Old Jan 31, 2013, 08:48 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Once Again Blocks Java 7 Web Plug-in




Earlier this month, Apple took the unusual step of remotely blocking Oracle's Java 7 browser plug-in due to a major security vulnerability, using the "Xprotect" anti-malware system built into OS X to enforce a minimum version number that had yet to be released. Within days, Oracle updated Java to address the issue, with the new version number making the Java plug-in usable on OS X systems once more.

As noted by French site MacGeneration [Google translation] and the Apple discussion forums, Apple has once again blocked the Java 7 plug-in using Xprotect.

The updated blacklist enforces a minimum Java plug-in version of 1.7.0_11-b22, while the latest version of the plug-in is 1.7.0_11-b21.

The exact reason for Apple's renewed block on the Java plug-in is unknown, although reports immediately following the release of Update 11 earlier this month indicated that it fixed only one of the two bugs that contributed to the security vulnerability. In the wake of that news, cybersecurity officials recommended that most users disable Java even with the up-to-date plug-in installed.
Quote:
Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
If this continued issue is indeed the reason for the new block by Apple, it is unclear why the company waited several weeks to update its plug-in blacklist.

Article Link: Apple Once Again Blocks Java 7 Web Plug-in
MacRumors is offline   0 Reply With Quote
Old Jan 31, 2013, 08:50 AM   #2
FakeWozniak
macrumors 6502
 
Join Date: Nov 2007
It would be nice to know WHY stuff stops working.

Does anyone know how to see what is added regularly from Apple? I don't really feel like monitoring the blacklist file. I suppose the people who write the malware do though :-(

I use a Java based 'meeting' program from work and I don't know if it is the program or Java or the network...

Anyone know if Flash is in blacklist file? :-)
FakeWozniak is offline   2 Reply With Quote
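For the question above about seeing what Apple adds without watching the blacklist file by hand, and for the minimum-version gate the article describes, here is an added example (not part of any post in this thread, and not Apple's code). It diffs two snapshots of a plug-in blacklist and reports whether an installed plug-in now falls below the enforced minimum. The key names `PlugInBlacklist` and `MinimumPlugInBundleVersion`, the bundle identifier, the "before" minimum and both snapshots are assumptions constructed for illustration; the versions 1.7.0_11-b22 and 1.7.0_11-b21 are the ones quoted in the article.

```python
import plistlib
import re

# Constructed blacklist snapshots. Key names and the bundle identifier are
# assumptions made for this example, not values taken from the thread.
def _snapshot(minimum):
    return plistlib.dumps({
        "PlugInBlacklist": {
            "com.oracle.java.JavaAppletPlugin": {
                "MinimumPlugInBundleVersion": minimum,
            },
        },
    })

BEFORE = _snapshot("1.7.0_10-b19")  # constructed earlier minimum
AFTER = _snapshot("1.7.0_11-b22")   # minimum quoted in the article

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)_(\d+)-b(\d+)$")

def parse_java_version(text):
    """Turn '1.7.0_11-b21' into (1, 7, 0, 11, 21) so versions compare numerically."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Java version: {text!r}")
    return tuple(int(g) for g in m.groups())

def minimums(plist_bytes):
    """Map plug-in identifier -> minimum version string from one snapshot."""
    entries = plistlib.loads(plist_bytes).get("PlugInBlacklist", {})
    return {pid: e["MinimumPlugInBundleVersion"] for pid, e in entries.items()
            if "MinimumPlugInBundleVersion" in e}

def changed_minimums(old_bytes, new_bytes):
    """Plug-ins whose minimum was added or changed between two snapshots."""
    old, new = minimums(old_bytes), minimums(new_bytes)
    return {pid: (old.get(pid), ver) for pid, ver in new.items()
            if old.get(pid) != ver}

def is_blocked(installed, minimum):
    """A plug-in is blocked when its version is below the enforced minimum."""
    return parse_java_version(installed) < parse_java_version(minimum)

def report(old_bytes, new_bytes, installed):
    """List (plug-in, old minimum, new minimum, blocked?) for each change."""
    changes = changed_minimums(old_bytes, new_bytes)
    return [(pid, old, new, is_blocked(installed[pid], new))
            for pid, (old, new) in sorted(changes.items()) if pid in installed]

if __name__ == "__main__":
    have = {"com.oracle.java.JavaAppletPlugin": "1.7.0_11-b21"}
    for pid, old, new, blocked in report(BEFORE, AFTER, have):
        print(f"{pid}: minimum {old} -> {new}; installed {have[pid]} "
              f"{'BLOCKED' if blocked else 'allowed'}")
```

Run on a schedule against saved copies of the file, the same diff gives administrators notice of a raised minimum before users report broken applets.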
Old Jan 31, 2013, 11:16 AM   #3
sseaton1971
macrumors 6502
 
Join Date: Feb 2012
Quote:
Originally Posted by FakeWozniak View Post
It would be nice to know WHY stuff stops working.

Does anyone know how to see what is added regularly from Apple? I don't really feel like monitoring the blacklist file. I suppose the people who write the malware do though :-(

I use a Java based 'meeting' program from work and I don't know if it is the program or Java or the network...

Anyone know if Flash is in blacklist file? :-)
As far as I know, the only two browser plugins that are being "protected" by Xprotect are Flash and Java. I agree, it would be nice if there was at least some sort of warning.
sseaton1971 is offline   0 Reply With Quote
Old Jan 31, 2013, 08:51 AM   #4
notjustjay
macrumors 603
 
 
Join Date: Sep 2003
Location: Canada, eh?
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

Edit: OK, before you hit "reply" and rip into me saying "well, I'm glad that works for YOU, but what about...", please note that I've acknowledged this further in the thread, and I'm sorry if your business/bank/whatever forces you to use Java applets in your browser.

Last edited by notjustjay; Jan 31, 2013 at 04:06 PM.
notjustjay is offline   5 Reply With Quote
Old Jan 31, 2013, 08:54 AM   #5
Tiger8
macrumors 68000
 
Join Date: May 2011
Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.
Tiger8 is online now   4 Reply With Quote
Old Jan 31, 2013, 08:55 AM   #6
iphone495
macrumors member
 
Join Date: Sep 2012
The bad news never stops with Java. Not that I would use it anyways.
iphone495 is offline   2 Reply With Quote
Old Jan 31, 2013, 09:03 AM   #7
BornAgainMac
macrumors 601
 
 
Join Date: Feb 2004
Location: Florida Resident
Java makes more sense on the server application and not as a client. I have had nothing but problems with Java applications after Java 7 came out. I even have applications that are not supported with later updates of Java 6 that are lower than other applications that need a higher update level.
BornAgainMac is offline   1 Reply With Quote
Old Jan 31, 2013, 09:11 AM   #8
carl0sian
macrumors regular
 
Join Date: Oct 2011
And the anti Apple comments will begin right about now...
carl0sian is offline   3 Reply With Quote
Old Jan 31, 2013, 10:59 AM   #9
Mike1984
macrumors newbie
 
Join Date: Oct 2010
Selective Security Restriction

Quote:
Originally Posted by iphone495 View Post
The bad news never stops with Java. Not that I would use it anyways.
Can't wait for Apple to Blow Away its own JavaScript libraries when those security flaws come out. No Wait, they NEVER DO.

----------

Quote:
Originally Posted by Serelus View Post
You can keep saying this, but to just leave the vulnerability there would be just as unprofessional. It's not an argument to leave people at risk, just for the sake of those who can't use certain things properly anymore. Apple claims safety first, troubleshoot later.
Selective Security.
Apple IGNORES JavaScript Security issues, it depends on JavaScript.
Mike1984 is offline   0 Reply With Quote
Old Jan 31, 2013, 10:21 AM   #10
dexx0008
macrumors member
 
Join Date: Sep 2007
Quote:
Originally Posted by Tiger8 View Post
Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.
this.
dexx0008 is offline   2 Reply With Quote
Old Feb 1, 2013, 02:47 PM   #11
Blu-ray1972
macrumors newbie
 
Join Date: Feb 2013
Quote:
Originally Posted by Tiger8 View Post
Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.
I am in the same boat. I'm also quite displeased in their lack of Mac support for some of their programs for supporting DBs.
Blu-ray1972 is offline   0 Reply With Quote
Old Feb 1, 2013, 09:26 PM   #12
Tiger8
macrumors 68000
 
Join Date: May 2011
Quote:
Originally Posted by Blu-ray1972 View Post
I am in the same boat. I'm also quite displeased in their lack of Mac support for some of their programs for supporting DBs.
We need an 'Oracle ruined it' support group
Tiger8 is online now   0 Reply With Quote
Old Jan 31, 2013, 08:55 AM   #13
ConCat
Banned
 
Join Date: Jul 2012
Location: In an ethereal plane of existence.
Quote:
Originally Posted by notjustjay View Post
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.
Some people actually need it in certain business environments. Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves. How hard would it be to push the update to computers after Oracle updates Java with the security patch, not before?
ConCat is offline   12 Reply With Quote
Old Jan 31, 2013, 10:25 AM   #14
till213
macrumors regular
 
Join Date: Jul 2011
Quote:
Originally Posted by ConCat View Post
Some people actually need it in certain business environments.
In business environments...

Quote:
Originally Posted by ConCat View Post
Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves.
... you (your admin) should really know how to enable it again, after Apple has blocked it! Otherwise you really don't need it...

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.
till213 is offline   3 Reply With Quote
Old Jan 31, 2013, 10:28 AM   #15
NYmacAttack
macrumors 6502
 
Join Date: Dec 2005
Location: NY
Quote:
Originally Posted by till213 View Post
In business environments...



... you (your admin) should really know how to enable it again, after Apple has blocked it! Otherwise you really don't need it...

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.
That may be true however when Apple does this without warning any admins all these remote "home users" are stuck.

It's very unprofessional, no warning, just *BAM*
__________________
Black MB C2D 2.16
NYmacAttack is offline   3 Reply With Quote
Old Jan 31, 2013, 10:34 AM   #16
derbladerunner
macrumors regular
 
Join Date: Sep 2005
Quote:
Originally Posted by till213 View Post
Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.
But ask how many people (including me) searched for an hour if not longer finding the cause(s) for this issue.

There is no clear communication from either Apple or in the UI (error message/pop-up).

I kept searching in Java Preferences and Console trying to find out why my apps don't work properly
derbladerunner is offline   2 Reply With Quote
Old Jan 31, 2013, 10:42 AM   #17
SamEdwards
macrumors newbie
 
Join Date: Mar 2010
Totally Frustrating

I am sysadmin for a SAN and the Fibre Channel switch requires Java in a browser to set up and monitor. It can take hours to work around Apple's security. Why not just pop up a dialog box and allow the user to decide on a case by case basis if they want to block Java?
Thanks to those who posted workarounds.
It's moments like this that I understand the Apple haters.
Sam
SamEdwards is offline   3 Reply With Quote
Old Jan 31, 2013, 11:57 AM   #18
ConCat
Banned
 
Join Date: Jul 2012
Location: In an ethereal plane of existence.
Quote:
Originally Posted by till213 View Post
In business environments...



... you (your admin) should really know how to enable it again, after Apple has blocked it! Otherwise you really don't need it...

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.
Certainly it's easy to fix the issue. I could do it easily. The point is, they shouldn't be disabling things in a person's computer without their consent. It's downright intrusive! If they want to force people to upgrade to the newest version because of a security issue I can understand it, but there isn't even a newer version out yet! They have no business stranding users who use the Java plugin but aren't computer-savvy enough to figure out how to enable it again. It's extremely un-apple to be quite frank.
ConCat is offline   2 Reply With Quote
Old Jan 31, 2013, 12:05 PM   #19
sseaton1971
macrumors 6502
 
Join Date: Feb 2012
Quote:
Originally Posted by till213 View Post
In business environments...



... you (your admin) should really know how to enable it again, after Apple has blocked it! Otherwise you really don't need it...

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.
Macs are used by a lot of users in schools, too. I have plenty of knowledge about how to fix this problem, but it becomes a major pain in the ass when I get blindsided by a bunch of students and staff complaining that their wordle.net projects aren't working anymore! It is hard to fix hundreds of computers immediately. Apple could at least give us a freakin' heads up!
sseaton1971 is offline   2 Reply With Quote
Old Jan 31, 2013, 12:28 PM   #20
JHankwitz
macrumors 65816
 
Join Date: Oct 2005
Location: Wisconsin
Quote:
Originally Posted by ConCat View Post
Some people actually need it (Java) in certain business environments. Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves. How hard would it be to push the update to computers after Oracle updates Java with the security patch, not before?
Like our government, Apple feels that it's their job to protect us from ourselves. It's unfortunately needed in too many cases.
JHankwitz is offline   0 Reply With Quote
Old Jan 31, 2013, 09:23 AM   #21
jonatron
macrumors member
 
Join Date: Jun 2007
Location: Leeds, UK
Quote:
Originally Posted by notjustjay View Post
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.
Classic if it doesn't affect me it's not important.

This has stopped my company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

Thanks for your really useful advice!

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.
jonatron is offline   15 Reply With Quote
Old Jan 31, 2013, 09:32 AM   #22
Steve121178
macrumors 68000
 
 
Join Date: Apr 2010
Location: Bedfordshire, UK
Quote:
Originally Posted by jonatron View Post
Classic if it doesn't affect me it's not important.

This has stopped my company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

Thanks for your really useful advice!

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.
I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.
__________________
13" rMBP Haswell i5/16GB/512GB (Late '13) 21.5" iMac i5/16GB/1TB Fusion (Late '12) iPhone 5s 32GB iPad rMini 32GB
Steve121178 is offline   3 Reply With Quote
Old Jan 31, 2013, 09:37 AM   #23
LlamaLarry
macrumors member
 
Join Date: Oct 2008
Location: Northern VA
Quote:
Originally Posted by Steve121178 View Post
Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.
The downside being relative platform insecurity.
__________________
Early 2011 17" MBP - Early 2011 13" MBP - Mid 2011 11" MBA - 2 x 2009 MB - iPhone --> iPhone 5; iPad, iPad v2
LlamaLarry is offline   0 Reply With Quote
Old Jan 31, 2013, 10:08 AM   #24
koban4max
macrumors 65816
 
Join Date: Aug 2011
Quote:
Originally Posted by Steve121178 View Post
I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.
As much as I hate Apple doing this... you need to move to PC if that's the case.
koban4max is offline   0 Reply With Quote
Old Jan 31, 2013, 10:15 AM   #25
guzhogi
macrumors 68020
 
 
Join Date: Aug 2003
Location: Wherever my feet take me…
This is a real pain. I work for a school district and the software we use for the online gradebook uses Java. So now teachers can't update their grades. Plus, it's not that easy just to switch software platforms.

I understand Apple wanting to keep its platform secure and not degrade its good name, but users & companies really need the option to easily override these blocks.
guzhogi is offline   3 Reply With Quote

All times are GMT -5.

Copyright 2002-2013, MacRumors.com, LLC