Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

[derbothaus]

Quote:

Originally Posted by Rodimus Prime

Apple versions were always worse and left holes open a lot longer. Normally MONTHS after Oracle patch them.
I am not talking about the latest and greatest. In terms of security Apple version lag way behind. If you want security and good security Apple is not your best choice.

I don't know about "always". I do know that this recent Apple/ Oracle hand shake leaves the most users shaking their heads and machines that have been updated unable to run what they need at work. Mainly because they are both involved in a more active way. Personally I'd rather be able to run stuff insecure than be left high and dry as some are now. Apple cut and ran and handed off to the parent company who is showing they are not up to the task yet. Apple should have left us at 6 with prefs and granularity. A full 7 upgrade then from Oracle with proper uninstallers should have happened.

[MCroft]

On my mac, this change is in XProtect.meta.plist, not XProtect.plist.

[KnightWRX]

Quote:

Originally Posted by krravi

Apple used to release that SDK like XCode for a while and have now stopped it. Wonder why....

It was because they didn't have to support and release software that belonged to Oracle. Same reason they used to release Flash and X11 themselves. The history of the practice dates back to the darker days of OS X market share, back when Apple didn't want vendors to ignore its platform in favor of Windows. Thus they supported, packaged and released many 3rd party components themselves.

Since OS X is now much better supported by vendors, Apple sees no advantage in releasing their own packages for the popular 3rd party software suites, letting these 3rd parties do the leg work themselves. This results in users getting more quicker updates (Apple was slow to update each and everyone of these components compared to the likes of Oracle/Sun, Adobe and the XQuartz project).

[krravi]

Quote:

Originally Posted by KnightWRX

Which widgets are you talking about ? AWT ? Swing ? The Cocoa Java Bridge bindings ? GTK+/QT bindings on Windows or Linux ?

As for slow response time, this has been a non-issue since Java 1.3 and the introduction of the HotSpot JVM as default.



How is that easier than using QT or GTK+ toolkits and other Linux native APIs/languages ? Heck, why not go for TCL/TK or simple Perl TK ?

The reason they chose Java is because as a language, Java was probably the best fit for the job they wanted to accomplish. There are plenty of features in both J2SE and J2EE which are very well implemented, robust and mature. Things you want for software that will be executing where no man can reach in case it fails.

Android is based on Davlik over a Linux kernel. Which part do you think makes it "glitchy" and "jerky" ?

And Eclipse is written in? Terrible response times! Almost puts you to sleep looking at the IDE.

There are plenty of features in both J2SE and J2EE which are very well implemented, robust and mature. Things you want for software that will be executing where no man can reach in case it fails.

That's exactly why it was an easy out of the box solution.

As I said I am not sure about the Android platform but I had a Motorola Droid the UI was terrible!

[Rodimus Prime]

Quote:

Originally Posted by derbothaus

I don't know about "always". I do know that this recent Apple/ Oracle hand shake leaves the most users shaking their heads and machines that have been updated unable to run what they need at work. Mainly because they are both involved in a more active way. Personally I'd rather be able to run stuff insecure than be left high and dry as some are now. Apple cut and ran and handed off to the parent company who is showing they are not up to the task yet. Apple should have left us at 6 with prefs and granularity. A full 7 upgrade then from Oracle with proper uninstallers should have happened.

Apple screwed over its users big time. It sounds like they decided to drop support and NOT tell Oracle about it until the last minute. Never mind the fact it takes a while for another company to spin up the needed resources. First you need to higher or transfer people over and then you have to deal with the learning curve and learning some of the ins and outs for the different platform.
Yet another Apple screwing over their user base.

[jk1002]

This was really a bright move.

Tons of companies are relying on Juniper VPN which use Java and just got disabled.

Rather then having a work loss caused by a potential virus attack Apple just did it themselves.

Congrats Braniacs.

[ibosie]

Quote:

Originally Posted by ajovanov

apple should provide an easy option to switch back to java 6

Not sure if this is what you're looking for.

http://support.apple.com/kb/HT5559?v...S&locale=en_US

[krravi]

Quote:

Originally Posted by KnightWRX

It was because they didn't have to support and release software that belonged to Oracle. Same reason they used to release Flash and X11 themselves. The history of the practice dates back to the darker days of OS X market share, back when Apple didn't want vendors to ignore its platform in favor of Windows. Thus they supported, packaged and released many 3rd party components themselves.

