.

It seems to me that relying on a third party platform like Java for crucial systems like online banking is not a very great idea. The user interface should be transparent to the user and doesn't require any plug-ins. Most online banking / transaction system here in Hong Kong completely ditched the requirement of Java browser plug-in recently.
 

Tech198

Cancelled
Mar 21, 2011
15,915
2,151
I agree, it is ridiculous that Apple is cleaning up someone else's continuous mess, in this case (Oracle's)

Could't Apple do its own Java.... period ? That way only they will control it, and most importantly, it will always be more secure. It can't be any less secure than what we currently have.
 

pmz

macrumors 68000
Nov 18, 2009
1,949
0
NJ
Nothing about your post is accurate.

Right exactly, disabling a major threat to a user's computer is somehow LESS professional than knowingly leaving users open to exploits > viruses > loss of data.

Gotcha. Accuracy.
 

MacMan988

macrumors 6502a
Jul 7, 2012
832
116
How do they block and unblock ? Do they send any updates through App Store? I did not get any kind of updates from Apple.
 

McSev2010

macrumors newbie
Jan 31, 2013
2
0
I have been stewing about this all day. And this is probably one of the few posts I'll ever make to a forum.

I don't understand how Apple can just flip the switch with NO notification to the user. I own my Mac -- and I paid for my o/s. If Microsoft did such a thing, people would be outraged about infringement of their personal liberties. Why does Apple think I am so stupid that I can't turn off Java myself if I want to?
 

derek

macrumors member
Aug 3, 2001
71
98
Syracuse, NY
Exactly.
If they're such control freaks, they should be in the user community fixing the issues.

Apple IS in the user community, contributing to the Mac version of the JRE. You're ignorant.

And since when does attention to Mac user security = being 'control freaks'? You're ignorant.

This is a security issue, not your personal problems issue.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.