Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

by

As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

java 7 blacklist
Apple's updated plug-in blacklist requiring an unreleased version of Java 7

Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but at least some versions of Java 4 through 7.

Popular Stories

maxresdefault

Apple Shows Off a Key Reason to Upgrade to the iPhone 17

Saturday February 7, 2026 9:26 am PST by
Apple today shared an ad that shows how the upgraded Center Stage front camera on the latest iPhones improves the process of taking a group selfie. "Watch how the new front facing camera on iPhone 17 Pro takes group selfies that automatically expand and rotate as more people come into frame," says Apple. While the ad is focused on the iPhone 17 Pro and iPhone 17 Pro Max, the regular iPhone...
Read Full Article83 comments
apple wallet drivers license feature iPhone 15 pro

Apple Says These 7 U.S. States Plan to Offer iPhone Driver's Licenses

Monday February 9, 2026 6:24 am PST by
In select U.S. states, residents can add their driver's license or state ID to the Apple Wallet app on the iPhone and Apple Watch, and then use it to display proof of identity or age at select airports and businesses, and in select apps. The feature is currently available in 13 U.S. states and Puerto Rico, and it is expected to launch in at least seven more in the future. To set up the...
Read Full Article112 comments
m5 macbook pro deal

Why You Shouldn't Buy the Next MacBook Pro

Tuesday February 10, 2026 4:27 pm PST by
Apple is planning to launch new MacBook Pro models as soon as early March, but if you can, this is one generation you should skip because there's something much better in the works. We're waiting on 14-inch and 16-inch MacBook Pro models with M5 Pro and M5 Max chips, with few changes other than the processor upgrade. There won't be any tweaks to the design or the display, but later this...
Read Full Article219 comments
Apple Logo Zoomed

Apple Expected to Launch These 10+ Products Over the Coming Months

Tuesday February 10, 2026 6:33 am PST by
It has been a slow start to 2026 for Apple product launches, with only a new AirTag and a special Apple Watch band released so far. We are still waiting for MacBook Pro models with M5 Pro and M5 Max chips, the iPhone 17e, a lower-cost MacBook with an iPhone chip, long-rumored updates to the Apple TV and HomePod mini, and much more. Apple is expected to release/update the following products...
Read Full Article39 comments
14 inch MacBook Pro Keyboard

New MacBook Pros Could Now Arrive in March

Sunday February 8, 2026 6:02 am PST by
New MacBook Pro models with the M5 Pro and M5 Max chips could arrive as soon as Monday, March 2, according to Bloomberg's Mark Gurman. In today's "Power On" newsletter, Gurman said that the release of new MacBook Pro models is tied to the release of macOS Tahoe 26.3. The launch is said to be slated for as early as the week of March 2. He added that the M4 Pro and M4 Max models on sale today...
Read Full Article133 comments

Top Rated Comments

KnightWRX Avatar
KnightWRX
171 months ago
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
Score: 23 Votes (Like | Disagree)
xionxiox Avatar
xionxiox
171 months ago
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
Score: 19 Votes (Like | Disagree)
mreed911 Avatar
mreed911
171 months ago
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
Score: 14 Votes (Like | Disagree)
WildCowboy Avatar
WildCowboy
171 months ago
I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.
OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.


com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
You are of course correct, and I've updated accordingly to make things more clear.
Score: 8 Votes (Like | Disagree)
inkswamp Avatar
inkswamp
171 months ago
Well, I don't think I will join the debate about Java, but a temporary fix to enable Java (I know, it is a security hazard, however I don't have another option as I have to use the Juniper SSL VPN network connect client).
So,
1. close Safari
2. Open a terminal
3. sudo vi /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
4. Find the string <key>MinimumPlugInBundleVersion</key>
5. Just under that line you should see the version. Change the last portion of the number from 19 to 1.
6. Save and exit
7. Start up Safari and you should work. You must keep in mind that this file may be updated by Apple again, so this is only temporary and should only be done if you *must* use your current version of Java.

best of luck....

Thanks so much for posting this. The company I work for uses a payroll system that requires the Java plug-in and I was unable to access it. Would have been stuck without this.

I like that Apple is clearly looking out for the safety of their users, but at the same time, it would be nice if they would put in a user interface for temporarily side-stepping this kind of thing instead of having to hack around in the system files. Just a simple prompt of "This plug-in/app has been disabled due to security issues. Do you want to run it this one time?" That would serve the dual purposes of not leaving their users stranded and giving an explanation for why it suddenly doesn't work.
Score: 6 Votes (Like | Disagree)
Stella Avatar
Stella
171 months ago
Seriously? From a programmer's perspective: http://tech.jonathangardner.net/wiki/Why_Java_Sucks
Thanks for the reply.

I write Java on a daily basis, I wanted to know from you why you thought 'Java Sucks'... or if you were just on some bandwagon. Some reasons why Java sucks are now invalid and have been for a long time - such as 'Java is Slow'... which is a gross generalization.

Some of those points or valid in the link, others are just his opinion, others may disagree or agree.

Java can be a good choice on the server side, on the GUI side, not so much. Saying that, writing webapps with Java is not a great experience - there are better choices - YMMV.
Score: 6 Votes (Like | Disagree)
Read All Comments