Apple Once Again Blocks Java 7 Web Plug-in

by

Earlier this month, Apple took the unusual step of remotely blocking Oracle's Java 7 browser plug-in due to a major security vulnerability, using the "Xprotect" anti-malware system built into OS X to enforce a minimum version number that had yet to be released. Within days, Oracle updated Java to address the issue, with the new version number making the Java plug-in usable on OS X systems once more.

As noted by French site MacGeneration [Google translation] and the Apple discussion forums, Apple has once again blocked the Java 7 plug-in using Xprotect.

java_7_11_blacklist
The updated blacklist enforces a minimum Java plug-in version of 1.7.0_11-b22, while the latest version of the plug-in is 1.7.0_11-b21.

The exact reason for Apple's renewed block on the Java plug-in is unknown although reports immediately following the release of Update 11 earlier this month indicated that it fixed only one of the two bugs that contributed to the security vulnerability. In the wake of that news, cybersecurity officials recommended that most users disable Java even with the up-to-date plug-in installed.

Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.

If this continued issue is indeed the reason for the new block by Apple, it is unclear why the company waited several weeks to update its plug-in blacklist.

Popular Stories

iPhone 17 Pro Render Front Page Tech

iPhone 17 Pro Launching Later This Year With These 8 New Features

Tuesday March 4, 2025 3:15 pm PST by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. iPhone 17 Pro's alleged design via Front Page Tech Below, we recap key changes rumored for the iPhone 17 Pro models as of March 2025: Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone...
Read Full Article
Apple MacBook Air hero

Apple Announces New MacBook Air With M4 and 'Sky Blue' Color Option

Wednesday March 5, 2025 6:02 am PST by
Apple today announced refreshed 13- and 15-inch MacBook Air models, now featuring the M4 chip, an upgraded camera, and a new "Sky Blue" color option. "Sky Blue" is an all-new blue finish that joins Midnight, Starlight, and Silver. Apple describes it as a "beautiful, metallic light blue that creates a dynamic gradient when light reflects off of its surface." Space Gray is no longer available. ...
Read Full Article438 comments
ipad 11 feature

Apple Unveils 11th-Gen iPad With A16 Chip and More Storage

Tuesday March 4, 2025 6:06 am PST by
Apple today announced the 11th-generation iPad, now featuring the A16 chip and more storage. The announcement came alongside the debut of the new iPad Air, which now features the M3 chip. From Apple's press release: The A16 chip provides a jump in performance for everyday tasks and experiences in iPadOS, while still providing all-day battery life. Compared to the previous generation, the...
Read Full Article175 comments
M3 iPad Air

Apple Announces New iPad Air With M3 Chip, Updated Magic Keyboard

Tuesday March 4, 2025 6:04 am PST by
Apple today introduced new 11-inch and 13-inch iPad Air models with the M3 chip, along with an updated Magic Keyboard for the device. With the M3 chip, the new iPad Air should offer up to 20% faster performance compared to the previous-generation model with the M2 chip, which was released in May 2024. In addition, the M3 chip brings hardware-accelerated ray tracing to the iPad Air for the...
Read Full Article203 comments
CarPlay Hero

iOS 18.4 Upgrades CarPlay in Two Ways

Tuesday March 4, 2025 8:39 am PST by
The upcoming iOS 18.4 update for the iPhone includes two smaller but meaningful improvements for Apple's in-car iPhone mirroring system CarPlay. First, CarPlay now shows a third row of icons, up from two rows previously. However, this change is only visible in vehicles with a larger center display. For example, a MacRumors Forums member noticed the change in a Toyota Tundra with a 14-inch...
Read Full Article
Apple MacBook Air hero

Apple Has Finally Solved One of the MacBook Air's Biggest Limitations

Wednesday March 5, 2025 11:29 am PST by
The new MacBook Air has a useful upgrade: it natively supports up to two external displays, in addition to the laptop's built-in display. In other words, the latest MacBook Air can be used with a pair of external displays without needing to keep the laptop's lid closed. Apple's tech specs for the new 13-inch and 15-inch MacBook Air:Simultaneously supports full native resolution on the...
Read Full Article90 comments
Mac Studio 2025

Apple Announces New Mac Studio With M4 Max and M3 Ultra Chips, Thunderbolt 5, and More

Wednesday March 5, 2025 6:01 am PST by
Apple today announced that it has updated the Mac Studio with M4 Max and M3 Ultra chip options, Thunderbolt 5 ports, and more. The M4 Max chip was already released last year in the 14-inch and 16-inch MacBook Pro. It can be configured with up to a 16-core CPU, up to a 40-core GPU, and up to 128GB of unified RAM. Geekbench 6 benchmark results indicate that the M4 Max is up to 75% faster than...
Read Full Article357 comments
Apple MacBook Air hero

Here Are Real-World Photos of the New Sky Blue MacBook Air

Wednesday March 5, 2025 1:47 pm PST by
Apple today updated the MacBook Air with the M4 chip, and the laptop is also available in an all-new Sky Blue finish alongside Silver, Starlight, and Midnight. YouTuber Andru Edwards has showed off the Sky Blue color in a few real-world photos. Keep in mind that the Sky Blue finish is not very saturated. However, the color's appearance will vary based on lighting conditions. View ...
Read Full Article73 comments
ipad air magic keyboard

Apple Announces Redesigned Magic Keyboard for iPad Air

Tuesday March 4, 2025 6:36 am PST by
Apple today announced a completely redesigned Magic Keyboard accessory for the iPad Air. The new keyboard features a larger built-in trackpad, a 14-key function row, and a new aluminum hinge. From Apple's press release: The all-new Magic Keyboard for iPad Air expands what users can do at an even lower price. The larger built-in trackpad brings greater precision for detail-oriented...
Read Full Article119 comments

Top Rated Comments

jonatron Avatar
jonatron
158 months ago
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.