Since OS X is now much better supported by vendors, Apple sees no advantage in releasing their own packages for the popular 3rd party software suites, letting these 3rd parties do the leg work themselves. This results in users getting more quicker updates (Apple was slow to update each and everyone of these components compared to the likes of Oracle/Sun, Adobe and the XQuartz project).

Makes sense. But if that's the cast then why not rewrite the framework based on Mac OSX rather than Java? Mac has a rich development tool in Xcode for desktop or mobile but when it comes to the Web, people are scrambling for XAMP or LAMP or whatever they can get a hold of. Why the step child treatment for the Web? They made a fortune connecting devices using the web and selling products and services over the web!

[Arcsylver]

Just checked my safari settings on my rMBP and it had both Java and Javascript turned on!!

I run with Java disabled on all my macs and only have Javascript enabled ever since the last series of Java exploits made the rounds. WTF!!

So it seems that being connected to the internet is not a guarantee that you will get this update if the settings are effected at all.

Double check your settings to be safe.

FYI this was on Mountain Lion, my other MBP running Snow Leopard and my G4 iMac running Tiger were not showing Java enabled in Safari.

[IJ Reilly]

Everyone should open their Security System Preferences panel, open the lock, and uncheck, then re-check "Automatically update safe downloads list." This worked for me.

All of this geeky debate about the merits of Java is not useful to anyone who is actually trying to deal with this security threat. Reports that it was addressed automatically by Apple are not true. I can post my Terminal results if anyone disbelieves me. So if the tech-heads who are currently arguing about Java could instead address their comments to how the current problem can be solved, a real service could be provided.

[nagromme]

In other news, nagromme blocks Java 7... Java anything... everywhere, as always. Almost never useful in the browser.

I have similar fears about Flash, but I don't totally block it (ClickToFlash!) because it actually does some useful things for me.

[SockRolid]

I make sure the Java plugin is disabled on Safari. Have been doing so for at least a year now:

Safari Preferences -> Security tab -> un-check "Enable Java"

Just that simple. Very few sites I ever visit need Java anyway.

[bbeagle]

Quote:

Originally Posted by Rodimus Prime

Apple screwed over its users big time.

How so? Please stop your Apple bashing and enlighten us.

This is a Java bug that is also in WINDOWS and UNIX - wherever the java runtime is installed. It seems that you want to blame Apple for everything wrong in the world.

This is simply a 3rd party application that you must install yourself (it's not installed automatically). I guess Apple is now responsible if you install Google Chrome and that does something bad.

----------

Quote:

Originally Posted by Arcsylver

I run with Java disabled on all my macs and only have Javascript enabled ever since the last series of Java exploits made the rounds.

Javascript has nothing to do with Java, except the similarity in the name, just like Koala Bears have nothing to do with regular Bears.

[KnightWRX]

Quote:

Originally Posted by krravi

As I said I am not sure about the Android platform but I had a Motorola Droid the UI was terrible!

What version of Android ? Google started work on the hardware accelerated UI only in very recent releases in the 4.x branch and I think for some limited features in the 2.3 branch.

This has nothing to do with Davlik or the JIT compilation scheme.

[xgman]

I hate java anything now, but a lot of companies use it exclusively for certain things like programing TV remotes over computers etc. Makes it a pain to work around.

[KnightWRX]

Quote:

Originally Posted by bbeagle

How so? Please stop your Apple bashing and enlighten us.

This is a Java bug that is also in WINDOWS and UNIX - wherever the java runtime is installed. It seems that you want to blame Apple for everything wrong in the world.

This is simply a 3rd party application that you must install yourself (it's not installed automatically). I guess Apple is now responsible if you install Google Chrome and that does something bad.[COLOR="#808080"]

Relax. Rodimus was referring to when Apple was doing their own releases of 3rd party software packages including Java. It screwed with users as often Apple would be late compared to the original vendors in shipping new releases with security fixes and general bug fixes. So while Unix and Windows had fixes, OS X would be left vulnerable, sometimes for quite a few weeks.

