Apple Once Again Blocks Java 7 Web Plug-in

by

Earlier this month, Apple took the unusual step of remotely blocking Oracle's Java 7 browser plug-in due to a major security vulnerability, using the "Xprotect" anti-malware system built into OS X to enforce a minimum version number that had yet to be released. Within days, Oracle updated Java to address the issue, with the new version number making the Java plug-in usable on OS X systems once more.

As noted by French site MacGeneration [Google translation] and the Apple discussion forums, Apple has once again blocked the Java 7 plug-in using Xprotect.

java_7_11_blacklist
The updated blacklist enforces a minimum Java plug-in version of 1.7.0_11-b22, while the latest version of the plug-in is 1.7.0_11-b21.

The exact reason for Apple's renewed block on the Java plug-in is unknown although reports immediately following the release of Update 11 earlier this month indicated that it fixed only one of the two bugs that contributed to the security vulnerability. In the wake of that news, cybersecurity officials recommended that most users disable Java even with the up-to-date plug-in installed.

Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.

If this continued issue is indeed the reason for the new block by Apple, it is unclear why the company waited several weeks to update its plug-in blacklist.

Popular Stories

iPhone Top Left Hole Punch Face ID Feature Purple

10 Reasons to Wait for This Year's iPhone 18 Pro

Thursday January 8, 2026 2:56 am PST by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article70 comments
samsung crease less foldable display ces 2026%402x

Foldable iPhone's Crease-Free Display Tech Spotted at CES 2026

Tuesday January 6, 2026 3:04 am PST by
CES 2026 has just provided a first glimpse of the folding display technology that Apple is expected to use in its upcoming foldable iPhone. At the event, Samsung Display briefly showcased its new crease-less foldable OLED panel beside a Galaxy Z Fold 7, and according to SamMobile, which saw the test booth before it was abruptly removed, the new panel "has no crease at all" in comparison. The ...
Read Full Article178 comments
iOS 27 Mock Quick

Five New iPhone Features Rumored for iOS 27

Wednesday January 7, 2026 2:51 pm PST by
Though it's been just a few months since iOS 26 launched, we're already hearing rumors about the next-generation version of iOS, iOS 27. iOS 27 will be introduced at Apple's June WWDC 2026 event before it launches in September 2026. We don't know all of the details about iOS 27 yet, but we do have some information about what to expect. "Snow Leopard" Update iOS 27 will apparently focus...
Read Full Article130 comments
Apple Card iPhone 16 Pro Feature

Apple Card Will Move From Goldman Sachs to JPMorgan Chase

Wednesday January 7, 2026 12:57 pm PST by
JPMorgan Chase has reached a deal to take over operation of the Apple Card, reports The Wall Street Journal. Barring any "last minute hiccups," the deal should be announced shortly after over a year of negotiations. Reports began circulating over two years ago that current Apple Card issuer Goldman Sachs was looking to end its partnership with Apple as part of an effort to scale back on...
Read Full Article140 comments
Logitech MX Master 3S

Logitech Blames 'Inexcusable Mistake' After Certificate Expiry Breaks macOS Apps

Wednesday January 7, 2026 5:27 am PST by
Logitech users on macOS found themselves locked out of their mouse customizations yesterday after the company let a security certificate expire, breaking both its Logi Options+ and G HUB configuration apps. Logitech devices like its MX Master series mice and MX Keys keyboards stopped working properly as a result of the oversight, with users unable to access their custom scrolling setup,...
Read Full Article123 comments
ChatGPT Health Integration Connectors Feature

OpenAI Launches ChatGPT Health With Apple Health Integration

Wednesday January 7, 2026 11:27 am PST by
OpenAI today announced the launch of ChatGPT Health, a dedicated section of ChatGPT where users can ask health-related questions completely separated from their main ChatGPT experience. For more personalized responses, users can connect various health data services such as Apple Health, Function, MyFitnessPal, Weight Watchers, AllTrails, Instacart, and Peloton. Last month, MacRumors discovere...
Read Full Article98 comments
Touchscreen MacBook Feature

Apple Is Expected to Launch These Four MacBooks in 2026

Friday January 9, 2026 8:17 am PST by
2026 could be a bumper year for Apple's Mac lineup, with the company expected to announce as many as four separate MacBook launches. Rumors suggest Apple will court both ends of the consumer spectrum, with more affordable options for students and feature-rich premium lines for users that seek the highest specifications from a laptop. Below is a breakdown of what we're expecting over the next ...
Read Full Article58 comments
safari icon blue banner

