Apple Once Again Blocks Java 7 Web Plug-in

I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

Classic if it doesnt affect me its not important.

This has stopped by company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

Thanks for your really useful advice!

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.

I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

Some people actually need it in certain business environments. Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves. How hard would it be to push the update to computers after Oracle updates Java with the security patch, not before?

Flash, Java, what's next? Internet access to Apple approved sites only?

Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!

They are also blocking Apple Java 1.6! Don't know where XProtect.meta.plist screenshot is from, but that is not what Apple pushed out this morning.

Here's what it really is!

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>JavaWebComponentVersionMinimum</key>
<string>1.6.0_37-b06-435</string>
<key>LastModification</key>
<string>Thu, 31 Jan 2013 04:41:14 GMT</string>
<key>PlugInBlacklist</key>
<dict>
<key>10</key>
<dict>
<key>com.macromedia.Flash Player.plugin</key>
<dict>
<key>MinimumPlugInBundleVersion</key>
<string>11.3.300.271</string>
</dict>
<key>com.oracle.java.JavaAppletPlugin</key>
<dict>
<key>MinimumPlugInBundleVersion</key>
<string>1.7.11.22</string>
</dict>
</dict>
</dict>
<key>Version</key>
<integer>2028</integer>
</dict>
</plist>


To re-enable Apple Java 1.6:

sudo /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

or

sudo defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist JavaWebComponentVersionMinimum \"1.6.0_37-b06-434\"


To re-enable Oracle Java 1.7u11 edit the "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist" using vi in Terminal and change:

<string>1.7.11.22</string>
to:
<string>1.7.11.19</string>

I posted the block on Twitter when I noticed it this morning.
https://twitter.com/sonynair/status/296935103383347201

Hope that helps someone!

Exactly None.
Apple should NOT BE BLOCKING HTTPS web sites that use Java Plugins.
Especially as Java 7 now has Java FX, with better Table handling and Charts.
It looks like Apple Envy, attempt to Force People to HTML5,
vs. a superior Technology: Java 7.

Since Java is not installed by default on the latest version of OS X, I don't think Apple should be blocking it at all. If a user wants to use Java, he or she should be able to do so. If a user wants to be protected, perhaps he or she can install some sort of malware app that also checks for possible Java exploits. I can see why Apple would use Xprotect for their own in-house version of Java, but this is not their baby anymore.

----------

Simple logic that you don't want to follow maybe?

The police "as prevention" may say do not go down that dark alley in this neighborhood, you may be robbed.

You can then decide if you go or not. You may want to go there , because your stuff is in a shed down there and you have not had any incidents.

The police will not block the access to that dark alley, so you can't go down there and get your stuff.

A pop up saying:

WARNING using JAVA is insecure to use or so

with an

I understand the risks (not that people do) continue

or

Cancel

This notification can be turned off in the preferences file.

Nobody here says that we do not appreciate actions by Apple to make our user experiences as safe as possible.

But, when somebody switches something off in my computer, I'd like to know.

Al Franken will get on this very shortly and the government will get involved.
Not necessarily a good thing, just wait and see:-)

Thank you... I agree wholeheartedly! I don't need Apple babysitting me. I hope this all gets resolved very soon.

This is too funny


I went to www.icloud.com (http://www.icloud.com) to make some changes to my account - which for some reason, the icloud site uses JavaScript!

Of course Safari blocks access to it. The screenshot was from Safari.

(I think MacRumors uses Java to submit reply's too.....)

JavaScript does not equal Java. They have similar names, but they are not even kinda like each other....

How do I turn it back on?

(oh, and spare me the preaching, I'm aware of the tiny theoretical risk involved, and it's massively outweighed by 100% chance of me not being able to use my computer to do most of the things I want to do today)

I would have thought Apple would have learned from iOS Maps, iOS Youtube and iTunes 11 not to break stuff that was working until they had a replacement that was usable?

The article by MacRumors states that it's unknown why Apple took this step. I received an email advisory from MS-ISAC on January 28th which spoke of a new vulnerability. I am pasting it below.

--

MS-ISAC ADVISORY NUMBER:
2013-008 - UPDATED

DATE(S) ISSUED:
01/28/2013

SUBJECT:
Security Bypass Vulnerability in Oracle Java Runtime Environment Could Allow Remote Code Execution

OVERVIEW:
A vulnerability has been discovered in Oracle Java Runtime Environment (JRE) that can lead to remote code execution. The Java Runtime Environment is used to enhance the user experience when visiting websites and is installed on mostdesktops and servers. This vulnerability may be exploited if a user visits or is redirected to a specifically crafted web page. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the JRE application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely result in denial-of-service conditions.

SYSTEM AFFECTED:
Oracle JRE 1.7.0 Update 10, prior versions may also be affected.

UPDATED SYSTEM AFFECTED:
• Oracle JRE 1.7.0 Update 11, prior versions may also be affected.

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users:High

DESCRIPTION:
A vulnerability has been discovered in Oracle Java Runtime Environment that can lead to remote code execution. In order to exploit this vulnerability, an attacker must first create a web page with a specially crafted applet designed to leverage this issue. When the web page is visited, the attacker suppliedcode is run in the context of the affected application.

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the JRE application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attemptswill likely result in denial-of-service conditions.

Please note that there is no patch available from Oracle to mitigate this vulnerability at this time and this vulnerability is being sold in the underground markets.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply the patch from Oracle, after appropriate testing, as soon as one becomes available.
Consider disabling Java completely on all systems until a patch is available.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

REFERENCES:

Security Focus:
http://www.securityfocus.com/bid/57563

Full Disclosure:
http://seclists.org/fulldisclosure/2013/Jan/241

Multi-State Information Sharing and Analysis Center
31 Tech Valley Drive, Suite 2
East Greenbush, NY 12061
(518) 266-3460
1-866-787-4722
soc@msisac.org

I feel your pain! This is totally and utterly unprofessional. Apple must stop playing 'God' by interfering like this.

Microsoft realise that doing stuff like this can cripple businesses, that's why they issue security bulletins and put the onus on users/Administrators to call the shots.

Oh yeah its really "professional" to leave your users vulnerable to crippling attack, privacy invasion, etc. etc.

THAT is the Microsoft definition of "professionalism". The moment you turn it on, you're at risk of losing everything.