This is also in part why Apple decided to drop its own packaging and support for 3rd party software like Java, X11 and Flash.

Rodimus is not talking about the current Java 7 bug. That is all on Oracle since they have been in charge of Java 7 on OS X since day 1.

[macidiot]

Quote:

Originally Posted by Rodimus Prime

Apple screwed over its users big time. It sounds like they decided to drop support and NOT tell Oracle about it until the last minute. Never mind the fact it takes a while for another company to spin up the needed resources. First you need to higher or transfer people over and then you have to deal with the learning curve and learning some of the ins and outs for the different platform.
Yet another Apple screwing over their user base.

Perhaps.

But the fact remains that Java support isn't that great, for Windows. These vulnerabilities exist on all platforms. And how long has Oracle had resources set up for Windows?

So while your argument makes sense, the fact that Oracle is poor in dealing with vulnerabilities on ALL platforms suggests it has nothing to do with a learning curve or dealing with a new platform.

FYI, this vulnerability is old, first reported last August. Oracle did release a patch fairly quickly. Unfortunately, it didn't actually fix the vulnerability. So, yeah.

This is hardly Apple's fault. This is hardly Apple screwing over the user base when the US government is recommending disabling Java. Blame Oracle for half-assed responses to real threats.

[bbeagle]

Quote:

Originally Posted by KnightWRX

Rodimus was referring to when Apple was doing their own releases of 3rd party software packages including Java......

Rodimus is not talking about the current Java 7 bug.

I don't see where he said that, or why he chose to bring up old history.

[macidiot]

Quote:

Originally Posted by jk1002

This was really a bright move.

Tons of companies are relying on Juniper VPN which use Java and just got disabled.

Rather then having a work loss caused by a potential virus attack Apple just did it themselves.

Congrats Braniacs.

And every one of those companies should be on the phone right now with Oracle screaming WTF is your malfunction in dealing with major vulnerabilities.

Because I'm sure those companies would just love to have all sorts of fun things like keyloggers installed on their client machines. You know, just so they can get their work done. :/

[rekhyt]

Quote:

Originally Posted by Wheelie4

Here you go.
How to re-enable the Apple-provided Java SE 6 applet plug-in and Web Start functionality

Useful for those who play Java-based games (They're quite rare now, aren't they?) in web browsers. (RuneScape, Minecraft, ...)

[bbeagle]

Quote:

Originally Posted by jk1002

This was really a bright move.

Tons of companies are relying on Juniper VPN which use Java and just got disabled.

Rather then having a work loss caused by a potential virus attack Apple just did it themselves.

Congrats Braniacs.

This is why most smart companies don't use the latest technology - they stay a version behind.

Smart companies that are still using Java 1.6 are not affected.

[Yujenisis]

Quote:

Originally Posted by camnchar

Or perhaps Java just plain sucks.

I'll take that as an alternate theory.

[hayesk]

Quote:

Originally Posted by krravi

BTW the whole object oriented web application framework was started by Apple called "WebObjects" (based on JAVA)before .NET or others came along.

FYI, WebObjects was first based in Objective-C. Apple switched it to Java to follow a trend.

[WildCowboy]

Quote:

Originally Posted by IJ Reilly

Actually, no. Researching this issue myself, I found these instructions for determining when my Plugin Black List was last updated:

http://osxdaily.com/2011/06/02/check...n-list-update/

Following these instructions, I came up with 12 Dec 2012. Following the instructions to force updating, it now results in 10 Jan 2013. I presume I will need to repeat this method of all of my Macs, since very clearly automatic is not the answer, at least not for everybody.

Your system simply hadn't gotten around to running its daily check yet. Prior to the change late yesterday that added Java to the blacklist, the last update to the file was indeed on December 12. Unless of course you manually turned off the daily checks.

[KnightWRX]

Quote:

Originally Posted by bbeagle

I don't see where he said that, or why he chose to bring up old history.

The sub-thread in which he responded should provide the appropriate context. You jumped into the middle of a conversation.