Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

by

As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

java 7 blacklist
Apple's updated plug-in blacklist requiring an unreleased version of Java 7

Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but at least some versions of Java 4 through 7.

Popular Stories

Apple Shopping Event 2025

Apple Announces 2025 Black Friday Event, Here's What You Can Get

Thursday November 20, 2025 6:28 am PST by
Apple's annual four-day Black Friday through Cyber Monday shopping event is returning on Friday, November 28 through Monday, December 1 in many countries, including the United States, Canada, Australia, New Zealand, France, Germany, Italy, Spain, the United Kingdom, Belgium, the Netherlands, Sweden, Thailand, and others. During the shopping event, customers can get an Apple gift card with...
Read Full Article37 comments
applecare apple care banner

Apple Brings New AppleCare+ Options to India

Tuesday November 18, 2025 8:42 am PST by
Apple today announced an expansion of AppleCare+ coverage in India, with new options for monthly and annual plans, and the addition of Theft and Loss for iPhone for the first time. Options for monthly and annual AppleCare+ plans in India provide more choice and flexibility, allowing users to keep coverage for as long as they require. Apple's vice president of Worldwide iPhone Product...
Read Full Article6 comments
iOS 26

Everything New in iOS 26.2 Beta 3

Monday November 17, 2025 3:20 pm PST by
Apple provided developers with the third beta of an upcoming iOS 26.2 update, and there are still new features that are being added with each beta that we get. We've rounded up all of the changes that Apple made in beta 3. AirDrop Apple added new AirDrop functionality, providing a way for two people to share files temporarily without having to add one another as contacts. iOS 26.2...
Read Full Article24 comments
iPhone 17 Pro Cosmic Orange

10 Reasons to Wait for Next Year's iPhone 18 Pro

Wednesday November 19, 2025 4:00 am PST by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article97 comments
ipad mini 7 feature red and blue

iPad Mini 8: Four Major New Features to Expect

Wednesday November 19, 2025 7:50 am PST by
Apple's eighth-generation iPad mini is highly likely to arrive next year, offering a significant refresh of the device with at least four major new features. OLED Display The next-generation version of the iPad mini could feature an OLED display, as part of Apple's plan to expand the display technology across many more of its devices. Apple's first OLED device was the Apple Watch in 2015, ...
Read Full Article64 comments
Apple Wallet ID Illinois

iPhone Driver's License Feature Launching in Illinois

Tuesday November 18, 2025 8:47 am PST by
In select U.S. states, residents can add their driver's license or state ID to the Wallet app on the iPhone and Apple Watch, providing a convenient and contactless way to display proof of identity or age at select airports and businesses, and in select apps. Starting this Wednesday, November 19, the feature will be available to residents of Illinois. The announcement confirmed that the...
Read Full Article69 comments
iPhone 17 Pro and Air N1 Feature

iPhone 17 vs. iPhone 16 Wi-Fi Speeds: New Study Reveals the Winner

Tuesday November 18, 2025 10:53 am PST by
A new study has revealed that the iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max, and iPhone Air achieve significantly faster average Wi-Fi speeds compared to the iPhone 16 series, thanks to Apple's custom-designed N1 chip. The study was conducted by Ookla, the company behind the popular Speedtest website and app. It said the results are based on global, crowdsourced Speedtest user data...
Read Full Article51 comments
macbook black friday

The Best Early Black Friday Mac Deals

Tuesday November 18, 2025 7:32 am PST by
We're getting closer to Black Friday, which lands next week on Friday, November 28. In the lead-up to the shopping holiday, we're tracking a few lowest-ever prices on Apple's most popular Macs, including the M4 MacBook Air and brand new M5 MacBook Pro. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment,...
Read Full Article1 comments
Magic Keyboard Touch ID Feature

Apple Releases New Firmware for 140W USB-C Power Adapter, Magic Keyboard and Magic Trackpad

Tuesday November 18, 2025 1:05 pm PST by
Apple today released updated firmware for several accessories, including the 140W USB-C Power Adapter, the Magic Trackpad 2, the Magic Trackpad USB-C, the Magic Keyboard with Touch ID, and the Magic Keyboard with Touch ID and Numeric Keypad. There is no word on what's included in the updated firmware at this time, but it could offer performance improvements and security updates. Accessory...
Read Full Article79 comments
watchos 26 workout app

Apple Watch Users Claim Workout App Is Now Worse in Every Way

Thursday November 20, 2025 7:01 am PST by
Apple Watch owners have been voicing their frustration online over changes to the Workout app that Apple introduced in watchOS 26, with many finding the redesigned interface makes starting exercises difficult and exasperating. When Apple launched watchOS 26 in September, the Workout app went from large, easily tapped workout tiles to a scrolling, corner-button interface. Instead of tapping a ...
Read Full Article182 comments

Top Rated Comments

KnightWRX Avatar
KnightWRX
168 months ago
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
Score: 23 Votes (Like | Disagree)
xionxiox Avatar
xionxiox
168 months ago
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
Score: 19 Votes (Like | Disagree)
mreed911 Avatar
mreed911
168 months ago
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
Score: 14 Votes (Like | Disagree)
WildCowboy Avatar
WildCowboy
168 months ago
I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.
OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.


com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
You are of course correct, and I've updated accordingly to make things more clear.
Score: 8 Votes (Like | Disagree)
inkswamp Avatar
inkswamp
168 months ago
Well, I don't think I will join the debate about Java, but a temporary fix to enable Java (I know, it is a security hazard, however I don't have another option as I have to use the Juniper SSL VPN network connect client).
So,
1. close Safari
2. Open a terminal
3. sudo vi /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
4. Find the string <key>MinimumPlugInBundleVersion</key>
5. Just under that line you should see the version. Change the last portion of the number from 19 to 1.
6. Save and exit
7. Start up Safari and you should work. You must keep in mind that this file may be updated by Apple again, so this is only temporary and should only be done if you *must* use your current version of Java.

best of luck....

Thanks so much for posting this. The company I work for uses a payroll system that requires the Java plug-in and I was unable to access it. Would have been stuck without this.

I like that Apple is clearly looking out for the safety of their users, but at the same time, it would be nice if they would put in a user interface for temporarily side-stepping this kind of thing instead of having to hack around in the system files. Just a simple prompt of "This plug-in/app has been disabled due to security issues. Do you want to run it this one time?" That would serve the dual purposes of not leaving their users stranded and giving an explanation for why it suddenly doesn't work.
Score: 6 Votes (Like | Disagree)
Stella Avatar
Stella
168 months ago
Seriously? From a programmer's perspective: http://tech.jonathangardner.net/wiki/Why_Java_Sucks
Thanks for the reply.

I write Java on a daily basis, I wanted to know from you why you thought 'Java Sucks'... or if you were just on some bandwagon. Some reasons why Java sucks are now invalid and have been for a long time - such as 'Java is Slow'... which is a gross generalization.

Some of those points or valid in the link, others are just his opinion, others may disagree or agree.

Java can be a good choice on the server side, on the GUI side, not so much. Saying that, writing webapps with Java is not a great experience - there are better choices - YMMV.
Score: 6 Votes (Like | Disagree)
Read All Comments