Apple Once Again Blocks Java 7 Web Plug-in

[Bubba Satori]

Quote:

Originally Posted by carl0sian

And the anti Apple comments will begin right about now...

But not before the Pavlovian faithful start chanting their pre-emptive counter spells.

Maybe you want to help this person out, now that you've done your duty.

Quote:

Originally Posted by jwkay

Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!

[LlamaLarry]

Quote:

Originally Posted by Steve121178

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.

The downside being relative platform insecurity.

[sonynair]

They are also blocking Apple Java 1.6! Don't know where XProtect.meta.plist screenshot is from, but that is not what Apple pushed out this morning.

Here's what it really is!

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_37-b06-435</string>
	<key>LastModification</key>
	<string>Thu, 31 Jan 2013 04:41:14 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.3.300.271</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.11.22</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>2028</integer>
</dict>
</plist>

To re-enable Apple Java 1.6:

Code:

sudo /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

or

Code:

sudo defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist JavaWebComponentVersionMinimum \"1.6.0_37-b06-434\"

To re-enable Oracle Java 1.7u11 edit the "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist" using vi in Terminal and change:

Code:

<string>1.7.11.22</string>

to:

Code:

<string>1.7.11.19</string>

I posted the block on Twitter when I noticed it this morning.
https://twitter.com/sonynair/status/296935103383347201

Hope that helps someone!

[jwkay]

Quote:

Originally Posted by sectime

What could the risk be using Java to access your bank account?

Java is just one tiny part of the BankID security system. I wish they'd ditch it, but that's not going to happen quickly. The layers of security beyond Java aren't threatened by the Java holes, apparently, and they claim there's no threat from Java in the way it's implemented into a bigger solution. I don't know the technicalities, just that for better or worse, we need it.

[AppleScruff1]

Flash, Java, what's next? Internet access to Apple approved sites only?

[gazonk]

Quote:

Originally Posted by AndyUnderscoreR

Do you have even the tiniest shred of evidence that the current vulnerability is being exploited in the wild, by reputable sites, with a payload that isn't aimed purely at windows machines?

The current vulnerability is probably not very different from the previous, so it can be just a question of hours before it suddenly appears in ads on "reputable sites" like it did with the previous version.

However, your point about Windows machine is good. I haven't heard of any actual attacks on OS X in the wild yet - anyone?

----------

Quote:

Originally Posted by jwkay

Java is just one tiny part of the BankID security system. I wish they'd ditch it, but that's not going to happen quickly. The layers of security beyond Java aren't threatened by the Java holes, apparently, and they claim there's no threat from Java in the way it's implemented into a bigger solution. I don't know the technicalities, just that for better or worse, we need it.

The silly PHBs of BankId completely miss the point! It's not about BankID security, it's about forcing all computer users in an entire nation to leave Java enabled in their browsers and thus making their computers far more vulnerable than they would have been if those PHBs hadn't insisted on implementing an applet where none is needed

[edvj]

Quote:

Originally Posted by jwkay

Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!

We have the same problem in Denmark, ours is called NemID..pretty much everything is based on NemID when you need to get in contact with local authorities, banking services..etc
About NemID

[gazonk]

Quote:

Originally Posted by gazonk

The silly PHBs of BankId completely miss the point! It's not about BankID security, it's about forcing all computer users in an entire nation to leave Java enabled in their browsers and thus making their computers far more vulnerable than they would have been if those PHBs hadn't insisted on implementing an applet where none is needed

Btw: Important hint to Norwegian users: Many banks (at least this applies to giant DnB) will deactivate your BankID if you ask them to. Their web apps will then run much faster and smoother since you don't have to load that silly applet

[DaveTheRave]

Quote:

Originally Posted by NYmacAttack

Also would like to know. Tried Firefox with no success.

I downloaded the current version and installed several times but that didn't work. Finally closed all browsers before installing again and took a look at Firefox's Tools/Ad-in's menu to make sure Java is still enabled. Then I tried the work site I need to use and this time it finally worked (also saw a Firefox warning asking me if I wanted to enable Java (although I thought it already was enabled). Strange. Anyway it finally worked.

Totally agree with some of the comments here. Totally irresponsible for Apple to block this critical function without commenting on it or advising on a workaround, override, etc. I need Java so I can work at home and access my work PC (I work for a large bank). This is the only way I can work remotely.

[doelcm82]

Quote:

Originally Posted by RMo

Do you really do most of the work on your computer with Java plug-in applets? My understanding is that, like last time, regular desktop applications (JARs, including those launched as part of a packaged APP bundle) will work fine.

Yes. Yes I do.

Next question?

[JetLaw]

Quote:

Originally Posted by Rocketman

Java on 10.6 and before stopped working entirely. I have a standalone Java app I use on 10.4.11 and one day it just up and stopped working. Java says Apple is responsible for updating and of course Apple has not updated it either. This is a black hole because something that worked and was trusted by being rare and obscure, no longer works and I had no choice to "opt out."

