Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

Discussion in ' News Discussion' started by MacRumors, Jan 11, 2013.

  1. macrumors bot



    As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.
    Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

    Apple's updated plug-in blacklist requiring an unreleased version of Java 7
    Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

    It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

    There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

    Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but at least some versions of Java 4 through 7.

    Article Link: Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat
  2. needfx, Jan 11, 2013
    Last edited: Jan 11, 2013

    macrumors demi-god


    bad java. baaaad java
  3. macrumors 6502a

    Weird. I started getting DNS about 30 minutes ago lol. Was bugging me. Now I know why
  4. xionxiox, Jan 11, 2013
    Last edited: Jan 11, 2013

    macrumors regular


    Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
  5. macrumors demi-god


    This only affects the Java plug-in, right? That being blocked I can deal with. If the entire JDK/JRE is blocked, that is more problematic.
  6. macrumors member

    Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

    I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
  7. macrumors demi-god


    The Xprotect background silent update feature was added to OS X back in Lion 10.7.3. It got extended in Mountain Lion to cover some other things, too - but even I do not know what all those are.
  8. macrumors Pentium


    #8 = Browser plug-in.

    Apple has not blocked Java 7 on OS X.

    Please correct the headline ASAP before this thread becomes a major flamewar.
  9. Administrator/Editor


    Staff Member

    OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.

    You are of course correct, and I've updated accordingly to make things more clear.
  10. macrumors newbie

    apple should provide option to switch to java 6

    apple should provide an easy option to switch back to java 6
  11. macrumors 65816

    Agreed, headline makes it sounds like Java as a platform has been blocked on the Mac OS X System rather than just the browser plugin.
  12. Administrator

    Doctor Q

    Staff Member

    Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
  13. macrumors 6502

    This is strange because Ellison and Jobs were supposedly good friends.


    Of course, unpatched security flaws from the previous release went a lot longer before they were fixed, so
  14. macrumors 68030


  15. macrumors G4

    Rodimus Prime

    well to be fair it was a good trade off as Apple was piss poor on it and tend to lag months behind Java and left holes open for a lot longer. I expect a patch will be out pretty soon from Oracle to fix it.
  16. macrumors 601


    With every passing week my life becomes more difficult.:mad:
  17. macrumors 6502

    Sadly, Java runtime for Windows is not much better...

    Perhaps, Oracle just hates the world?
  18. macrumors 601


    All Oracle versions have been insecure. I'd rather have stability and security over latest and certainly not greatest. Lot's of stuff won't even run on 7 plug.
  19. macrumors newbie

    I thought I read that previous versions of Java had the same vulnerability. Or maybe I'm thinking of the Ruby on Rails exploit. Hard to keep track nowadays.
  20. macrumors 6502

    Or perhaps Java just plain sucks.
  21. macrumors 65816


    "Keep your grubby hands off my iMac Apple!"

  22. macrumors Pentium


    Phew, thanks for the prompt response. ;) 600 post thread crisis about how "Java sucks! Nyuh it doesn't! Yes it does! You're confusing the runtime with the plugin" adverted.
  23. macrumors 603


    Tell us why 'Java Sucks'?

  24. macrumors Pentium


    Java 7 is not released by Apple, it is a direct download from Oracle. Apple has stopped all development and distribution of their own Java runtime and plug-in with version 6.
  25. krravi, Jan 11, 2013
    Last edited: Jan 11, 2013

    macrumors 65816

    As a middleware and server platform Java is great. But when it comes to front end, it sucks like a tornado. Their widgets and the slow response times are horrible. Java was trying to be a "all in one" solution but it never got accepted.

    I know the Mars rover interface is Java. But NASA engineers could have chosen the easy way out, you know run it on Linux and throw Java on top of it. Easy out of the box solution. I believe Android is based on such a platform, but I am not sure. No wonder it's so glitchy and jerky.

Share This Page