Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jan 11, 2013.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to the threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.
    Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

    Apple's updated plug-in blacklist requiring an unreleased version of Java 7
    Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

    It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected by this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

    There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

    Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but at least some versions of Java 4 through 7.

    Article Link: Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat
     
  2. needfx, Jan 11, 2013
    Last edited: Jan 11, 2013

    macrumors 68030

    needfx

    Joined:
    Aug 10, 2010
    Location:
    macrumors apparently
    #2
    bad java. baaaad java
     
  3. macrumors 6502a

    Joined:
    Mar 15, 2009
    #3
    Weird. I started getting DNS about 30 minutes ago lol. Was bugging me. Now I know why
     
  4. xionxiox, Jan 11, 2013
    Last edited: Jan 11, 2013

    macrumors regular

    xionxiox

    Joined:
    Jul 20, 2010
    Location:
    Hell
    #4
    Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
     
  5. macrumors G4

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #5
    This only affects the Java plug-in, right? That being blocked I can deal with. If the entire JDK/JRE is blocked, that is more problematic.
     
  6. macrumors member

    Joined:
    Mar 19, 2008
    #6
    Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

    I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
     
  7. macrumors G4

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #7
    The Xprotect background silent update feature was added to OS X back in Lion 10.7.3. It got extended in Mountain Lion to cover some other things, too - but even I do not know what all those are.
     
  8. macrumors Pentium

    KnightWRX

    Joined:
    Jan 28, 2009
    Location:
    Quebec, Canada
    #8
    com.oracle.java.JavaAppletPlugin = Browser plug-in.

    Apple has not blocked Java 7 on OS X.

    Please correct the headline ASAP before this thread becomes a major flamewar.
     
  9. Administrator/Editor

    WildCowboy

    Staff Member

    Joined:
    Jan 20, 2005
    #9
    OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.


    You are of course correct, and I've updated accordingly to make things more clear.
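
The minimum-version gate described in the article and in post #9, as an added example that is not part of the original thread and is not Apple's code. The plist layout and the key name `PlugInMinimums` are assumptions; only the bundle identifier and the two version strings come from the thread.

```python
import plistlib
import re

# Constructed sample in the shape of a plug-in minimum-version list.
# The key name "PlugInMinimums" is an assumption, not copied from Apple's file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInMinimums</key>
  <dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <string>1.7.0_10-b19</string>
  </dict>
</dict>
</plist>"""

_JAVA_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")

def parse_java_version(text):
    """Turn '1.7.0_10-b18' into (1, 7, 0, 10, 18); absent update/build count as 0."""
    m = _JAVA_VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def load_minimums(plist_bytes):
    """Return {bundle_id: minimum_version_tuple} from the constructed plist."""
    data = plistlib.loads(plist_bytes)
    return {bid: parse_java_version(v) for bid, v in data["PlugInMinimums"].items()}

def plugin_allowed(bundle_id, installed_version, minimums):
    """Allow a plug-in unless it is listed and older than its required minimum.

    Versions are compared as integer tuples, not strings, so update 9 sorts
    before update 10. An unparseable version of a listed plug-in is blocked.
    """
    required = minimums.get(bundle_id)
    if required is None:
        return True  # not on the list: no minimum enforced
    try:
        return parse_java_version(installed_version) >= required
    except ValueError:
        return False  # fail closed

if __name__ == "__main__":
    mins = load_minimums(SAMPLE_PLIST)
    for ver in ("1.7.0_10-b18", "1.7.0_10-b19"):
        print(ver, plugin_allowed("com.oracle.java.JavaAppletPlugin", ver, mins))
```

Because the required build (b19) is one higher than the newest public build (b18), every installed copy of the plug-in fails the comparison until a newer release ships.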
     
  10. macrumors newbie

    Joined:
    Jan 11, 2013
    #10
    apple should provide option to switch to java 6

    apple should provide an easy option to switch back to java 6
     
  11. macrumors 65816

    Joined:
    Jun 29, 2008
    #11
    Agreed, headline makes it sound like Java as a platform has been blocked on the Mac OS X System rather than just the browser plugin.
     
  12. Administrator

    Doctor Q

    Staff Member

    Joined:
    Sep 19, 2002
    Location:
    Los Angeles
    #12
    Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.
     
  13. macrumors 6502

    Joined:
    Jan 26, 2006
    Location:
    SLC, Utah
    #13
    This is strange because Ellison and Jobs were supposedly good friends.

    ----------

    Of course, unpatched security flaws from the previous release went a lot longer before they were fixed, so
     
  14. macrumors 68030

    macs4nw

    #14
  15. macrumors G4

    Rodimus Prime

    Joined:
    Oct 9, 2006
    #15
    well to be fair it was a good trade off as Apple was piss poor on it and tended to lag months behind Java and left holes open for a lot longer. I expect a patch will be out pretty soon from Oracle to fix it.
     
  16. macrumors 601

    derbothaus

    Joined:
    Jul 17, 2010
    #16
    With every passing week my life becomes more difficult.:mad:
     
  17. macrumors 6502

    Joined:
    May 30, 2002
    #17
    Sadly, Java runtime for Windows is not much better...

    Perhaps, Oracle just hates the world?
     
  18. macrumors 601

    derbothaus

    Joined:
    Jul 17, 2010
    #18
    All Oracle versions have been insecure. I'd rather have stability and security over latest and certainly not greatest. Lots of stuff won't even run on 7 plug.
     
  19. macrumors newbie

    Joined:
    May 29, 2009
    #19
    I thought I read that previous versions of Java had the same vulnerability. Or maybe I'm thinking of the Ruby on Rails exploit. Hard to keep track nowadays.
     
  20. macrumors 6502

    Joined:
    Jan 26, 2006
    Location:
    SLC, Utah
    #20
    Or perhaps Java just plain sucks.
     
  21. macrumors 65816

    Eduardo1971

    Joined:
    Jun 16, 2006
    Location:
    Lost Angeles, Ca. usa
    #21
    "Keep your grubby hands off my iMac Apple!"


    ;)
     
  22. macrumors Pentium

    KnightWRX

    Joined:
    Jan 28, 2009
    Location:
    Quebec, Canada
    #22
    Phew, thanks for the prompt response. ;) 600 post thread crisis about how "Java sucks! Nyuh it doesn't! Yes it does! You're confusing the runtime with the plugin" averted.
     
  23. macrumors 603

    Stella

    Joined:
    Apr 21, 2003
    Location:
    Canada
    #23
    Tell us why 'Java Sucks'?

    Thanks.
     
  24. macrumors Pentium

    KnightWRX

    Joined:
    Jan 28, 2009
    Location:
    Quebec, Canada
    #24
    Java 7 is not released by Apple, it is a direct download from Oracle. Apple has stopped all development and distribution of their own Java runtime and plug-in with version 6.
     
  25. krravi, Jan 11, 2013
    Last edited: Jan 11, 2013

    macrumors 65816

    Joined:
    Nov 30, 2010
    #25
    As a middleware and server platform Java is great. But when it comes to front end, it sucks like a tornado. Their widgets and the slow response times are horrible. Java was trying to be an "all in one" solution but it never got accepted.

    I know the Mars rover interface is Java. But NASA engineers could have chosen the easy way out, you know run it on Linux and throw Java on top of it. Easy out of the box solution. I believe Android is based on such a platform, but I am not sure. No wonder it's so glitchy and jerky.
     
