Old Jan 31, 2013, 09:37 AM   #26
Bubba Satori
macrumors 68040
 
 
Join Date: Feb 2008
Location: B'ham
Quote:
Originally Posted by carl0sian View Post
And the anti Apple comments will begin right about now...
But not before the Pavlovian faithful start chanting their pre-emptive counter spells.

Maybe you want to help this person out, now that you've done your duty.

Quote:
Originally Posted by jwkay View Post
Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!
Bubba Satori is offline   4 Reply With Quote
Old Jan 31, 2013, 09:37 AM   #27
LlamaLarry
macrumors member
 
Join Date: Oct 2008
Location: Northern VA
Quote:
Originally Posted by Steve121178 View Post
Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.
The downside being relative platform insecurity.
__________________
Early 2011 17" MBP - Early 2011 13" MBP - Mid 2011 11" MBA - 2 x 2009 MB - iPhone --> iPhone 5; iPad, iPad v2
LlamaLarry is offline   0 Reply With Quote
Old Jan 31, 2013, 09:41 AM   #28
sonynair
macrumors newbie
 
Join Date: Jun 2012
They are also blocking Apple Java 1.6! Don't know where XProtect.meta.plist screenshot is from, but that is not what Apple pushed out this morning.

Here's what it really is!

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_37-b06-435</string>
	<key>LastModification</key>
	<string>Thu, 31 Jan 2013 04:41:14 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.3.300.271</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.11.22</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>2028</integer>
</dict>
</plist>
To re-enable Apple Java 1.6:

Code:
sudo /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
or

Code:
sudo defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist JavaWebComponentVersionMinimum \"1.6.0_37-b06-434\"
To re-enable Oracle Java 1.7u11 edit the "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist" using vi in Terminal and change:

Code:
<string>1.7.11.22</string>
to:
Code:
<string>1.7.11.19</string>
I posted the block on Twitter when I noticed it this morning.
https://twitter.com/sonynair/status/296935103383347201

Hope that helps someone!
sonynair is offline   7 Reply With Quote
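An added example, not part of sonynair's post and not Apple's code: a fleet check that parses the XProtect.meta.plist quoted above (condensed, `LastModification` omitted), reports which installed plug-ins fall below its minimums, and flags a local copy whose minimums were deleted or lowered by the workarounds. The component-wise version comparison, the `JavaWebComponent` label and the installed versions are assumptions made for illustration.

```python
import plistlib
import re

# Plist content as quoted in the post above (Version 2028), condensed.
SHIPPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>JavaWebComponentVersionMinimum</key><string>1.6.0_37-b06-435</string>
  <key>PlugInBlacklist</key><dict><key>10</key><dict>
    <key>com.macromedia.Flash Player.plugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>11.3.300.271</string></dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>1.7.11.22</string></dict>
  </dict></dict>
  <key>Version</key><integer>2028</integer>
</dict></plist>"""

def vkey(v):
    """Numeric components: '1.6.0_37-b06-435' -> (1, 6, 0, 37, 6, 435). Assumed ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def minimums(meta):
    """Flatten the plist into {identifier: minimum version string}."""
    mins = {}
    if "JavaWebComponentVersionMinimum" in meta:
        mins["JavaWebComponent"] = meta["JavaWebComponentVersionMinimum"]  # hypothetical label
    for per_os in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in per_os.items():
            mins[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return mins

def blocked(meta, installed):
    """Identifiers whose installed version is below the configured minimum."""
    mins = minimums(meta)
    return sorted(i for i, v in installed.items() if i in mins and vkey(v) < vkey(mins[i]))

def weakened(shipped, local):
    """Minimums the local file has removed or lowered relative to the shipped one."""
    base, cur = minimums(shipped), minimums(local)
    return sorted(i for i, v in base.items() if i not in cur or vkey(cur[i]) < vkey(v))

shipped = plistlib.loads(SHIPPED)

# Constructed inventory of one Mac; the versions are sample values.
INSTALLED = {"JavaWebComponent": "1.6.0_37-b06-434",
             "com.oracle.java.JavaAppletPlugin": "1.7.11.21",
             "com.macromedia.Flash Player.plugin": "11.5.502.146"}

# Local copy after both workarounds from the post: key deleted, Oracle minimum lowered.
local = plistlib.loads(SHIPPED)
del local["JavaWebComponentVersionMinimum"]
oracle_rule = local["PlugInBlacklist"]["10"]["com.oracle.java.JavaAppletPlugin"]
oracle_rule["MinimumPlugInBundleVersion"] = "1.7.11.19"

print("blocked by shipped file:", blocked(shipped, INSTALLED))
print("blocked by edited file: ", blocked(local, INSTALLED))
print("weakened minimums:      ", weakened(shipped, local))
```

Running `weakened()` against a known-good copy of the file shows which machines have had the block lifted and are again exposing the plug-in versions the update was meant to stop.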
Old Jan 31, 2013, 09:45 AM   #29
jwkay
macrumors member
 
Join Date: Sep 2004
Location: Bergen, Norway
Quote:
Originally Posted by sectime View Post
What could the risk be using Java to access your bank account?
Java is just one tiny part of the BankID security system. I wish they'd ditch it, but that's not going to happen quickly. The layers of security beyond Java aren't threatened by the Java holes, apparently, and they claim there's no threat from Java in the way it's implemented into a bigger solution. I don't know the technicalities, just that for better or worse, we need it.
jwkay is offline   0 Reply With Quote
Old Jan 31, 2013, 09:45 AM   #30
AppleScruff1
macrumors 603
 
 
Join Date: Feb 2011
Flash, Java, what's next? Internet access to Apple approved sites only?
AppleScruff1 is offline   9 Reply With Quote
Old Jan 31, 2013, 09:54 AM   #31
gazonk
macrumors newbie
 
Join Date: Jan 2009
Quote:
Originally Posted by AndyUnderscoreR View Post
Do you have even the tiniest shred of evidence that the current vulnerability is being exploited in the wild, by reputable sites, with a payload that isn't aimed purely at windows machines?
The current vulnerability is probably not very different from the previous, so it can be just a question of hours before it suddenly appears in ads on "reputable sites" like it did with the previous version.

However, your point about Windows machines is good. I haven't heard of any actual attacks on OS X in the wild yet - anyone?

----------

Quote:
Originally Posted by jwkay View Post
Java is just one tiny part of the BankID security system. I wish they'd ditch it, but that's not going to happen quickly. The layers of security beyond Java aren't threatened by the Java holes, apparently, and they claim there's no threat from Java in the way it's implemented into a bigger solution. I don't know the technicalities, just that for better or worse, we need it.
The silly PHBs of BankId completely miss the point! It's not about BankID security, it's about forcing all computer users in an entire nation to leave Java enabled in their browsers and thus making their computers far more vulnerable than they would have been if those PHBs hadn't insisted on implementing an applet where none is needed
gazonk is offline   4 Reply With Quote
Old Jan 31, 2013, 10:00 AM   #32
edvj
macrumors newbie
 
Join Date: Aug 2011
Location: Fredensborg
Quote:
Originally Posted by jwkay View Post
Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!
We have the same problem in Denmark, ours is called NemID. Pretty much everything is based on NemID when you need to get in contact with local authorities, banking services, etc.
About NemID
edvj is offline   1 Reply With Quote
Old Jan 31, 2013, 10:00 AM   #33
gazonk
macrumors newbie
 
Join Date: Jan 2009
Quote:
Originally Posted by gazonk View Post

The silly PHBs of BankId completely miss the point! It's not about BankID security, it's about forcing all computer users in an entire nation to leave Java enabled in their browsers and thus making their computers far more vulnerable than they would have been if those PHBs hadn't insisted on implementing an applet where none is needed
Btw: Important hint to Norwegian users: Many banks (at least this applies to giant DnB) will deactivate your BankID if you ask them to. Their web apps will then run much faster and smoother since you don't have to load that silly applet
gazonk is offline   1 Reply With Quote
Old Jan 31, 2013, 10:03 AM   #34
DaveTheRave
macrumors 6502
 
Join Date: May 2003
Quote:
Originally Posted by NYmacAttack View Post
Also would like to know. Tried Firefox with no success.
I downloaded the current version and installed several times but that didn't work. Finally closed all browsers before installing again and took a look at Firefox's Tools/Add-ons menu to make sure Java is still enabled. Then I tried the work site I need to use and this time it finally worked (also saw a Firefox warning asking me if I wanted to enable Java, although I thought it already was enabled). Strange. Anyway it finally worked.

Totally agree with some of the comments here. Totally irresponsible for Apple to block this critical function without commenting on it or advising on a workaround, override, etc. I need Java so I can work at home and access my work PC (I work for a large bank). This is the only way I can work remotely.
DaveTheRave is offline   2 Reply With Quote
Old Jan 31, 2013, 10:05 AM   #35
doelcm82
macrumors 6502a
 
Join Date: Feb 2012
Location: Texas, USA
Quote:
Originally Posted by RMo View Post
Do you really do most of the work on your computer with Java plug-in applets? My understanding is that, like last time, regular desktop applications (JARs, including those launched as part of a packaged APP bundle) will work fine.
Yes. Yes I do.

Next question?
doelcm82 is offline   3 Reply With Quote
Old Jan 31, 2013, 10:06 AM   #36
JetLaw
macrumors newbie
 
Join Date: Jan 2009
Quote:
Originally Posted by Rocketman View Post
Java on 10.6 and before stopped working entirely. I have a standalone Java app I use on 10.4.11 and one day it just up and stopped working. Java says Apple is responsible for updating and of course Apple has not updated it either. This is a black hole because something that worked and was trusted by being rare and obscure, no longer works and I had no choice to "opt out."

Unless someone here has a suggestion.

Rocketman
...Except that a standalone Java app would not be affected in any way whatsoever by disabling the Java web plugin.
JetLaw is offline   1 Reply With Quote
Old Jan 31, 2013, 10:07 AM   #37
AppleInTheMud
macrumors regular
 
Join Date: Jun 2012
Location: Vojens Denmark
SOOOO IRRITATING APPLE YOU ****

Thank god I also have Windows on my iMac
AppleInTheMud is offline   0 Reply With Quote
Old Jan 31, 2013, 10:08 AM   #38
koban4max
macrumors 65816
 
Join Date: Aug 2011
Quote:
Originally Posted by Steve121178 View Post
I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.
As much as I hate Apple doing this... you need to move to PC if that's the case.
koban4max is offline   0 Reply With Quote
Old Jan 31, 2013, 10:10 AM   #39
pmz
Banned
 
Join Date: Nov 2009
Location: NJ
Difference between Java plug-in and Java run-time environment on the Mac.

They are not the same thing.

Java plugins in Safari: blocked.
Photoshop CS3: still works fine

Wake me up when Apple starts blocking up-to-date Flash.
pmz is offline   1 Reply With Quote
Old Jan 31, 2013, 10:11 AM   #40
Bubba Satori
macrumors 68040
 
 
Join Date: Feb 2008
Location: B'ham
Quote:
Originally Posted by AppleScruff1 View Post
Flash, Java, what's next? Internet access to Apple approved sites only?


Just got a warning notification from a mod.

What could that be about?

If I suddenly disap
Bubba Satori is offline   1 Reply With Quote
Old Jan 31, 2013, 10:11 AM   #41
pmz
Banned
 
Join Date: Nov 2009
Location: NJ
Quote:
Originally Posted by Steve121178 View Post
I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.
Oh yeah it's really "professional" to leave your users vulnerable to crippling attack, privacy invasion, etc. etc.

THAT is the Microsoft definition of "professionalism". The moment you turn it on, you're at risk of losing everything.
pmz is offline   5 Reply With Quote
Old Jan 31, 2013, 10:11 AM   #42
tigres
macrumors 68040
 
 
Join Date: Aug 2007
Location: Land of the Free-Waiting for Term Limits
Quote:
Originally Posted by jonatron View Post
Classic if it doesn't affect me it's not important.

This has stopped my company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.
Could not agree more.
I was just on my 401k website attempting to make changes.
Now I know why I could not do it.

I see a lot of java required sites in my business of finance; I guess we are the only ones who use it heavily?

Whatever the reason, it is making my life difficult.
__________________
Quicker than two shakes of a lambs tail
tigres is offline   2 Reply With Quote
Old Jan 31, 2013, 10:15 AM   #43
guzhogi
macrumors 68020
 
 
Join Date: Aug 2003
Location: Wherever my feet take me…
This is a real pain. I work for a school district and the software we use for the online gradebook uses Java. So now teachers can't update their grades. Plus, it's not that easy just to switch software platforms.

I understand Apple wanting to keep its platform secure and not degrade its good name, but users & companies really need the option to easily override these blocks.
guzhogi is offline   3 Reply With Quote
Old Jan 31, 2013, 10:16 AM   #44
markcres
macrumors regular
 
Join Date: Mar 2006
Location: Southport, UK
= Troll
markcres is offline   1 Reply With Quote
Old Jan 31, 2013, 10:19 AM   #45
supham
macrumors newbie
 
Join Date: Mar 2010
What a pain in the ass. Who cares that we use ADP for our time off / scheduling....
supham is offline   0 Reply With Quote
Old Jan 31, 2013, 10:19 AM   #46
unplugme71
macrumors 65816
 
Join Date: May 2011
Why can't Apple just pop up a dialogue window that says Java may have security issues instead of disabling it?
unplugme71 is offline   3 Reply With Quote
Old Jan 31, 2013, 10:20 AM   #47
Ralf The Dog
macrumors regular
 
Join Date: May 2008
Now, we are having trouble processing checks. If this keeps up, we will be forced to send someone to the bank with a stack of checks in a bag.

Welcome back to the 20th Century.
Ralf The Dog is offline   1 Reply With Quote
Old Jan 31, 2013, 10:21 AM   #48
randallking
macrumors newbie
 
Join Date: Sep 2009
The article by MacRumors states that it's unknown why Apple took this step. I received an email advisory from MS-ISAC on January 28th which spoke of a new vulnerability. I am pasting it below.

--

MS-ISAC ADVISORY NUMBER:
2013-008 - UPDATED

DATE(S) ISSUED:
01/28/2013

SUBJECT:
Security Bypass Vulnerability in Oracle Java Runtime Environment Could Allow Remote Code Execution

OVERVIEW:
A vulnerability has been discovered in Oracle Java Runtime Environment (JRE) that can lead to remote code execution. The Java Runtime Environment is used to enhance the user experience when visiting websites and is installed on most desktops and servers. This vulnerability may be exploited if a user visits or is redirected to a specifically crafted web page. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the JRE application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely result in denial-of-service conditions.

SYSTEM AFFECTED:
Oracle JRE 1.7.0 Update 10, prior versions may also be affected.

UPDATED SYSTEM AFFECTED:
Oracle JRE 1.7.0 Update 11, prior versions may also be affected.

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
A vulnerability has been discovered in Oracle Java Runtime Environment that can lead to remote code execution. In order to exploit this vulnerability, an attacker must first create a web page with a specially crafted applet designed to leverage this issue. When the web page is visited, the attacker supplied code is run in the context of the affected application.

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the JRE application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely result in denial-of-service conditions.

Please note that there is no patch available from Oracle to mitigate this vulnerability at this time and this vulnerability is being sold in the underground markets.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply the patch from Oracle, after appropriate testing, as soon as one becomes available.
Consider disabling Java completely on all systems until a patch is available.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

REFERENCES:

Security Focus:
http://www.securityfocus.com/bid/57563

Full Disclosure:
http://seclists.org/fulldisclosure/2013/Jan/241

Multi-State Information Sharing and Analysis Center
31 Tech Valley Drive, Suite 2
East Greenbush, NY 12061
(518) 266-3460
1-866-787-4722
soc@msisac.org
randallking is offline   5 Reply With Quote
Old Jan 31, 2013, 10:21 AM   #49
dexx0008
macrumors member
 
Join Date: Sep 2007
Quote:
Originally Posted by Tiger8 View Post
Oracle bought all those companies and products that they have absolutely no clue how to support or further develop.

I do work in two used-to-be-great enterprise software packages, both went downhill since the original company was bought by Oracle.
this.
dexx0008 is offline   2 Reply With Quote
Old Jan 31, 2013, 10:22 AM   #50
derbladerunner
macrumors regular
 
Join Date: Sep 2005
This is unacceptable silent communication or rather lack of communication.

There should at least be visible hints/error messages and there should be a way to manually override this for experienced users.

Many online brokers use Java and WebStart. There are people trading with lots of $ who couldn't start their broker applications today.

There was no way to find this error easily unless you go into the console, this is complete mis-communication on Apple's part.
derbladerunner is offline   2 Reply With Quote
