Apple Once Again Blocks Java 7 Web Plug-in

[MacRumors]

Earlier this month, Apple took the unusual step of remotely blocking Oracle's Java 7 browser plug-in due to a major security vulnerability, using the "Xprotect" anti-malware system built into OS X to enforce a minimum version number that had yet to be released. Within days, Oracle updated Java to address the issue, with the new version number making the Java plug-in usable on OS X systems once more.

As noted by French site MacGeneration [Google translation] and the Apple discussion forums, Apple has once again blocked the Java 7 plug-in using Xprotect.

The updated blacklist enforces a minimum Java plug-in version of 1.7.0_11-b22, while the latest version of the plug-in is 1.7.0_11-b21.

The exact reason for Apple's renewed block on the Java plug-in is unknown although reports immediately following the release of Update 11 earlier this month indicated that it fixed only one of the two bugs that contributed to the security vulnerability. In the wake of that news, cybersecurity officials recommended that most users disable Java even with the up-to-date plug-in installed.

Quote:

Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.

If this continued issue is indeed the reason for the new block by Apple, it is unclear why the company waited several weeks to update its plug-in blacklist.

Article Link: Apple Once Again Blocks Java 7 Web Plug-in

[FakeWozniak]

It would be nice to know WHY stuff stops working.

Does anyone know how to see what is added regularly from Apple? I don't really feel like monitoring the blacklist file. I suppose the people who write the malware do though :-(

I use a Java based 'meeting' program from work and I don't know if it is the program or Java or the network...

Anyone know if Flash is in blacklist file? :-)

[sseaton1971]

Quote:

Originally Posted by FakeWozniak

It would be nice to know WHY stuff stops working.

Does anyone know how to see what is added regularly from Apple? I don't really feel like monitoring the blacklist file. I suppose the people who write the malware do though :-(

I use a Java based 'meeting' program from work and I don't know if it is the program or Java or the network...

Anyone know if Flash is in blacklist file? :-)

As far as I know, the only two browser plugins that are being "protected" by Xprotect are Flash and Java. I agree, it would be nice if there was at least some sort of warning.

[notjustjay]

I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

Edit: OK, before you hit "reply" and rip into me saying "well, I'm glad that works for YOU, but what about...", please note that I've acknowledged this further in the thread, and I'm sorry if your business/bank/whatever forces you to use Java applets in your browser.

[Tiger8]

Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.

[iphone495]

The bad news never stops with Java. Not that I would use it anyways.

[BornAgainMac]

Java makes more sense on the server application and not as a client. I have had nothing but problems with Java applications after Java 7 came out. I even have applications that are not supported with later updates of Java 6 that are lower than other applications that need a higher update level.

[carl0sian]

And the anti Apple comments will begin right about now...

[Mike1984]

Quote:

Originally Posted by iphone495

The bad news never stops with Java. Not that I would use it anyways.

Can't wait for Apple to Blow Away it's own JavaScript libraries when those security flaws come out. No Wait, they NEVER DO.

----------

Quote:

Originally Posted by Serelus

You can keep saying this, but to just leave the vulnerability there would be just as unprofessional. It's not argument to leave people at risk, just for the sake of those who can't use certain things properly anymore. Apple claims safety first, troubleshoot later.

Selective Security.
Apply IGNORES JavaScript Security issues, it depends on Java script.

[dexx0008]

Quote:

Originally Posted by Tiger8

Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.

this.

[Blu-ray1972]

Quote:

Originally Posted by Tiger8

Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.

I am in the same boat. I'm also quite displeased in their lack of Mac support for some of their programs for supporting DBs.

[Tiger8]

Quote:

Originally Posted by Blu-ray1972

I am in the same boat. I'm also quite displeased in their lack of Mac support for some of their programs for supporting DBs.

We need a 'oracle ruined it' support group

[ConCat]

Quote:

Originally Posted by notjustjay

I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

Some people actually need it in certain business environments. Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves. How hard would it be to push the update to computers after Oracle updates Java with the security patch, not before?

[till213]

Quote:

Originally Posted by ConCat

Some people actually need it in certain business environments.

In business environments...

Quote:

Originally Posted by ConCat

Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves.

... you (your admin) should really know how to enable it again, after Apple has blocked it! Otherwise you really don't need it...

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.

[NYmacAttack]

Quote:

Originally Posted by till213

In business environments...



... you (your admin) should really know how to enable it again, after Apple has blocked it! Otherwise you really don't need it...

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.

That may be true however when Apple does this without warning any admins all these remote "home users" are stuck.

Its very unprofessional no warning just *BAM*

[derbladerunner]

Quote:

Originally Posted by till213

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.

But ask how many people (including me) searched for an hour if not longer finding the cause(s) for this issue.

There is no clear communication from either Apple or in the UI (error message/pop-up).

I kept searching in Java Preferences and Console trying to find out why my apps don't work properly

[SamEdwards]

I am sysadmin for a San and the Fibre Channel switch requires Java in a browser to setup and monitor. It can take hours to work around Apple's security. Why not just pop up a dialog box and allow the user to decide on a case by case basis if they want to block Java?
Thanks to those who posted work arounds.
It's moments like this that I understand the Apple haters.
Sam

[ConCat]

Quote:

Originally Posted by till213

In business environments...



... you (your admin) should really know how to enable it again, after Apple has blocked it! Otherwise you really don't need it...

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.

Certainly it's easy to fix the issue. I could do it easily. The point is, they shouldn't be disabling things in a person's computer without their consent. It's downright intrusive! If they want to force people to upgrade to the newest version because of a security issue I can understand it, but there isn't even a newer version out yet! They have no business stranding users who use the Java plugin but aren't computer-savvy enough to figure out how to enable it again. It's extremely un-apple to be quite frank.

[sseaton1971]

Quote:

Originally Posted by till213

In business environments...



... you (your admin) should really know how to enable it again, after Apple has blocked it! Otherwise you really don't need it...

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.

Macs are used by a lot of users in schools, too. I have plenty of knowledge about how to fix this problem, but it becomes a major pain in the ass when I get blindsided by a bunch of students and staff complaining that their wordle.net projects aren't working anymore! It is hard to fix hundreds of computers immediately. Apple could at least give us a freakin' heads up!

[JHankwitz]

Quote:

Originally Posted by ConCat

Some people actually need it Java) in certain business environments. Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves. How hard would it be to push the update to computers after Oracle updates Java with the security patch, not before?

Like our government, Apple feels that it's their job to protect us from ourselves. It's unfortunately needed in too many cases.

[jonatron]

Quote:

Originally Posted by notjustjay

I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

Classic if it doesnt affect me its not important.

This has stopped by company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

Thanks for your really useful advice!

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.

[Steve121178]

Quote:

Originally Posted by jonatron

Classic if it doesnt affect me its not important.

This has stopped by company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

Thanks for your really useful advice!

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.

I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.

[LlamaLarry]

Quote:

Originally Posted by Steve121178

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.

The downside being relative platform insecurity.

[koban4max]

Quote:

Originally Posted by Steve121178

I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.

as much as I hate apple doing this..you need to move to pc if that's the case.

[guzhogi]

This is a real pain. I work for a school district and the software we use for the online gradebook uses Java. So now teachers can't update their grades. Plus, it's not that easy just to switch software platforms.

I understand Apple wanting to keep its platform secure and not degrade its good name, but users & companies really need the option to easily override these blocks.