Mike1984

macrumors member
Oct 21, 2010
39
15
What could the risk be using Java to access your bank account?

Exactly None.
Apple should NOT BE BLOCKING HTTPS web sites that use Java Plugins.
Especially as Java 7 now has Java FX, with better Table handling and Charts.
It looks like Apple Envy, attempt to Force People to HTML5,
vs. a superior Technology: Java 7.
 

Thunderhawks

Suspended
Feb 17, 2009
4,057
2,118
So Apple is actively trying to stop your computer from being exploited by hackers and you think that is unacceptable?

What would you say if they did nothing and your machine got hacked?

Not the point.

As a user I should be asked. (Don't care about the wording)

Nobody comes to your house without permission and blocks one of your TV channels, saying you don't need it because it's dangerous.
 

Rocketman

macrumors 603
I am still using 10.6 on my personal laptop, and several of the laptops I deploy in our school district still are at 10.6. Both Java and the browser plugin are working fine. Did the standalone Java app you are using get updated? Perhaps it requires a newer version?
After reading this thread and reviewing my error messages, I am wondering if the change that bothers me is on the server side. It is a standalone Java app that logs into a server to provide very extensive financial data.

On 1-11-13 it suddenly choked on my Java version. It is not upgradable at all.

Rocketman
 


Serelus

macrumors 6502a
Aug 11, 2009
673
132
Vm9pZA
Not the point.

As a user I should be asked. (Don't care about the wording)

Nobody comes to your house without permission and blocks one of your TV channels, saying you don't need it because it's dangerous.

You should ask for protection? It's called Prevention. Do you ask the police to protect you when you're being robbed or beaten? No, they just do because it's their goddamn job. What kind of dumb logic is this.
 

Ralf The Dog

macrumors regular
May 1, 2008
192
0
The real question is, "Why do banks and other organizations continue to use Java?" I get that it is cross platform. Are they using some Java based encryption? If so, I would think, they would be safer to require a native browser plugin.
 

yg17

macrumors Pentium
Aug 1, 2004
15,027
3,002
St. Louis, MO
OK, OK, I'm sorry, I'm sorry.

I don't work with business/finance/banking software. I didn't realize that apparently a lot of it relies on Java applets that run in your browser.

I still think that's a dumb and vulnerable approach, but I understand that it's frustrating that you can't get work done as a result.

So, business environments aside, there is no real reason for your average Joe to need Java applets when browsing the web on a day-to-day basis, and for security reasons, they should leave it off.

My credit union's two-factor authentication requires Java to log in to online banking. It's not the best system, but I'm not about to leave my CU that I really like over a Java requirement.
 

sseaton1971

macrumors 6502
Feb 9, 2012
431
11
After reading this thread and reviewing my error messages, I am wondering if the change that bothers me is on the server side. It is a standalone Java app that logs into a server to provide very extensive financial data.

On 1-11-13 it suddenly choked on my Java version. It is not upgradable at all.

Rocketman

That could be... just as frustrating, though!
 

SmileyBlast!

macrumors 6502a
Mar 1, 2011
654
43
Have you been reading the other posts? Part of our frustration is that Apple has not communicated what they did. Protecting computers is OK, but they need to tell us what they did and give those of us who rely on it (yes, some of us who work for banks, etc. have to have it) a way to continue to use it despite the risk. My company is not going to hack me. I shouldn't have to go to a rumor site to find out why my remote access doesn't work.

Your bank's IT department should be aware and should have notified you.

You would also think that a Bank is particularly security conscious and would provide you with a remote access solution that did not rely on Java.

The exploit is serious.
 

sseaton1971

macrumors 6502
Feb 9, 2012
431
11
They are also blocking Apple Java 1.6! Don't know where XProtect.meta.plist screenshot is from, but that is not what Apple pushed out this morning.

Here's what it really is!

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_37-b06-435</string>
	<key>LastModification</key>
	<string>Thu, 31 Jan 2013 04:41:14 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.3.300.271</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.11.22</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>2028</integer>
</dict>
</plist>

To re-enable Apple Java 1.6:

Code:
sudo /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

or

Code:
sudo defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist JavaWebComponentVersionMinimum \"1.6.0_37-b06-434\"

To re-enable Oracle Java 1.7u11 edit the "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist" using vi in Terminal and change:

Code:
<string>1.7.11.22</string>
to:
Code:
<string>1.7.11.19</string>

I posted the block on Twitter when I noticed it this morning.
https://twitter.com/sonynair/status/296935103383347201

Hope that helps someone!

This will work until the next Xprotect update. I have a logout script on some of our laptops that removes the keys for both Java and Flash. So, when a user can't use one of them (because of an Xprotect update), the user simply logs out and back in. This isn't always a safe and practical solution for all users, though.
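
An added example, not part of the thread and not Apple's tooling: a small audit for admins that parses XProtect.meta.plist, lists which installed plug-ins fall under the minimums, and flags a local copy whose entries were removed or lowered relative to the pushed baseline (as the edits above and the logout script do). The run-by-run numeric version comparison, the installed versions and all function names are assumptions of this example.

```python
import plistlib
import re

# Baseline: the plist quoted in the post above (Version 2028), whitespace
# condensed and LastModification omitted.
BASELINE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>JavaWebComponentVersionMinimum</key><string>1.6.0_37-b06-435</string>
<key>PlugInBlacklist</key><dict><key>10</key><dict>
<key>com.macromedia.Flash Player.plugin</key>
<dict><key>MinimumPlugInBundleVersion</key><string>11.3.300.271</string></dict>
<key>com.oracle.java.JavaAppletPlugin</key>
<dict><key>MinimumPlugInBundleVersion</key><string>1.7.11.22</string></dict>
</dict></dict><key>Version</key><integer>2028</integer></dict></plist>"""

# Constructed sample inventory of installed plug-in bundle versions.
INSTALLED = {"com.oracle.java.JavaAppletPlugin": "1.7.11.21",
             "com.macromedia.Flash Player.plugin": "11.5.502.146"}

def version_key(version):
    """'1.6.0_37-b06-435' -> (1, 6, 0, 37, 6, 435). Assumed comparison rule."""
    return tuple(int(run) for run in re.findall(r"\d+", version))

def minimums(meta):
    """Flatten a parsed XProtect.meta.plist into {identifier: minimum}."""
    found = {k: meta[k] for k in ("JavaWebComponentVersionMinimum",) if k in meta}
    # Assumes a bundle id appears under only one PlugInBlacklist group.
    for plugins in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in plugins.items():
            found[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return found

def blocked(meta, installed):
    """Bundle ids whose installed version is below the listed minimum."""
    mins = minimums(meta)
    return sorted(b for b, v in installed.items()
                  if b in mins and version_key(v) < version_key(mins[b]))

def drift(baseline, local):
    """Entries the local file has removed or lowered relative to baseline."""
    base, loc = minimums(baseline), minimums(local)
    findings = []
    for ident, want in base.items():
        have = loc.get(ident)
        if have is None or version_key(have) < version_key(want):
            findings.append((ident, "removed" if have is None else "lowered", want, have))
    return findings

def edited_copy():
    """Constructed local file: the baseline with both edits from the post."""
    meta = plistlib.loads(BASELINE)
    del meta["JavaWebComponentVersionMinimum"]
    java = meta["PlugInBlacklist"]["10"]["com.oracle.java.JavaAppletPlugin"]
    java["MinimumPlugInBundleVersion"] = "1.7.11.19"
    return meta

if __name__ == "__main__":
    vendor, local = plistlib.loads(BASELINE), edited_copy()
    print(blocked(vendor, INSTALLED), blocked(local, INSTALLED))
    print(*drift(vendor, local), sep="\n")
```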
 

Thunderhawks

Suspended
Feb 17, 2009
4,057
2,118
You should ask for protection? It's called Prevention. Do you ask the police to protect you when you're being robbed or beaten? No, they just do because it's their goddamn job. What kind of dumb logic is this.

Simple logic that you don't want to follow maybe?

The police "as prevention" may say do not go down that dark alley in this neighborhood, you may be robbed.

You can then decide if you go or not. You may want to go there, because your stuff is in a shed down there and you have not had any incidents.

The police will not block the access to that dark alley, so you can't go down there and get your stuff.

A pop up saying:

WARNING using JAVA is insecure to use or so

with an

I understand the risks (not that people do) continue

or

Cancel

This notification can be turned off in the preferences file.

Nobody here says that we do not appreciate actions by Apple to make our user experiences as safe as possible.

But, when somebody switches something off in my computer, I'd like to know.

Al Franken will get on this very shortly and the government will get involved.
Not necessarily a good thing, just wait and see:)
 

sseaton1971

macrumors 6502
Feb 9, 2012
431
11
Exactly None.
Apple should NOT BE BLOCKING HTTPS web sites that use Java Plugins.
Especially as Java 7 now has Java FX, with better Table handling and Charts.
It looks like Apple Envy, attempt to Force People to HTML5,
vs. a superior Technology: Java 7.

Since Java is not installed by default on the latest version of OS X, I don't think Apple should be blocking it at all. If a user wants to use Java, he or she should be able to do so. If a user wants to be protected, perhaps he or she can install some sort of malware app that also checks for possible Java exploits. I can see why Apple would use Xprotect for their own in-house version of Java, but this is not their baby anymore.

----------

Simple logic that you don't want to follow maybe?

The police "as prevention" may say do not go down that dark alley in this neighborhood, you may be robbed.

You can then decide if you go or not. You may want to go there, because your stuff is in a shed down there and you have not had any incidents.

The police will not block the access to that dark alley, so you can't go down there and get your stuff.

A pop up saying:

WARNING using JAVA is insecure to use or so

with an

I understand the risks (not that people do) continue

or

Cancel

This notification can be turned off in the preferences file.

Nobody here says that we do not appreciate actions by Apple to make our user experiences as safe as possible.

But, when somebody switches something off in my computer, I'd like to know.

Al Franken will get on this very shortly and the government will get involved.
Not necessarily a good thing, just wait and see:)

Thank you... I agree wholeheartedly! I don't need Apple babysitting me. I hope this all gets resolved very soon.
 

ConCat

macrumors 6502a
In business environments...



... you (your admin) should really know how to enable it again, after Apple has blocked it! Otherwise you really don't need it...

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.

Certainly it's easy to fix the issue. I could do it easily. The point is, they shouldn't be disabling things in a person's computer without their consent. It's downright intrusive! If they want to force people to upgrade to the newest version because of a security issue I can understand it, but there isn't even a newer version out yet! They have no business stranding users who use the Java plugin but aren't computer-savvy enough to figure out how to enable it again. It's extremely un-Apple to be quite frank.
 

sseaton1971

macrumors 6502
Feb 9, 2012
431
11
In business environments...



... you (your admin) should really know how to enable it again, after Apple has blocked it! Otherwise you really don't need it...

Given the fact that Mac computers are probably used by a majority of home users what Apple does is good practise here. All other people - including Power Users(tm) - know anyway how to circumvent Apple's settings.

Macs are used by a lot of users in schools, too. I have plenty of knowledge about how to fix this problem, but it becomes a major pain in the ass when I get blindsided by a bunch of students and staff complaining that their wordle.net projects aren't working anymore! It is hard to fix hundreds of computers immediately. Apple could at least give us a freakin' heads up!
 

bbeagle

macrumors 68040
Oct 19, 2010
3,541
2,981
Buffalo, NY
Exactly None.
Apple should NOT BE BLOCKING HTTPS web sites that use Java Plugins.
Especially as Java 7 now has Java FX, with better Table handling and Charts.
It looks like Apple Envy, attempt to Force People to HTML5,
vs. a superior Technology: Java 7.

How does HTTPS have anything to do with Java Applets?

If a bank uses a java applet, the applet is not necessarily insecure just because it's java. Only a PROGRAMMER who is developing the CODE to write the java applet can make a particular java applet 'rogue' to take over your Mac. If you trust a company, say, Bank Of America, then there is no reason to think the java applet would be 'rogue'.

Conversely, I could create a dummy web site, use HTTPS, and write a 'rogue' java applet which takes over your machine.

I'm a developer, and I laugh at your comment that Java 7 is better than HTML5. Not for the web. HTML5 is far superior. For back-end development, Java is the way to go though.
 

jk1002

macrumors member
Jun 18, 2008
63
2
This will work until the next Xprotect update. I have a logout script on some of our laptops that removes the keys for both Java and Flash. So, when a user can't use one of them (because of an Xprotect update), the user simply logs out and back in. This isn't always a safe and practical solution for all users, though.

You can disable the Xprotect auto updates under System Preferences - Security - General - Advanced - untick "Automatically update safe downloads list".
 

topmike

macrumors member
Feb 18, 2009
33
0
JavaScript does not equal Java. They have similar names, but they are not even kinda like each other....

Doh! My lack of developer skills just showed.....

Thanks.

----------

You're clearly not a developer, there's a difference between a Java Based - plugin and JavaScript, they are 2 different languages, thus not the same thing.



JavaScript is too basic to block out in its entirety as too much of the web works on JavaScript. A Java plugin on the other hand is a lot less common and isn't required as much as JavaScript nor is it as easily exploitable by another end-user. As the JRE (runtime) can give external users complete remote control, where with JavaScript this is technically possible but a lot harder to achieve.

Besides security is security, leaving any of them is irresponsible and leaving it there is not an excuse nor is it in any way professional.

You are absolutely right! After reading your comment, I actually spent time researching this. I have confused the two for years, and never understood why I needed both Java and JavaScript. Boy, do I feel stupid! :D

Anyway- thanks for keeping me honest!

So is JavaScript OK to enable by default?
 

inkswamp

macrumors 68030
Jan 26, 2003
2,953
1,278
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

I'm glad that works for you but why would you assume your situation should be applicable to everyone else?

The problem is that a lot of business users (including me) are occasionally forced to use browser-based programs that rely on Java to get their work done. When Apple blocks things like this without notice, it becomes a serious impediment to getting work done. Just disabling something out of the blue can cause serious headaches for some users and doing so without issuing any notice or way to undo it is just a bad and annoying idea.
 

JHankwitz

macrumors 68000
Oct 31, 2005
1,911
58
Wisconsin
Some people actually need it (Java) in certain business environments. Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves. How hard would it be to push the update to computers after Oracle updates Java with the security patch, not before?

Like our government, Apple feels that it's their job to protect us from ourselves. It's unfortunately needed in too many cases.
 

RayK

macrumors 6502
Oct 13, 2005
345
15
They are also blocking Apple Java 1.6! Don't know where XProtect.meta.plist screenshot is from, but that is not what Apple pushed out this morning.

Here's what it really is!

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_37-b06-435</string>
	<key>LastModification</key>
	<string>Thu, 31 Jan 2013 04:41:14 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.3.300.271</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.11.22</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>2028</integer>
</dict>
</plist>

To re-enable Apple Java 1.6:

Code:
sudo /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

or

Code:
sudo defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist JavaWebComponentVersionMinimum \"1.6.0_37-b06-434\"

To re-enable Oracle Java 1.7u11 edit the "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist" using vi in Terminal and change:

Code:
<string>1.7.11.22</string>
to:
Code:
<string>1.7.11.19</string>

I posted the block on Twitter when I noticed it this morning.
https://twitter.com/sonynair/status/296935103383347201

Hope that helps someone!

Have you found a way to disable XProtect (Automatically update safe downloads list) through command line means? I cannot seem to find what plist this is modifying. This has been driving me nuts for weeks.

----------

This will work until the next Xprotect update. I have a logout script on some of our laptops that removes the keys for both Java and Flash. So, when a user can't use one of them (because of an Xprotect update), the user simply logs out and back in. This isn't always a safe and practical solution for all users, though.

Why not have it update on login then just remove the lines? That sounds like the best method to me.
 

jonatron

macrumors member
Jun 18, 2007
76
47
Leeds, UK
So Apple is actively trying to stop your computer from being exploited by hackers and you think that is unacceptable?

What would you say if they did nothing and your machine got hacked?

I think you're missing the point and being very naive. I have no problem with Apple securing system at all. It's great they are proactively making updates. However to force this on people with no explanation is plain unacceptable. I spent a long time trying to work out what was wrong with no error or guidance from Apple.

A lot of people use business systems that rely on Java. Software companies cannot simply turn around compatible updates at the drop of a hat. We are going to have to use a brand new version of Java that is unsupported for using our finance system.

The choice here is that if Apple continues to do this then we will be moving away from the Mac platform for a number of our users as we cannot afford to have obstacles such as this in our way.

I'm not asking them to do nothing, just behave in a controlled and mature way.

At the very least all they had to do was say we're going to disable this in X days and I would have been able to come up with a workaround. Instead I have had an entire department lose a day's work.

What's even more frustrating is I'm going to have to disable the safe downloads completely for all of our users which means they are going to miss out on future updates to this list. Ultimately making us less secure. Great.
 

york2600

Cancelled
Jul 24, 2002
274
288
Portland, OR
It's really annoying to have it blocked when you use Citrix load balancers. The entire UI for the load balancers is one giant (and awful) applet. Without it I can't really do my job.

I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.
 

Tech198

Cancelled
Mar 21, 2011
15,915
2,151
wow... twice in one month....

(What are the odds of that happening)

If Apple is constantly blocking the web plugin as quickly as Oracle patches it, then something is seriously wrong.

Maybe it's time for Oracle to do better in this department. I always thought Adobe was number 1 on the list here.....

Obviously I was wrong, but it's probably a close 2nd.

Like our government, Apple feels that it's their job to protect us from ourselves. It's unfortunately needed in too many cases.

Thanks, but no thanks. I don't need help .... I protect my own stuff.. Java is disabled on my machine anyway, and I only use it when needed, then disable it afterwards.

Unfortunately, I feel for those that must use it..
 