Old Jan 11, 2013, 12:34 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat




As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to the threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.
Quote:
Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."
Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

Apple's updated plug-in blacklist requiring an unreleased version of Java 7
Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected by this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but at least some versions of Java 4 through 7.

Article Link: Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat
MacRumors is offline   2 Reply With Quote
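The minimum-version gate described in the article above, as an added example that is not part of the original post and is not Apple's code. The sample plist is constructed, and its key names and layout are assumptions for illustration; only the bundle identifier and the two version strings come from the thread.

```python
import plistlib
import re

# Constructed sample: a minimal plug-in blacklist in the spirit of the one the
# article describes. Key names and layout are assumptions, not Apple's file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <dict>
      <key>MinimumPlugInBundleVersion</key>
      <string>1.7.0_10-b19</string>
    </dict>
  </dict>
</dict>
</plist>
"""

def parse_java_version(text):
    """Turn '1.7.0_10-b18' into a comparable tuple (1, 7, 0, 10, 18)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised Java version: {text!r}")
    # Missing update/build fields count as 0 so short versions still compare.
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def plugin_blocked(plist_bytes, bundle_id, installed_version):
    """Return (blocked, minimum). A bundle with no entry is never blocked."""
    rules = plistlib.loads(plist_bytes).get("PlugInBlacklist", {})
    entry = rules.get(bundle_id)
    if entry is None:
        return False, None
    minimum = entry["MinimumPlugInBundleVersion"]
    # Compare numerically: as plain strings, '1.7.0_9' would sort above '1.7.0_10'.
    blocked = parse_java_version(installed_version) < parse_java_version(minimum)
    return blocked, minimum

if __name__ == "__main__":
    for version in ("1.7.0_10-b18", "1.7.0_10-b19", "1.7.0_9-b05"):
        blocked, minimum = plugin_blocked(
            SAMPLE_PLIST, "com.oracle.java.JavaAppletPlugin", version)
        print(f"{version}: {'BLOCKED' if blocked else 'allowed'} (minimum {minimum})")
```

Because the required minimum is one build above the only public release, every installed copy fails the comparison, which is how a version floor doubles as a kill switch until a fixed build ships.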
Old Jan 11, 2013, 12:35 PM   #2
needfx
macrumors 68020
 
Join Date: Aug 2010
Location: macrumors apparently
bad java. baaaad java
__________________
flickr, amphipolis

Last edited by needfx; Jan 11, 2013 at 04:49 PM. Reason: change of heart
needfx is offline   5 Reply With Quote
Old Jan 11, 2013, 12:38 PM   #3
gigapocket1
macrumors 6502a
 
Join Date: Mar 2009
Weird. I started getting DNS about 30 minutes ago lol. Was bugging me. Now I know why
gigapocket1 is offline   0 Reply With Quote
Old Jan 11, 2013, 12:40 PM   #4
xionxiox
macrumors regular
 
Join Date: Jul 2010
Location: Hell
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
__________________
I am an Apple Lover & I require cookies.
Blue iPod Shuffle 2012, iPhone 5 (White), Macbook Unibody (Pre-Pro), On my 6th Magsafe charging cord.

Last edited by xionxiox; Jan 11, 2013 at 12:45 PM.
xionxiox is offline   19 Reply With Quote
Old Jan 11, 2013, 12:41 PM   #5
wrldwzrd89
macrumors G4
 
Join Date: Jun 2003
Location: Solon, OH
This only affects the Java plug-in, right? That being blocked I can deal with. If the entire JDK/JRE is blocked, that is more problematic.
__________________
iMac Intel (Rev H, 27"), 1TB HDD, 16GB RAM, 10.8.4
wrldwzrd89 is offline   4 Reply With Quote
Old Jan 11, 2013, 12:41 PM   #6
mreed911
macrumors member
 
Join Date: Mar 2008
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
mreed911 is offline   14 Reply With Quote
Old Jan 11, 2013, 12:43 PM   #7
wrldwzrd89
macrumors G4
 
Join Date: Jun 2003
Location: Solon, OH
Quote:
Originally Posted by mreed911 View Post
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.
The Xprotect background silent update feature was added to OS X back in Lion 10.7.3. It got extended in Mountain Lion to cover some other things, too - but even I do not know what all those are.
__________________
iMac Intel (Rev H, 27"), 1TB HDD, 16GB RAM, 10.8.4
wrldwzrd89 is offline   4 Reply With Quote
Old Jan 11, 2013, 12:44 PM   #8
KnightWRX
macrumors Pentium
 
Join Date: Jan 2009
Location: Quebec, Canada
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
__________________
"What you leave behind is not what is engraved in stone monuments, but what is woven into the lives of others."
-- Pericles
KnightWRX is offline   23 Reply With Quote
Old Jan 11, 2013, 12:45 PM   #9
WildCowboy
Administrator/Editor
 
Join Date: Jan 2005
Quote:
Originally Posted by mreed911 View Post
I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.
OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.


Quote:
Originally Posted by KnightWRX View Post
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
You are of course correct, and I've updated accordingly to make things more clear.
__________________
Editor in Chief, MacRumors
WildCowboy is offline   8 Reply With Quote
Old Jan 11, 2013, 12:45 PM   #10
ajovanov
macrumors newbie
 
Join Date: Jan 2013
Apple should provide option to switch to Java 6

Apple should provide an easy option to switch back to Java 6
ajovanov is offline   0 Reply With Quote
Old Jan 11, 2013, 12:46 PM   #11
Diseal3
macrumors 65816
 
Join Date: Jun 2008
Quote:
Originally Posted by KnightWRX View Post
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
Agreed, headline makes it sound like Java as a platform has been blocked on the Mac OS X System rather than just the browser plugin.
Diseal3 is offline   2 Reply With Quote
Old Jan 11, 2013, 12:46 PM   #12
Doctor Q
Administrator
 
Join Date: Sep 2002
Location: Los Angeles
Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
__________________
Oh do pay attention 007. In the wrong hands, this cylindrical 12-core Mac Pro with three 4K displays, FirePro graphics, and Thunderbolt 2 could be very dangerous.
Doctor Q is offline   3 Reply With Quote
Old Jan 11, 2013, 12:48 PM   #13
camnchar
macrumors 6502
 
Join Date: Jan 2006
Location: SLC, Utah
Quote:
Originally Posted by xionxiox View Post
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
This is strange because Ellison and Jobs were supposedly good friends.

----------

Quote:
Originally Posted by Doctor Q View Post
Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
Of course, unpatched security flaws from the previous release went a lot longer before they were fixed, so
__________________
Apple //c, 1 MHz, 128k RAM, 5.25" floppy drive, 1-button mouse
camnchar is offline   2 Reply With Quote
Old Jan 11, 2013, 12:48 PM   #14
macs4nw
macrumors 68020
 
Join Date: Sep 2010
Location: On Safari…..
Quote:
Originally Posted by MacRumors View Post
Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plugin on Macs where it is already installed.

Article Link: Apple Blocks Java 7 on OS X to Address Widespread Security Threat
Always glad to hear those magical 11 words!
macs4nw is online now   2 Reply With Quote
Old Jan 11, 2013, 12:49 PM   #15
Rodimus Prime
Banned
 
Join Date: Oct 2006
Quote:
Originally Posted by Doctor Q View Post
Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
Well, to be fair, it was a good trade-off, as Apple was piss poor on it and tended to lag months behind Java and left holes open for a lot longer. I expect a patch will be out pretty soon from Oracle to fix it.
Rodimus Prime is offline   1 Reply With Quote
Old Jan 11, 2013, 12:49 PM   #16
derbothaus
macrumors 601
 
Join Date: Jul 2010
With every passing week my life becomes more difficult.
__________________
Mac Pro W3680, GTX 680, 12GB DDR3, SSD; MBP, 2.6GHz Core i7, 16GB DDR3, SSD; Eizo fs2333
derbothaus is offline   2 Reply With Quote
Old Jan 11, 2013, 12:50 PM   #17
Yujenisis
macrumors 6502
 
Join Date: May 2002
Quote:
Originally Posted by xionxiox View Post
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
Sadly, Java runtime for Windows is not much better...

Perhaps, Oracle just hates the world?
Yujenisis is offline   0 Reply With Quote
Old Jan 11, 2013, 12:51 PM   #18
derbothaus
macrumors 601
 
Join Date: Jul 2010
Quote:
Originally Posted by Rodimus Prime View Post
Well, to be fair, it was a good trade-off, as Apple was piss poor on it and tended to lag months behind Java and left holes open for a lot longer. I expect a patch will be out pretty soon from Oracle to fix it.
All Oracle versions have been insecure. I'd rather have stability and security over latest and certainly not greatest. Lots of stuff won't even run on 7 plug.
__________________
Mac Pro W3680, GTX 680, 12GB DDR3, SSD; MBP, 2.6GHz Core i7, 16GB DDR3, SSD; Eizo fs2333
derbothaus is offline   1 Reply With Quote
Old Jan 11, 2013, 12:51 PM   #19
c.mac 3600
macrumors newbie
 
Join Date: May 2009
Quote:
Originally Posted by ajovanov View Post
Apple should provide an easy option to switch back to Java 6
I thought I read that previous versions of Java had the same vulnerability. Or maybe I'm thinking of the Ruby on Rails exploit. Hard to keep track nowadays.
c.mac 3600 is offline   0 Reply With Quote
Old Jan 11, 2013, 12:51 PM   #20
camnchar
macrumors 6502
 
Join Date: Jan 2006
Location: SLC, Utah
Quote:
Originally Posted by Yujenisis View Post
Sadly, Java runtime for Windows is not much better...

Perhaps, Oracle just hates the world?
Or perhaps Java just plain sucks.
__________________
Apple //c, 1 MHz, 128k RAM, 5.25" floppy drive, 1-button mouse
camnchar is offline   6 Reply With Quote
Old Jan 11, 2013, 12:54 PM   #21
Eduardo1971
macrumors 65816
 
Join Date: Jun 2006
Location: Lost Angeles, Ca. usa
"Keep your grubby hands off my iMac Apple!"


__________________
Mid-2011 27 inch, 3.4 Ghz, 12GB RAM, i7 iMac
Fight On!
Eduardo1971 is offline   3 Reply With Quote
Old Jan 11, 2013, 12:54 PM   #22
KnightWRX
macrumors Pentium
 
Join Date: Jan 2009
Location: Quebec, Canada
Quote:
Originally Posted by WildCowboy View Post
You are of course correct, and I've updated accordingly to make things more clear.
Phew, thanks for the prompt response. 600 post thread crisis about how "Java sucks! Nyuh it doesn't! Yes it does! You're confusing the runtime with the plugin" averted.
__________________
"What you leave behind is not what is engraved in stone monuments, but what is woven into the lives of others."
-- Pericles
KnightWRX is offline   2 Reply With Quote
Old Jan 11, 2013, 12:54 PM   #23
Stella
macrumors 603
 
Join Date: Apr 2003
Location: Canada
Quote:
Originally Posted by camnchar View Post
Or perhaps Java just plain sucks.
Tell us why 'Java Sucks'?

Thanks.
__________________
Hardware / Software: The right tools for the job - be it Apple or otherwise.
Stella is offline   2 Reply With Quote
Old Jan 11, 2013, 12:55 PM   #24
KnightWRX
macrumors Pentium
 
Join Date: Jan 2009
Location: Quebec, Canada
Quote:
Originally Posted by Doctor Q View Post
by the time we Mac users got a Java release from Apple.
Java 7 is not released by Apple, it is a direct download from Oracle. Apple has stopped all development and distribution of their own Java runtime and plug-in with version 6.
__________________
"What you leave behind is not what is engraved in stone monuments, but what is woven into the lives of others."
-- Pericles
KnightWRX is offline   2 Reply With Quote
Old Jan 11, 2013, 01:01 PM   #25
krravi
macrumors 65816
 
Join Date: Nov 2010
Quote:
Originally Posted by Stella View Post
Tell us why 'Java Sucks'?

Thanks.
As a middleware and server platform Java is great. But when it comes to front end, it sucks like a tornado. Their widgets and the slow response times are horrible. Java was trying to be an "all in one" solution but it never got accepted.

I know the Mars rover interface is Java. But NASA engineers could have chosen the easy way out, you know run it on Linux and throw Java on top of it. Easy out of the box solution. I believe Android is based on such a platform, but I am not sure. No wonder it's so glitchy and jerky.
__________________
Lots of Apple,Sony and other gadgets.

Last edited by krravi; Jan 11, 2013 at 01:12 PM.
krravi is offline   3 Reply With Quote

All times are GMT -5. The time now is 03:22 PM.