Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat - MacRumors Forums
Old Jan 11, 2013, 12:34 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat
As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to the threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.
Quote:
Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."
Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

Apple's updated plug-in blacklist requiring an unreleased version of Java 7
Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected by this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but at least some versions of Java 4 through 7.

Article Link: Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat
MacRumors is offline   2 Reply With Quote
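The article above describes the block as a minimum-version entry in Apple's plug-in blacklist: the installed build (1.7.0_10-b18) is compared against a required one (1.7.0_10-b19), and anything older is refused. The following is an added illustration of that kind of check, not code from the original article or from Apple; the plist layout and the `MinimumVersion` key are assumptions chosen for the example, while the bundle id com.oracle.java.JavaAppletPlugin and the version strings come from the thread.

```python
"""Illustrative minimum-version plug-in blacklist check (constructed example).

The plist layout and the key names used here are assumptions for the
illustration, not a copy of Apple's real XProtect file. The bundle id
and the version strings are the ones discussed in the article.
"""
import plistlib
import re

# Java version strings look like 1.7.0_10-b18: major.minor.micro, an
# optional _update number, and an optional -bNN build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text):
    """Turn '1.7.0_10-b18' into a comparable tuple (1, 7, 0, 10, 18).

    Missing update/build components count as 0, so '1.7.0' sorts below
    '1.7.0_10-b18', which matches how a minimum-version rule is applied.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


# Constructed blacklist: one entry per plug-in bundle id, each naming the
# lowest version that is still allowed to load (assumed layout).
BLACKLIST_PLIST = plistlib.dumps({
    "PlugInBlacklist": {
        "com.oracle.java.JavaAppletPlugin": {
            "MinimumVersion": "1.7.0_10-b19",
        },
    },
})


def load_minimums(plist_bytes):
    """Parse the blacklist plist into {bundle_id: minimum version tuple}."""
    data = plistlib.loads(plist_bytes)
    return {bundle_id: parse_java_version(entry["MinimumVersion"])
            for bundle_id, entry in data["PlugInBlacklist"].items()}


def plugin_blocked(bundle_id, installed_version, plist_bytes=BLACKLIST_PLIST):
    """True when the installed plug-in is older than the blacklist minimum."""
    minimums = load_minimums(plist_bytes)
    if bundle_id not in minimums:
        return False  # not listed: nothing to enforce
    return parse_java_version(installed_version) < minimums[bundle_id]


if __name__ == "__main__":
    # The publicly available b18 fails the check; b19 or any later update passes.
    for version in ("1.7.0_10-b18", "1.7.0_10-b19", "1.7.0_11-b21"):
        state = "blocked" if plugin_blocked("com.oracle.java.JavaAppletPlugin", version) else "allowed"
        print(version, state)
```

Because the required build was not yet available when the entry shipped, every installed copy failed the comparison, which is exactly the effect the article reports.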
Old Jan 11, 2013, 12:35 PM   #2
needfx
macrumors 68000
 
needfx's Avatar
 
Join Date: Aug 2010
Location: macrumors apparently
bad java. baaaad java

Last edited by needfx; Jan 11, 2013 at 04:49 PM. Reason: change of heart
needfx is offline   5 Reply With Quote
Old Jan 12, 2013, 12:16 PM   #3
Mike1984
macrumors newbie
 
Join Date: Oct 2010
Quote:
Originally Posted by needfx View Post
bad java. baaaad java
If you want REAL SECURITY, you DISABLE all Client Side code, including JavaSCRIPT.
As Cross Site Scripting is the Worst Security Vulnerability out there.

Doing that, however, loses all the "cool" features.

The most secure sites run just JavaEE or Windows ASPX, with No client side libraries.
Nothing.
Mike1984 is offline   0 Reply With Quote
Old Jan 12, 2013, 12:21 PM   #4
Huntn
macrumors 604
 
Huntn's Avatar
 
Join Date: May 2008
Location: The Misty Mountains
Quote:
Originally Posted by Mike1984 View Post
If you want REAL SECURITY, you DISABLE all Client Side code, including JavaSCRIPT.
As Cross Site Scripting is the Worst Security Vulnerability out there.

Doing that, however, loses all the "cool" features.

The most secure sites run just JavaEE or Windows ASPX, with No client side libraries.
Nothing.
What kind of cool features do you lose? I've been using NoScript forever. Can you control java with that?
__________________
The modern business ethos: "I'm worth it, you're not, and I'm a glutton!"
MBP, 2.2 GHz intel i7, Radeon HD 6750M, Bootcamp: W7.
PC: i5 4670k, 8GB RAM, Asus GTX670 (2GB VRAM), W7.
Huntn is offline   0 Reply With Quote
Old Jan 13, 2013, 12:37 AM   #5
Tech198
macrumors 68040
 
Join Date: Mar 2011
Location: Australia, Perth
Quote:
Originally Posted by needfx View Post
bad java. baaaad java

Lol I agree..

Seems this is getting almost as bad as Flash.... (Maybe. More so)

Would this prevent this version from installing since it's blacklisted?
__________________
13" MBP-R, i5, 256Gig SDD, 8 Gig Ram, Apple TV (3rd-Gen.), iPhone 5S 16Gig, iPad (4th-Gen.) 16Gig, Mac Mini 2.3Ghz i7, 1TB HD

"There are no stupid questions, just stupid people."
Tech198 is online now   0 Reply With Quote
Old Jan 11, 2013, 12:38 PM   #6
gigapocket1
macrumors 6502a
 
Join Date: Mar 2009
Weird. I started getting DNS about 30 minutes ago lol. Was bugging me. Now I know why
gigapocket1 is offline   0 Reply With Quote
Old Jan 11, 2013, 12:40 PM   #7
xionxiox
macrumors regular
 
Join Date: Jul 2010
Location: Hell
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
__________________
I am an Apple Lover & I require cookies.
Blue iPod Shuffle 2012, iPhone 5 (White), Macbook Unibody (Pre-Pro), On my 6th Magsafe charging cord.

Last edited by xionxiox; Jan 11, 2013 at 12:45 PM.
xionxiox is offline   19 Reply With Quote
Old Jan 11, 2013, 12:41 PM   #8
wrldwzrd89
macrumors G4
 
wrldwzrd89's Avatar
 
Join Date: Jun 2003
Location: Solon, OH
This only affects the Java plug-in, right? That being blocked I can deal with. If the entire JDK/JRE is blocked, that is more problematic.
__________________
iMac Intel (Rev H, 27"), 1TB HDD, 16GB RAM, 10.8.4
wrldwzrd89 is offline   4 Reply With Quote
Old Jan 12, 2013, 08:03 AM   #9
drspringfield
macrumors newbie
 
Join Date: Dec 2009
Quote:
Originally Posted by wrldwzrd89 View Post
This only affects the Java plug-in, right? That being blocked I can deal with. If the entire JDK/JRE is blocked, that is more problematic.
Correct, and only in Safari.

----------

Quote:
Originally Posted by Solomani View Post
Is there any way to know exactly WHEN Apple makes these "background updates"? Like... does it happen any time I connect to the App Store under the (Checking for) Updates tab? I'm not as paranoid about this, but I am curious to know when files are modified on my Mac.
One per day. You may turn it off in the Security prefpane.
drspringfield is offline   0 Reply With Quote
Old Jan 11, 2013, 12:41 PM   #10
mreed911
macrumors member
 
Join Date: Mar 2008
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
mreed911 is offline   14 Reply With Quote
Old Jan 11, 2013, 12:43 PM   #11
wrldwzrd89
macrumors G4
 
wrldwzrd89's Avatar
 
Join Date: Jun 2003
Location: Solon, OH
Quote:
Originally Posted by mreed911 View Post
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.
The Xprotect background silent update feature was added to OS X back in Lion 10.7.3. It got extended in Mountain Lion to cover some other things, too - but even I do not know what all those are.
__________________
iMac Intel (Rev H, 27"), 1TB HDD, 16GB RAM, 10.8.4
wrldwzrd89 is offline   4 Reply With Quote
Old Jan 13, 2013, 12:20 PM   #12
MacSince1990
macrumors 65816
 
MacSince1990's Avatar
 
Join Date: Oct 2009
Even in 1.4? XD Didn't we have that on OS 9?

Quote:
Originally Posted by wrldwzrd89 View Post
The Xprotect background was added to OS X in 10.7.3. It got extended in ML, too - but even I do not know what all those are.
*GASP*

Not even you?!
__________________
Beige G3 w/1 GHz Sonnet G4, 768 MB, 400 GB HDD + 2x120GB, Radeon Mac Edition, ATA/133 PCI, 4-Port USB 2 PCI, 18x DVDRW, MacOS 10.4.11
15" Mid 2012 2.7 GHz Hi-Res/AG MBP 16 GB RAM, 1 TB 7200RPM 10.9.2
MacSince1990 is offline   0 Reply With Quote
Old Jan 11, 2013, 12:44 PM   #13
KnightWRX
macrumors Pentium
 
KnightWRX's Avatar
 
Join Date: Jan 2009
Location: Quebec, Canada
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
__________________
"What you leave behind is not what is engraved in stone monuments, but what is woven into the lives of others."
-- Pericles
KnightWRX is offline   23 Reply With Quote
Old Jan 11, 2013, 12:46 PM   #14
Diseal3
macrumors 65816
 
Join Date: Jun 2008
Quote:
Originally Posted by KnightWRX View Post
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
Agreed, the headline makes it sound like Java as a platform has been blocked on the Mac OS X system rather than just the browser plugin.
Diseal3 is offline   2 Reply With Quote
Old Jan 12, 2013, 11:15 AM   #15
LOrion
macrumors newbie
 
Join Date: Jan 2013
Location: California
Quote:
Originally Posted by KnightWRX View Post
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
VERY confusing... What was the original headline, and what is the 'current' one?

----------

Both show that you block JAVA by using Safari Preferences Security
and disable the JAVA box. Not the other 3 RIGHT?

Please explain these things in NON TECHY Talk.

Mine was enabled and I have seen no warnings...what is all that warning mumbo jumbo about.

What do we do next? Please specify for Mountain Lion and pre-ML OS X.
LOrion is offline   0 Reply With Quote
Old Jan 11, 2013, 12:45 PM   #16
WildCowboy
Administrator/Editor
 
WildCowboy's Avatar
 
Join Date: Jan 2005
Quote:
Originally Posted by mreed911 View Post
I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.
OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.


Quote:
Originally Posted by KnightWRX View Post
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
You are of course correct, and I've updated accordingly to make things more clear.
__________________
Editor in Chief, MacRumors
WildCowboy is offline   8 Reply With Quote
Old Jan 11, 2013, 12:54 PM   #17
KnightWRX
macrumors Pentium
 
KnightWRX's Avatar
 
Join Date: Jan 2009
Location: Quebec, Canada
Quote:
Originally Posted by WildCowboy View Post
You are of course correct, and I've updated accordingly to make things more clear.
Phew, thanks for the prompt response. 600-post thread crisis about how "Java sucks! Nyuh it doesn't! Yes it does! You're confusing the runtime with the plugin" averted.
__________________
"What you leave behind is not what is engraved in stone monuments, but what is woven into the lives of others."
-- Pericles
KnightWRX is offline   2 Reply With Quote
Old Jan 11, 2013, 12:46 PM   #18
Doctor Q
Administrator
 
Doctor Q's Avatar
 
Join Date: Sep 2002
Location: Los Angeles
Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
__________________
Oh do pay attention 007. In the wrong hands, this 12-core Mac Pro with three 4K displays, FirePro graphics, and Thunderbolt 2 could be very dangerous.
Doctor Q is offline   3 Reply With Quote
Old Jan 11, 2013, 12:49 PM   #19
Rodimus Prime
Banned
 
Join Date: Oct 2006
Quote:
Originally Posted by Doctor Q View Post
Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
Well, to be fair, it was a good trade-off, as Apple was piss-poor on it and tended to lag months behind Java and left holes open for a lot longer. I expect a patch will be out pretty soon from Oracle to fix it.
Rodimus Prime is offline   1 Reply With Quote
Old Jan 11, 2013, 12:55 PM   #20
KnightWRX
macrumors Pentium
 
KnightWRX's Avatar
 
Join Date: Jan 2009
Location: Quebec, Canada
Quote:
Originally Posted by Doctor Q View Post
by the time we Mac users got a Java release from Apple.
Java 7 is not released by Apple, it is a direct download from Oracle. Apple has stopped all development and distribution of their own Java runtime and plug-in with version 6.
__________________
"What you leave behind is not what is engraved in stone monuments, but what is woven into the lives of others."
-- Pericles
KnightWRX is offline   2 Reply With Quote
Old Jan 12, 2013, 08:09 AM   #21
Azathoth
macrumors 6502a
 
Join Date: Sep 2009
Quote:
Originally Posted by Doctor Q View Post
Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
When Apple was managing Java on OS X, Apple did a piss-poor job and was weeks, months behind on security:
here is one example, though I think there were others in 2011:

https://krebsonsecurity.com/2012/06/...urity-updates/

"Oracle is the official producer of Java, but Apple maintains its own version, and it has consistently lagged months behind Oracle in fixing security bugs. This failure on Apple’s part finally caught up with Mac OS X users earlier this year and turned into a major embarrassment for Apple, when the Flashback malware infected more than 650,000 Mac systems using a vulnerability that Oracle (but not Apple) had patched roughly two months earlier."

The current blocking (seems to only work in Safari, not FF, but ok) is probably good enough for most users.

My bank(s) and the German IRS (needed every month to file my taxes as a freelancer) both require Java, and on the Mac this has usually sucked badly, tending to run much better (i.e. just work) on my Windows VM.
Azathoth is offline   0 Reply With Quote
Old Jan 11, 2013, 08:07 PM   #22
Solomani
macrumors 65816
 
Solomani's Avatar
 
Join Date: Sep 2012
Quote:
Originally Posted by mreed911 View Post
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
Is there any way to know exactly WHEN Apple makes these "background updates"? Like... does it happen any time I connect to the App Store under the (Checking for) Updates tab? I'm not as paranoid about this, but I am curious to know when files are modified on my Mac.
Solomani is offline   0 Reply With Quote
Old Jan 11, 2013, 08:36 PM   #23
grahamperrin
macrumors regular
 
Join Date: Jun 2007
a little more about com.apple.xprotectupdater

Code:
macbookpro08-centrim:PreferencePanes gjp22$ sudo launchctl list com.apple.xprotectupdater
{
	"Label" = "com.apple.xprotectupdater";
	"LimitLoadToSessionType" = "System";
	"OnDemand" = true;
	"LastExitStatus" = 0;
	"TimeOut" = 30;
	"ProgramArguments" = (
		"/usr/libexec/XProtectUpdater";
	);
};
macbookpro08-centrim:PreferencePanes gjp22$ defaults read /System/Library/LaunchDaemons/com.apple.xprotectupdater
{
    Label = "com.apple.xprotectupdater";
    ProgramArguments =     (
        "/usr/libexec/XProtectUpdater"
    );
    RunAtLoad = 1;
    StartInterval = 86400;
}
macbookpro08-centrim:PreferencePanes gjp22$
86400 seconds = twenty-four hours.

----------

Quote:
Originally Posted by Hinnenk1amp View Post
… Apple's ability to …
If you prefer less security, please go ahead:

Mac Help: Advanced pane of Security & Privacy preferences

Last edited by grahamperrin; Jan 11, 2013 at 09:36 PM.
grahamperrin is offline   0 Reply With Quote
Old Jan 11, 2013, 12:48 PM   #24
camnchar
macrumors 6502
 
Join Date: Jan 2006
Location: SLC, Utah
Quote:
Originally Posted by xionxiox View Post
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
This is strange because Ellison and Jobs were supposedly good friends.

----------

Quote:
Originally Posted by Doctor Q View Post
Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
Of course, unpatched security flaws from the previous release went a lot longer before they were fixed, so
__________________
Apple //c, 1 MHz, 128k RAM, 5.25" floppy drive, 1-button mouse
camnchar is offline   2 Reply With Quote
Old Jan 12, 2013, 10:15 PM   #25
CharBroiled20s
macrumors member
 
Join Date: Apr 2009
Quote:
Originally Posted by camnchar View Post
This is strange because Ellison and Jobs were supposedly good friends.

----------

Of course, unpatched security flaws from the previous release went a lot longer before they were fixed, so
your statement is especially relevant since this java exploit has been around since java version 4...
CharBroiled20s is offline   1 Reply With Quote