Apple Loses Safari Lead Designer to The Browser Company

Thursday January 8, 2026 10:50 am PST by
Apple has lost another senior figure from its Safari team as a lead designer departs for The Browser Company, extending a pattern of high-profile exits from Apple's browser team amid intensifying competition around AI-driven browsing. Marco Triverio was a lead designer for Safari and has now joined The Browser Company, the developer of the Arc and Dia browsers. The move was confirmed by The...
Read Full Article92 comments

Top Rated Comments

jonatron Avatar
jonatron
169 months ago
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

Classic if it doesnt affect me its not important.

This has stopped by company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

Thanks for your really useful advice!

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.
Score: 15 Votes (Like | Disagree)
ConCat Avatar
ConCat
169 months ago
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.
Some people actually need it in certain business environments. Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves. How hard would it be to push the update to computers after Oracle updates Java with the security patch, not before?
Score: 12 Votes (Like | Disagree)
AppleScruff1 Avatar
AppleScruff1
169 months ago
Flash, Java, what's next? Internet access to Apple approved sites only?
Score: 9 Votes (Like | Disagree)
jwkay Avatar
jwkay
169 months ago
Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!
Score: 8 Votes (Like | Disagree)
sonynair Avatar
sonynair
169 months ago
They are also blocking Apple Java 1.6! Don't know where XProtect.meta.plist screenshot is from, but that is not what Apple pushed out this morning.

Here's what it really is!

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>JavaWebComponentVersionMinimum</key>
<string>1.6.0_37-b06-435</string>
<key>LastModification</key>
<string>Thu, 31 Jan 2013 04:41:14 GMT</string>
<key>PlugInBlacklist</key>
<dict>
<key>10</key>
<dict>
<key>com.macromedia.Flash Player.plugin</key>
<dict>
<key>MinimumPlugInBundleVersion</key>
<string>11.3.300.271</string>
</dict>
<key>com.oracle.java.JavaAppletPlugin</key>
<dict>
<key>MinimumPlugInBundleVersion</key>
<string>1.7.11.22</string>
</dict>
</dict>
</dict>
<key>Version</key>
<integer>2028</integer>
</dict>
</plist>


To re-enable Apple Java 1.6:

sudo /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

or

sudo defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist JavaWebComponentVersionMinimum \"1.6.0_37-b06-434\"


To re-enable Oracle Java 1.7u11 edit the "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist" using vi in Terminal and change:

<string>1.7.11.22</string>
to:
<string>1.7.11.19</string>

I posted the block on Twitter when I noticed it this morning.
https://twitter.com/sonynair/status/296935103383347201

Hope that helps someone!
Score: 7 Votes (Like | Disagree)
sseaton1971 Avatar
sseaton1971
169 months ago
Exactly None.
Apple should NOT BE BLOCKING HTTPS web sites that use Java Plugins.
Especially as Java 7 now has Java FX, with better Table handling and Charts.
It looks like Apple Envy, attempt to Force People to HTML5,
vs. a superior Technology: Java 7.

Since Java is not installed by default on the latest version of OS X, I don't think Apple should be blocking it at all. If a user wants to use Java, he or she should be able to do so. If a user wants to be protected, perhaps he or she can install some sort of malware app that also checks for possible Java exploits. I can see why Apple would use Xprotect for their own in-house version of Java, but this is not their baby anymore.

----------

Simple logic that you don't want to follow maybe?

The police "as prevention" may say do not go down that dark alley in this neighborhood, you may be robbed.

You can then decide if you go or not. You may want to go there , because your stuff is in a shed down there and you have not had any incidents.

The police will not block the access to that dark alley, so you can't go down there and get your stuff.

A pop up saying:

WARNING using JAVA is insecure to use or so

with an

I understand the risks (not that people do) continue

or

Cancel

This notification can be turned off in the preferences file.

Nobody here says that we do not appreciate actions by Apple to make our user experiences as safe as possible.

But, when somebody switches something off in my computer, I'd like to know.

Al Franken will get on this very shortly and the government will get involved.
Not necessarily a good thing, just wait and see:-)

Thank you... I agree wholeheartedly! I don't need Apple babysitting me. I hope this all gets resolved very soon.
Score: 6 Votes (Like | Disagree)
Read All Comments