
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,490
30,731



Earlier this month, Apple took the unusual step of remotely blocking Oracle's Java 7 browser plug-in due to a major security vulnerability, using the "Xprotect" anti-malware system built into OS X to enforce a minimum version number that had yet to be released. Within days, Oracle updated Java to address the issue, with the new version number making the Java plug-in usable on OS X systems once more.

As noted by French site MacGeneration [Google translation] and the Apple discussion forums, Apple has once again blocked the Java 7 plug-in using Xprotect.

The updated blacklist enforces a minimum Java plug-in version of 1.7.0_11-b22, while the latest version of the plug-in is 1.7.0_11-b21.

The exact reason for Apple's renewed block on the Java plug-in is unknown although reports immediately following the release of Update 11 earlier this month indicated that it fixed only one of the two bugs that contributed to the security vulnerability. In the wake of that news, cybersecurity officials recommended that most users disable Java even with the up-to-date plug-in installed.
> Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.
>
> Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
If this continued issue is indeed the reason for the new block by Apple, it is unclear why the company waited several weeks to update its plug-in blacklist.

Article Link: Apple Once Again Blocks Java 7 Web Plug-in
 

FakeWozniak

macrumors 6502
Nov 8, 2007
428
26
It would be nice to know WHY stuff stops working.

Does anyone know how to see what is added regularly from Apple? I don't really feel like monitoring the blacklist file. I suppose the people who write the malware do though :-(

I use a Java based 'meeting' program from work and I don't know if it is the program or Java or the network...

Anyone know if Flash is in blacklist file? :)
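
An added example, not part of the thread and not Apple's code: a Python sketch of the minimum-version check described in the article, plus a snapshot diff that shows when a minimum changes, which is what the question above asks about. The plist layout, key names and bundle ID are assumptions modelled on the blacklist file, and the sample data is constructed from the version strings the article quotes.

```python
import plistlib
import re

# Constructed sample modelled on a plug-in blacklist plist. The layout, key
# names and bundle ID are assumptions; the minimum is the one the article quotes.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PlugInBlacklist</key><dict>
    <key>10</key><dict>
      <key>com.oracle.java.JavaAppletPlugin</key><dict>
        <key>MinimumPlugInBundleVersion</key><string>1.7.0_11-b22</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

_JAVA_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")

def parse_java_version(text):
    """'1.7.0_11-b22' -> (1, 7, 0, 11, 22); missing update/build count as 0."""
    m = _JAVA_VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def minimums(meta_bytes):
    """Map bundle ID -> required minimum version, across all sections."""
    out = {}
    for section in plistlib.loads(meta_bytes).get("PlugInBlacklist", {}).values():
        for bundle_id, rule in section.items():
            if "MinimumPlugInBundleVersion" in rule:
                out[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return out

def blocked(meta_bytes, installed):
    """Return {bundle_id: (installed, minimum)} for plug-ins below the minimum."""
    result = {}
    for bundle_id, minimum in minimums(meta_bytes).items():
        have = installed.get(bundle_id)
        if have and parse_java_version(have) < parse_java_version(minimum):
            result[bundle_id] = (have, minimum)
    return result

def changed(old_meta, new_meta):
    """Entries whose minimum differs between two snapshots of the blacklist."""
    old, new = minimums(old_meta), minimums(new_meta)
    return {b: (old.get(b), v) for b, v in new.items() if old.get(b) != v}

if __name__ == "__main__":
    installed = {"com.oracle.java.JavaAppletPlugin": "1.7.0_11-b21"}  # latest release per the article
    print(blocked(SAMPLE_META, installed))
```

Saving a copy of the blacklist periodically and passing the previous and current copies to `changed` reports each plug-in whose required minimum moved.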
 

notjustjay

macrumors 603
Sep 19, 2003
6,056
167
Canada, eh?
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

Edit: OK, before you hit "reply" and rip into me saying "well, I'm glad that works for YOU, but what about...", please note that I've acknowledged this further in the thread, and I'm sorry if your business/bank/whatever forces you to use Java applets in your browser.
 

Tiger8

macrumors 68020
May 23, 2011
2,479
649
Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.
 

ConCat

macrumors 6502a
> I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.
>
> Just leave it turned off.

Some people actually need it in certain business environments. Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves. How hard would it be to push the update to computers after Oracle updates Java with the security patch, not before?
 

Rocketman

macrumors 603
Java on 10.6 and before stopped working entirely. I have a standalone Java app I use on 10.4.11 and one day it just up and stopped working. Java says Apple is responsible for updating and of course Apple has not updated it either. This is a black hole because something that worked and was trusted by being rare and obscure, no longer works and I had no choice to "opt out."

Unless someone here has a suggestion.

Rocketman
 

vmachiel

macrumors 68000
Feb 15, 2011
1,772
1,440
Holland
I only use Java for Minecraft. I've never used the browser plugin, I've had it disabled for about a year now.
 

BornAgainMac

macrumors 604
Feb 4, 2004
7,281
5,250
Florida Resident
Java makes more sense on the server application and not as a client. I have had nothing but problems with Java applications after Java 7 came out. I even have applications that are not supported with later updates of Java 6 that are lower than other applications that need a higher update level.
 

AndyUnderscoreR

macrumors 6502
Jul 11, 2008
299
282
How do I turn it back on?

(oh, and spare me the preaching, I'm aware of the tiny theoretical risk involved, and it's massively outweighed by 100% chance of me not being able to use my computer to do most of the things I want to do today)

I would have thought Apple would have learned from iOS Maps, iOS Youtube and iTunes 11 not to break stuff that was working until they had a replacement that was usable?
 

DaveTheRave

macrumors 6502a
May 22, 2003
782
369
I urgently need it now so I got it to work using Firefox. Couldn't figure out a way to do it with Safari.
 

jonatron

macrumors member
Jun 18, 2007
76
47
Leeds, UK
> I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.
>
> Just leave it turned off.

Classic if it doesn't affect me it's not important.

This has stopped my company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

Thanks for your really useful advice!

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.
 

gazonk

macrumors member
Jan 1, 2009
57
6
> (oh, and spare me the preaching, I'm aware of the tiny theoretical risk involved, and it's massively outweighed by 100% chance of me not being able to use my computer to do most of the things I want to do today)

Tiny theoretical risk? Yes, if you don't visit web pages at all.
 

jwkay

macrumors regular
Sep 6, 2004
101
12
Bergen, Norway
Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!
 

LlamaLarry

macrumors regular
Oct 6, 2008
247
133
Northern VA
Pretty sure that if you just use any browser besides Safari, you're good to go.

If your company really sat around twiddling their thumbs without trying another browser then you're likely exactly who Apple disallowed the Safari plugin for.
 

RMo

macrumors 65816
Aug 7, 2007
1,253
281
Iowa, USA
> ... it's massively outweighed by 100% chance of me not being able to use my computer to do most of the things I want to do today

Do you really do most of the work on your computer with Java plug-in applets? My understanding is that, like last time, regular desktop applications (JARs, including those launched as part of a packaged APP bundle) will work fine.
 

Steve121178

macrumors 603
Apr 13, 2010
6,400
6,951
Bedfordshire, UK
> Classic if it doesn't affect me it's not important.
>
> This has stopped my company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.
>
> Thanks for your really useful advice!
>
> I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.

I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.
 

sectime

macrumors 6502a
Jul 29, 2007
530
0
> Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!

What could the risk be using Java to access your bank account?
 

jonatron

macrumors member
Jun 18, 2007
76
47
Leeds, UK
> Pretty sure that if you just use any browser besides Safari, you're good to go.
>
> If your company really sat around twiddling their thumbs without trying another browser then you're likely exactly who Apple disallowed the Safari plugin for.

That's not true. If you use a Java Web Start application it won't launch. Even using Firefox.

You may be able to reconfigure the app somehow to not use Safari to launch. Should I really be expected to do that?
 

AndyUnderscoreR

macrumors 6502
Jul 11, 2008
299
282
> Tiny theoretical risk? Yes, if you don't visit web pages at all.

Do you have even the tiniest shred of evidence that the current vulnerability is being exploited in the wild, by reputable sites, with a payload that isn't aimed purely at windows machines?

If you do, let me know, and I'll be sure not to click the 'are you sure' dialogue box that I wouldn't click anyway.
 