Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,290
30,375



As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.
Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."
Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

java_7_blacklist.jpg
Apple's updated plug-in blacklist requiring an unreleased version of Java 7
Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but at least some versions of Java 4 through 7.

Article Link: Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat
 

gigapocket1

macrumors 68020
Mar 15, 2009
2,236
1,720
Weird. I started getting DNS about 30 minutes ago lol. Was bugging me. Now I know why
 

xionxiox

macrumors regular
Jul 20, 2010
227
0
Hell
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
 
Last edited:

wrldwzrd89

macrumors G5
Jun 6, 2003
12,110
77
Solon, OH
This only affects the Java plug-in, right? That being blocked I can deal with. If the entire JDK/JRE is blocked, that is more problematic.
 

mreed911

macrumors member
Mar 19, 2008
52
0
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
 

wrldwzrd89

macrumors G5
Jun 6, 2003
12,110
77
Solon, OH
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.
The Xprotect background silent update feature was added to OS X back in Lion 10.7.3. It got extended in Mountain Lion to cover some other things, too - but even I do not know what all those are.
 

KnightWRX

macrumors Pentium
Jan 28, 2009
15,046
4
Quebec, Canada
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
 

WildCowboy

Administrator/Editor
Staff member
Jan 20, 2005
18,375
2,801
I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.


com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
You are of course correct, and I've updated accordingly to make things more clear.
 

ajovanov

macrumors newbie
Jan 11, 2013
6
0
apple should provide option to switch to java 6

apple should provide an easy option to switch back to java 6
 

Diseal3

macrumors 65816
Jun 29, 2008
1,072
95
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.

Agreed, headline makes it sounds like Java as a platform has been blocked on the Mac OS X System rather than just the browser plugin.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
39,777
7,498
Los Angeles
Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
 

camnchar

macrumors 6502
Jan 26, 2006
434
415
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.

This is strange because Ellison and Jobs were supposedly good friends.

----------

Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.

Of course, unpatched security flaws from the previous release went a lot longer before they were fixed, so
 

Rodimus Prime

macrumors G4
Oct 9, 2006
10,136
4
Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.

well to be fair it was a good trade off as Apple was piss poor on it and tend to lag months behind Java and left holes open for a lot longer. I expect a patch will be out pretty soon from Oracle to fix it.
 

derbothaus

macrumors 601
Jul 17, 2010
4,093
30
well to be fair it was a good trade off as Apple was piss poor on it and tend to lag months behind Java and left holes open for a lot longer. I expect a patch will be out pretty soon from Oracle to fix it.

All Oracle versions have been insecure. I'd rather have stability and security over latest and certainly not greatest. Lot's of stuff won't even run on 7 plug.
 

krravi

macrumors 65816
Nov 30, 2010
1,173
0
Tell us why 'Java Sucks'?

Thanks.

As a middleware and server platform Java is great. But when it comes to front end, it sucks like a tornado. Their widgets and the slow response times are horrible. Java was trying to be a "all in one" solution but it never got accepted.

I know the Mars rover interface is Java. But NASA engineers could have chosen the easy way out, you know run it on Linux and throw Java on top of it. Easy out of the box solution. I believe Android is based on such a platform, but I am not sure. No wonder it's so glitchy and jerky.
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.