Unless someone here has a suggestion.

Rocketman

...Except that a standalone Java app would not be affected in any way whatsoever by disabling the Java web plugin.

[AppleInTheMud]

SOOOO IRRITATING APPLE YOU ****

Thank god I also have Windows on my iMac

[koban4max]

Quote:

Originally Posted by Steve121178

I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.

as much as I hate apple doing this..you need to move to pc if that's the case.

[pmz]

Difference between Java plug-in and Java run-time environment on the Mac.

They are not the same thing.

Java plugins in Safari: blocked.
Photoshop CS3: still works fine

Wake me up when Apple starts blocking up-to-date Flash.

[Bubba Satori]

Quote:

Originally Posted by AppleScruff1

Flash, Java, what's next? Internet access to Apple approved sites only?

Just got a warning notification from a mod.

What could that be about?

If I suddenly disap

[pmz]

Quote:

Originally Posted by Steve121178

I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.

Oh yeah its really "professional" to leave your users vulnerable to crippling attack, privacy invasion, etc. etc.

THAT is the Microsoft definition of "professionalism". The moment you turn it on, you're at risk of losing everything.

[tigres]

Quote:

Originally Posted by jonatron

Classic if it doesnt affect me its not important.

This has stopped by company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.

Could not agree more.
I was just on my 401k website attempting to make changes.
Now I know why I could not do it.

I see a lot of java required sites in my business of finance; I guess we are the only ones who use it heavily?

Whatever the reason, it is making my life difficult.

[guzhogi]

This is a real pain. I work for a school district and the software we use for the online gradebook uses Java. So now teachers can't update their grades. Plus, it's not that easy just to switch software platforms.

I understand Apple wanting to keep its platform secure and not degrade its good name, but users & companies really need the option to easily override these blocks.

[markcres]

= Troll

[supham]

What a pain in the ass. Who cares that we use ADP for our time off / scheduling....

[unplugme71]

Why can't Apple just pop up a dialogue window that says Java may have security issues instead of disabling it?

[Ralf The Dog]

Now, we are having trouble processing checks. If this keeps up, we will be forced to send someone to the bank with a stack of checks in a bag.

Welcome back to the 20th Century.

[randallking]

The article by MacRumors states that it's unknown why Apple took this step. I received an email advisory from MS-ISAC on January 28th which spoke of a new vulnerability. I am pasting it below.

--

MS-ISAC ADVISORY NUMBER:
2013-008 - UPDATED

DATE(S) ISSUED:
01/28/2013

SUBJECT:
Security Bypass Vulnerability in Oracle Java Runtime Environment Could Allow Remote Code Execution

OVERVIEW:
A vulnerability has been discovered in Oracle Java Runtime Environment (JRE) that can lead to remote code execution. The Java Runtime Environment is used to enhance the user experience when visiting websites and is installed on mostdesktops and servers. This vulnerability may be exploited if a user visits or is redirected to a specifically crafted web page. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the JRE application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely result in denial-of-service conditions.

SYSTEM AFFECTED:
Oracle JRE 1.7.0 Update 10, prior versions may also be affected.

UPDATED SYSTEM AFFECTED:
• Oracle JRE 1.7.0 Update 11, prior versions may also be affected.

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users:High

DESCRIPTION:
A vulnerability has been discovered in Oracle Java Runtime Environment that can lead to remote code execution. In order to exploit this vulnerability, an attacker must first create a web page with a specially crafted applet designed to leverage this issue. When the web page is visited, the attacker suppliedcode is run in the context of the affected application.

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the JRE application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attemptswill likely result in denial-of-service conditions.

Please note that there is no patch available from Oracle to mitigate this vulnerability at this time and this vulnerability is being sold in the underground markets.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply the patch from Oracle, after appropriate testing, as soon as one becomes available.
Consider disabling Java completely on all systems until a patch is available.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

REFERENCES:

Security Focus:
http://www.securityfocus.com/bid/57563

Full Disclosure:
http://seclists.org/fulldisclosure/2013/Jan/241

Multi-State Information Sharing and Analysis Center
31 Tech Valley Drive, Suite 2
East Greenbush, NY 12061
(518) 266-3460
1-866-787-4722
soc@msisac.org

[dexx0008]

Quote:

Originally Posted by Tiger8

Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.

this.

[derbladerunner]

This is unacceptable silent communication or rather lack of communication.

There should be at least be visible hints/error messages and there should be a way to manually override this for experienced users.

Many online brokers use Java and WebStart. There are people trading with lots of $ who couldn't start their broker applications today.

There was no way to find this error easily unless you go into the console, this is complete mis-communication on Apple's part.