Classic if it doesnt affect me its not important.

This has stopped by company from using its finance system and staff are currently sat around twiddling their thumbs. Plus it took me an entire morning to work out what the issue was as there was no notification from Apple.

Thanks for your really useful advice!

I re-iterate what some others have said. THIS IS NOT ACCEPTABLE BEHAVIOUR from Apple and they need to sort this out pronto.
Score: 15 Votes (Like | Disagree)
ConCat Avatar
ConCat
158 months ago
I've had Java disabled in my browser for the last several years, and I don't miss it at all. I think in all that time I have re-enabled it maybe once because there was an applet I actually wanted to run.

Just leave it turned off.
Some people actually need it in certain business environments. Apple really should quit doing this, and I mean now. If we want it disabled, we can disable it ourselves. How hard would it be to push the update to computers after Oracle updates Java with the security patch, not before?
Score: 12 Votes (Like | Disagree)
AppleScruff1 Avatar
AppleScruff1
158 months ago
Flash, Java, what's next? Internet access to Apple approved sites only?
Score: 9 Votes (Like | Disagree)
jwkay Avatar
jwkay
158 months ago
Java is essential for the joint Norwegian bank login system BankID. If Apple has disabled this without a way of switching it back on, we are all locked out of our bank accounts!
Score: 8 Votes (Like | Disagree)
sonynair Avatar
sonynair
158 months ago
They are also blocking Apple Java 1.6! Don't know where XProtect.meta.plist screenshot is from, but that is not what Apple pushed out this morning.

Here's what it really is!

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>JavaWebComponentVersionMinimum</key>
<string>1.6.0_37-b06-435</string>
<key>LastModification</key>
<string>Thu, 31 Jan 2013 04:41:14 GMT</string>
<key>PlugInBlacklist</key>
<dict>
<key>10</key>
<dict>
<key>com.macromedia.Flash Player.plugin</key>
<dict>
<key>MinimumPlugInBundleVersion</key>
<string>11.3.300.271</string>
</dict>
<key>com.oracle.java.JavaAppletPlugin</key>
<dict>
<key>MinimumPlugInBundleVersion</key>
<string>1.7.11.22</string>
</dict>
</dict>
</dict>
<key>Version</key>
<integer>2028</integer>
</dict>
</plist>


To re-enable Apple Java 1.6:

sudo /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

or

sudo defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist JavaWebComponentVersionMinimum \"1.6.0_37-b06-434\"


To re-enable Oracle Java 1.7u11 edit the "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist" using vi in Terminal and change:

<string>1.7.11.22</string>
to:
<string>1.7.11.19</string>

I posted the block on Twitter when I noticed it this morning.
https://twitter.com/sonynair/status/296935103383347201

Hope that helps someone!
Score: 7 Votes (Like | Disagree)
sseaton1971 Avatar
sseaton1971
158 months ago
Exactly None.
Apple should NOT BE BLOCKING HTTPS web sites that use Java Plugins.
Especially as Java 7 now has Java FX, with better Table handling and Charts.
It looks like Apple Envy, attempt to Force People to HTML5,
vs. a superior Technology: Java 7.

Since Java is not installed by default on the latest version of OS X, I don't think Apple should be blocking it at all. If a user wants to use Java, he or she should be able to do so. If a user wants to be protected, perhaps he or she can install some sort of malware app that also checks for possible Java exploits. I can see why Apple would use Xprotect for their own in-house version of Java, but this is not their baby anymore.

----------

Simple logic that you don't want to follow maybe?

The police "as prevention" may say do not go down that dark alley in this neighborhood, you may be robbed.

You can then decide if you go or not. You may want to go there , because your stuff is in a shed down there and you have not had any incidents.

The police will not block the access to that dark alley, so you can't go down there and get your stuff.

A pop up saying:

WARNING using JAVA is insecure to use or so

with an

I understand the risks (not that people do) continue

or

Cancel

This notification can be turned off in the preferences file.

Nobody here says that we do not appreciate actions by Apple to make our user experiences as safe as possible.

But, when somebody switches something off in my computer, I'd like to know.

Al Franken will get on this very shortly and the government will get involved.
Not necessarily a good thing, just wait and see:-)

Thank you... I agree wholeheartedly! I don't need Apple babysitting me. I hope this all gets resolved very soon.
Score: 6 Votes (Like | Disagree)
Read All Comments