Old Jan 31, 2013, 08:48 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Once Again Blocks Java 7 Web Plug-in




Earlier this month, Apple took the unusual step of remotely blocking Oracle's Java 7 browser plug-in due to a major security vulnerability, using the "Xprotect" anti-malware system built into OS X to enforce a minimum version number that had yet to be released. Within days, Oracle updated Java to address the issue, with the new version number making the Java plug-in usable on OS X systems once more.

As noted by French site MacGeneration [Google translation] and the Apple discussion forums, Apple has once again blocked the Java 7 plug-in using Xprotect.

The updated blacklist enforces a minimum Java plug-in version of 1.7.0_11-b22, while the latest version of the plug-in is 1.7.0_11-b21.

The exact reason for Apple's renewed block on the Java plug-in is unknown, although reports immediately following the release of Update 11 earlier this month indicated that it fixed only one of the two bugs that contributed to the security vulnerability. In the wake of that news, cybersecurity officials recommended that most users disable Java even with the up-to-date plug-in installed.
Quote:
Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
If this continued issue is indeed the reason for the new block by Apple, it is unclear why the company waited several weeks to update its plug-in blacklist.

Article Link: Apple Once Again Blocks Java 7 Web Plug-in
MacRumors is offline   0 Reply With Quote
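The minimum-version rule described in the article above, as an added Python example (not Apple's Xprotect code and not part of the original post): it parses version strings of the form the article quotes and shows why 1.7.0_11-b21 falls below an enforced minimum of 1.7.0_11-b22. The function names and the sample strings other than the two quoted in the article are constructed for illustration.

```python
import re

# Matches Java version strings of the form quoted in the article,
# e.g. "1.7.0_11-b21": major.minor.patch, optional _update, optional -bBUILD.
_JAVA_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text):
    """Return (major, minor, patch, update, build) as integers."""
    match = _JAVA_VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    # Missing update/build fields count as 0 so tuples stay comparable.
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def is_blocked(installed, minimum):
    """True when the installed plug-in is older than the enforced minimum."""
    return parse_java_version(installed) < parse_java_version(minimum)


def audit(installed_versions, minimum):
    """Map each installed version string to 'blocked', 'allowed' or 'unknown'.

    Unparseable strings are reported as 'unknown' rather than silently allowed.
    """
    report = {}
    for version in installed_versions:
        try:
            report[version] = "blocked" if is_blocked(version, minimum) else "allowed"
        except ValueError:
            report[version] = "unknown"
    return report


if __name__ == "__main__":
    MINIMUM = "1.7.0_11-b22"  # minimum quoted in the article
    # Constructed inventory; only the first entry is a version named in the article.
    fleet = ["1.7.0_11-b21", "1.7.0_9-b05", "1.7.0_11-b22", "garbage"]
    for version, status in audit(fleet, MINIMUM).items():
        print(f"{version:>14}  {status}")
    # Plain string comparison misorders update 9 and update 11, which is
    # why the fields are compared numerically above.
    print("1.7.0_9-b05" > "1.7.0_11-b21")
```

Because the enforced minimum is one build above the newest released plug-in, every installed Java 7 plug-in compares as older and is blocked until a higher version ships.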
Old Jan 31, 2013, 08:50 AM   #2
FakeWozniak
macrumors 6502
 
Join Date: Nov 2007
It would be nice to know WHY stuff stops working.

Does anyone know how to see what is added regularly from Apple? I don't really feel like monitoring the blacklist file. I suppose the people who write the malware do though :-(

I use a Java based 'meeting' program from work and I don't know if it is the program or Java or the network...

Anyone know if Flash is in blacklist file? :-)
FakeWozniak is offline   2 Reply With Quote
Old Jan 31, 2013, 08:51 AM   #3
notjustjay
macrumors 603
 
Join Date: Sep 2003
Location: Canada, eh?
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

Edit: OK, before you hit "reply" and rip into me saying "well, I'm glad that works for YOU, but what about...", please note that I've acknowledged this further in the thread, and I'm sorry if your business/bank/whatever forces you to use Java applets in your browser.
__________________
.

Last edited by notjustjay; Jan 31, 2013 at 04:06 PM.
notjustjay is offline   5 Reply With Quote
Old Jan 31, 2013, 08:54 AM   #4
Tiger8
macrumors 68000
 
Join Date: May 2011
Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.
Tiger8 is offline   4 Reply With Quote
Old Jan 31, 2013, 08:55 AM   #5
ConCat
Banned
 
Join Date: Jul 2012
Location: In an ethereal plane of existence.
Quote:
Originally Posted by notjustjay View Post
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.
Some people actually need it in certain business environments. Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves. How hard would it be to push the update to computers after Oracle updates Java with the security patch, not before?
ConCat is offline   12 Reply With Quote
Old Jan 31, 2013, 08:55 AM   #6
iphone495
macrumors member
 
Join Date: Sep 2012
The bad news never stops with Java. Not that I would use it anyways.
iphone495 is offline   2 Reply With Quote
Old Jan 31, 2013, 09:00 AM   #7
Rocketman
macrumors 603
 
Join Date: Dec 2001
Location: Claremont, CA
Java on 10.6 and before stopped working entirely. I have a standalone Java app I use on 10.4.11 and one day it just up and stopped working. Java says Apple is responsible for updating and of course Apple has not updated it either. This is a black hole because something that worked and was trusted by being rare and obscure, no longer works and I had no choice to "opt out."

Unless someone here has a suggestion.

Rocketman
__________________
Think Different-ly!
All 357 R or D House jobs bills over 4 years died in the D Senate, ordered by the D President. Buy a model rocket here: http://v-serv.com/usr/instaship-visual.htm Thanks.
Rocketman is offline   1 Reply With Quote
Old Jan 31, 2013, 09:01 AM   #8
AppleGuesser
macrumors regular
 
Join Date: May 2012
Location: Athens, GA
Again?? Well....this is inconvenient....
__________________
Writer for
www.guessingtheapple.com
AppleGuesser is offline   1 Reply With Quote
Old Jan 31, 2013, 09:02 AM   #9
vmachiel
macrumors 65816
 
Join Date: Feb 2011
Location: Holland
I only use Java for Minecraft. I've never used the browser plugin, I've had it disabled for about a year now.
__________________
2010 MBP, 2.4 GHz i5, 8 GB RAM, 240 GB SSD; 32GB Silver iPhone 5S; 32 GB Wifi iPad (3rd gen)
vmachiel is offline   0 Reply With Quote
Old Jan 31, 2013, 09:03 AM   #10
BornAgainMac
macrumors 601
 
Join Date: Feb 2004
Location: Florida Resident
Java makes more sense on the server application and not as a client. I have had nothing but problems with Java applications after Java 7 came out. I even have applications that are not supported with later updates of Java 6 that are lower than other applications that need a higher update level.
BornAgainMac is offline   1 Reply With Quote
Old Jan 31, 2013, 09:11 AM   #11
carl0sian
macrumors regular
 
Join Date: Oct 2011
And the anti Apple comments will begin right about now...
carl0sian is offline   3 Reply With Quote
Old Jan 31, 2013, 09:20 AM   #12
AndyUnderscoreR
macrumors regular
 
Join Date: Jul 2008
How do I turn it back on?

(oh, and spare me the preaching, I'm aware of the tiny theoretical risk involved, and it's massively outweighed by 100% chance of me not being able to use my computer to do most of the things I want to do today)

I would have thought Apple would have learned from iOS Maps, iOS Youtube and iTunes 11 not to break stuff that was working until they had a replacement that was usable?
AndyUnderscoreR is offline   5 Reply With Quote
Old Jan 31, 2013, 09:22 AM   #13
DaveTheRave
macrumors 6502
 
Join Date: May 2003
I urgently need it now so I got it to work using Firefox. Couldn't figure out a way to do it with Safari.
DaveTheRave is offline   0 Reply With Quote
Old Jan 31, 2013, 09:23 AM   #14
jonatron
macrumors member
 
Join Date: Jun 2007
Location: Leeds, UK
Quote:
Originally Posted by notjustjay View Post
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.
Classic if it doesn't affect me it's not important.

This has stopped my company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

Thanks for your really useful advice!

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.
jonatron is offline   15 Reply With Quote
Old Jan 31, 2013, 09:24 AM   #15
gazonk
macrumors newbie
 
Join Date: Jan 2009
Quote:
Originally Posted by AndyUnderscoreR View Post
(oh, and spare me the preaching, I'm aware of the tiny theoretical risk involved, and it's massively outweighed by 100% chance of me not being able to use my computer to do most of the things I want to do today)
Tiny theoretical risk? Yes, if you don't visit web pages at all.
gazonk is offline   1 Reply With Quote
Old Jan 31, 2013, 09:28 AM   #16
jwkay
macrumors member
 
Join Date: Sep 2004
Location: Bergen, Norway
Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!
jwkay is offline   8 Reply With Quote
Old Jan 31, 2013, 09:31 AM   #17
AndyUnderscoreR
macrumors regular
 
Join Date: Jul 2008
Quote:
Originally Posted by DaveTheRave View Post
I urgently need it now so I got it to work using Firefox...
How?
AndyUnderscoreR is offline   0 Reply With Quote
Old Jan 31, 2013, 09:31 AM   #18
LlamaLarry
macrumors member
 
Join Date: Oct 2008
Location: Northern VA
Pretty sure that if you just use any browser besides Safari you're good to go.

If your company really sat around twiddling their thumbs without trying another browser then you're likely exactly who Apple disallowed the Safari plugin for.
__________________
Early 2011 17" MBP - Early 2011 13" MBP - Mid 2011 11" MBA - 2 x 2009 MB - iPhone --> iPhone 5; iPad, iPad v2
LlamaLarry is offline   4 Reply With Quote
Old Jan 31, 2013, 09:32 AM   #19
RMo
macrumors 6502a
 
Join Date: Aug 2007
Location: Iowa, USA
Quote:
Originally Posted by AndyUnderscoreR View Post
... it's massively outweighed by 100% chance of me not being able to use my computer to do most of the things I want to do today
Do you really do most of the work on your computer with Java plug-in applets? My understanding is that, like last time, regular desktop applications (JARs, including those launched as part of a packaged APP bundle) will work fine.
RMo is offline   1 Reply With Quote
Old Jan 31, 2013, 09:32 AM   #20
Steve121178
macrumors 68000
 
Join Date: Apr 2010
Location: Bedfordshire, UK
Quote:
Originally Posted by jonatron View Post
Classic if it doesn't affect me it's not important.

This has stopped my company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

Thanks for your really useful advice!

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.
I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.
__________________
13" rMBP Haswell i5/16GB/512GB (Late '13) 21.5" iMac i5/16GB/1TB Fusion (Late '12) iPhone 5s 32GB iPad rMini 32GB
Steve121178 is offline   3 Reply With Quote
Old Jan 31, 2013, 09:33 AM   #21
NYmacAttack
macrumors 6502
 
Join Date: Dec 2005
Location: NY
Quote:
Originally Posted by AndyUnderscoreR View Post
How?
Also would like to know. Tried Firefox with no success.
__________________
Black MB C2D 2.16
NYmacAttack is offline   0 Reply With Quote
Old Jan 31, 2013, 09:34 AM   #22
sectime
Banned
 
Join Date: Jul 2007
Quote:
Originally Posted by jwkay View Post
Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!
What could the risk be using Java to access your bank account?
sectime is offline   1 Reply With Quote
Old Jan 31, 2013, 09:34 AM   #23
yusukeaoki
macrumors 68030
 
Join Date: Mar 2011
Location: Tokyo, Japan
Already disabled Java days ago.
Never missed it and never will.
__________________
17" MacBook Pro (Early 2011), 2.2GHz i7-2720QM, 16GB RAM, 128GB SSD+1TB HDD@5400rpm
11" MacBook Air (Mid 2013), 1.7GHz i7-4650U, 8GB RAM, 512GB Flash
Sony Xperia Z1 (Purple) 32GB
yusukeaoki is offline   0 Reply With Quote
Old Jan 31, 2013, 09:35 AM   #24
jonatron
macrumors member
 
Join Date: Jun 2007
Location: Leeds, UK
Quote:
Originally Posted by LlamaLarry View Post
Pretty sure that if you just use any browser besides Safari you're good to go.

If your company really sat around twiddling their thumbs without trying another browser then you're likely exactly who Apple disallowed the Safari plugin for.
That's not true. If you use a Java Web Start application it won't launch. Even using Firefox.

You may be able to reconfigure the app somehow to not use Safari to launch. Should I really be expected to do that?
jonatron is offline   2 Reply With Quote
Old Jan 31, 2013, 09:36 AM   #25
AndyUnderscoreR
macrumors regular
 
Join Date: Jul 2008
Quote:
Originally Posted by gazonk View Post
Tiny theoretical risk? Yes, if you don't visit web pages at all.
Do you have even the tiniest shred of evidence that the current vulnerability is being exploited in the wild, by reputable sites, with a payload that isn't aimed purely at Windows machines?

If you do, let me know, and I'll be sure not to click the 'are you sure' dialogue box that I wouldn't click anyway.
AndyUnderscoreR is offline   0 Reply With Quote

All times are GMT -5. The time now is 11:28 PM.

Mac Rumors | Mac | iPhone | iPhone Game Reviews | iPhone Apps

Mobile Version | Fixed | Fluid | Fluid HD
Copyright 2002-2013, MacRumors.com, LLC