Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.


Apple's updated plug-in blacklist requiring an unreleased version of Java 7

Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but at least some versions of Java 4 through 7.

Top Rated Comments

(View all)
Avatar
101 months ago
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
Score: 23 Votes (Like | Disagree)
Avatar
101 months ago
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
Score: 19 Votes (Like | Disagree)
Avatar
101 months ago
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
Score: 14 Votes (Like | Disagree)
Avatar
101 months ago

I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.


com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.

You are of course correct, and I've updated accordingly to make things more clear.
Score: 8 Votes (Like | Disagree)
Avatar
101 months ago

Well, I don't think I will join the debate about Java, but a temporary fix to enable Java (I know, it is a security hazard, however I don't have another option as I have to use the Juniper SSL VPN network connect client).
So,
1. close Safari
2. Open a terminal
3. sudo vi /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
4. Find the string <key>MinimumPlugInBundleVersion</key>
5. Just under that line you should see the version. Change the last portion of the number from 19 to 1.
6. Save and exit
7. Start up Safari and you should work. You must keep in mind that this file may be updated by Apple again, so this is only temporary and should only be done if you *must* use your current version of Java.

best of luck....


Thanks so much for posting this. The company I work for uses a payroll system that requires the Java plug-in and I was unable to access it. Would have been stuck without this.

I like that Apple is clearly looking out for the safety of their users, but at the same time, it would be nice if they would put in a user interface for temporarily side-stepping this kind of thing instead of having to hack around in the system files. Just a simple prompt of "This plug-in/app has been disabled due to security issues. Do you want to run it this one time?" That would serve the dual purposes of not leaving their users stranded and giving an explanation for why it suddenly doesn't work.
Score: 6 Votes (Like | Disagree)
Avatar
101 months ago

Seriously? From a programmer's perspective: http://tech.jonathangardner.net/wiki/Why_Java_Sucks

Thanks for the reply.

I write Java on a daily basis, I wanted to know from you why you thought 'Java Sucks'... or if you were just on some bandwagon. Some reasons why Java sucks are now invalid and have been for a long time - such as 'Java is Slow'... which is a gross generalization.

Some of those points or valid in the link, others are just his opinion, others may disagree or agree.

Java can be a good choice on the server side, on the GUI side, not so much. Saying that, writing webapps with Java is not a great experience - there are better choices - YMMV.
Score: 6 Votes (Like | Disagree)

Top Stories

Leaker: 'iPhone 12 mini' and iPhone 12 Storage Capacities Start at 64GB, Pro Models at 128GB

Tuesday September 29, 2020 2:31 am PDT by
Rumors suggest Apple's iPhone 12 launch event will be held on October 13, with the more affordable 5.4 and 6.1-inch devices set to ship out ahead of the more expensive 6.1-inch and 6.7-inch Pro devices, and this morning hit-and-miss leaker Jon Prosser has further committed to that date by providing alleged details on Apple's first shipment of finalized iPhone 12 units. Prosser claims the...

Hands-On With iOS 14.2's New Shazam Music Recognition Toggle in Control Center

Monday September 28, 2020 2:35 pm PDT by
Shortly after launching iOS 14, Apple introduced an upcoming iOS 14.2 update, which is now available to developers and public beta testers ahead of a public release that could come at some point in October. Subscribe to the MacRumors YouTube channel for more videos. The iOS 14.2 update mainly focuses on the Control Center, introducing a new Music Recognition toggle that deepens the Shazam...

iPhone 12 'Pro Max' Model to Sport Unique High-End Features

Wednesday September 30, 2020 2:01 am PDT by
The upcoming "iPhone 12 Pro Max" is anticipated to have a number of unique high-end features not found on any other iPhone, such as its screen size, LiDAR scanner, faster 5G, and potentially a higher display refresh rate. The iPhone 12 Pro Max is also expected to be the largest ever iPhone, with a 6.7-inch display. Previously, the largest iPhones have been 6.5-inches in the iPhone XS Max and ...

DigiTimes: 12.9-inch Mini-LED iPad Pro Arriving Early 2021, Mini-LED MacBook Coming Later

Tuesday September 29, 2020 4:18 am PDT by
Apple will launch a 12.9-inch mini LED-backlit iPad Pro in early 2021 and a mini LED-backlit MacBook in the second-half of next year, according to DigiTimes. The Taiwan-based industry publication claims Epistar will supply the over-10,000 mini LEDs used in each iPad Pro tablet. Meanwhile, Apple is expected to recruit Osram Opto as another supplier of mini LEDs for use in a new "high-end"...

iOS 14.2 Suggests Apple Won't Include EarPods in the Box With iPhone 12

Tuesday September 29, 2020 2:19 pm PDT by
Rumors have suggested that Apple's iPhone 12 models will not include power adapters or EarPods in the box, and a minor code tweak in iOS 14.2 seemingly confirms Apple's plan to sell the new devices without EarPods. In iOS 14 and earlier versions of iOS, there's a mention of reducing exposure to RF energy by using the "supplied headphones," which is the same wording that Apple has used for...

iPhone 12 Production Lines at Foxconn's Zhengzhou Factory in China Running '24 Hours a Day'

Tuesday September 29, 2020 3:38 am PDT by
Apple contract manufacturer Foxconn is running its massive Zhengzhou factory in China 24 hours a day to produce the new iPhone 12, according to Chinese media reports. Apple's main iPhone manufacturer in China is said to be cancelling workers' holidays and introducing mandatory overtime with additional bonuses for longer-serving staff, according to information garnered from employees,...

iPhone 12 May Launch Earlier Than Usual in South Korea

Monday September 28, 2020 5:24 am PDT by
The upcoming iPhone 12 lineup may launch earlier than usual in South Korea, reports The Korea Herald. South Korean telecoms firms speaking to The Korea Herald have said that the iPhone 12 lineup will launch ahead of its usual schedule. Normally, the release of new iPhones in South Korea comes about one month after launch in the United States. Last year, the iPhone 11 arrived in South Korea ...

iOS 14.2 Beta 2 Adds New Emoji Characters like Ninja, Pinata, Bubble Tea, Polar Bear and More

Tuesday September 29, 2020 11:22 am PDT by
The second beta of iOS 14.2 introduces the new Emoji 13 characters that Apple previewed earlier this year as part of World Emoji Day. New emoji options include ninja, people hugging, black cat, bison, fly, polar bear, blueberries, fondue, bubble tea, and more, with a list below. Faces - Smiling Face with Tear, Disguised Face People - Ninja, Person in Tuxedo, Woman in Tuxedo, Person...

Epic Games Unlikely to Win Injunction in Ongoing Fortnite Battle With Apple, Jury Trial Possible

Monday September 28, 2020 1:14 pm PDT by
The ongoing legal dispute between Apple and Epic Games continued on today, with a preliminary injunction hearing taking place this morning. We're still waiting to hear the judge's official ruling, but it looks like Epic is not going to be granted an injunction to allow Fortnite back into the App Store as the case unfolds. Many of the arguments that lawyers for Apple and Epic Games made were...

Apple Releases Ninth Beta of macOS Big Sur to Developers

Tuesday September 29, 2020 10:07 am PDT by
Apple today seeded the Ninth beta of an upcoming macOS Big Sur update to developers for testing purposes, a week after releasing the eighth beta and more than two months after the new update was unveiled at the Worldwide Developers Conference. The macOS Big Sur beta can be downloaded through the Apple Developer Center and once the appropriate profile is installed, subsequent betas will be...