MacNN Forums (
-   Mac News (
-   -   Apple quietly blocks Java 7 in OS X [U] (

NewsPoster Jan 11, 2013 03:21 PM
Apple quietly blocks Java 7 in OS X [U]
<strong>[Update: Mozilla joins in, FBI issues warning, fix coming]</strong> Apple has disabled the Java 7 browser plug-in on Macs through an updated OS X blacklist file, notes <em>MacRumors</em>. Recently <a href="" rel='nofollow'>a major security vulnerability</a> was discovered in Java 7, one already being exploited in malware. In response, Apple has <a href="" rel='nofollow'>silently pushed</a> an updated Xprotect.plist file to OS X users, setting an as-yet-unreleased v1.7.0_10-b19 as the minimum version of Java required for unrestricted operation.<br />
<br />
In the past few years, Apple has tried to distance itself from Java as part of a general move away from third-party browser plug-ins. At one point the software came preinstalled on Macs, and was maintained in a separate Apple fork. In 2010, though, the company began <a href="" rel='nofollow'>leaving Java support up to Oracle</a>, since the Apple fork was regularly lagging behind, which was leaving Macs exposed to known threats. Java is now entirely optional code that Mac owners have to download on their own, though if users attempted to run a Java applet they would be asked if they wanted to install Java from an Oracle public link.

Oracle has yet to say when a new version of Java will reach OS X. That could cause at least temporary problems for Mac owners who depend on apps and websites built around the plugin, though Java-based applications that use Java 7 separately of a web browser will not be affected by the blocking.

<strong>[U]</strong> The Mozilla foundation has also <a href="" rel='nofollow'>quietly updated</a> the blacklist in its Firefox browser to block the affected Java 7 web plug-in, and security experts are now <a href="" rel='nofollow'>advising the public</a> to temporarily disable Java in other browsers until Oracle can release a patch for the security issues, which it has said it will do on Tuesday.
daqman Jan 11, 2013 04:05 PM
This is going to cause some grief!
I understand that this is a severe vulnerability but completely and compulsorily blocking the Java plugin is extreme. Many companies have internally developed Java applets to access databases and perform other functions. There are also games and other legitimate Java code out there. I understand that Apple probably would find it almost impossible to whitelist applets based on network source it's Oracle that needs to move!
Flying Meat Jan 11, 2013 04:53 PM
I could be mistaken, but not all browsers comply with the XProtect thingee.
curmi Jan 11, 2013 05:53 PM
Article is not correct
They blocked the Java 7 *plugin*, not Java 7. That is a big difference. Java applications will still run on the Mac - just not in a browser. If they blocked Java 7, developers who work in Java (for example, web server back ends) would suddenly find they could no longer work on their Macs.
Charles Martin Jan 11, 2013 11:38 PM
Thanks for pointing this out, the article has been revised to make that clearer.
pilker4y Jan 12, 2013 11:00 AM
Websites that require Java to run always inform the users that the plugin is required to view the content, so I don't see this as a big issue. By blocking it Apple makes sure that everything is safe for its users.
Jeff75 Jan 12, 2013 12:42 PM
Java threat - do I really need to take action on my Mac?
What's the final word on this? Do I need to take action to protect my Mac?

Will Sophos antivirus software, which I have installed and updated, catch and eradicate this if I do stumble across it?
JackWebb Jan 12, 2013 01:17 PM
Java 6 is working
Java 6 is still working as a plugin in Safari on Lion 10.7.5. I had to go back to Java 6 after installing Java 7 on Tuesday and it freezing.
Java for OS X 2012-006: How to re-enable the Apple-provided Java SE 6 applet plug-in and Web Start functionality
BTW, I hate Java.
Flying Meat Jan 14, 2013 06:12 PM
Jeff75. You should avoid accessing sites that use client side Java applets.
- How do you know if a site uses Java applets until you go there? You should make sure your Java security settings alert you to that. You get a warning that a site wants to put a client side applet on your machine.
- Will Sophos antivirus catch and eradicate "this" if I do stumble across it? That all depends on what "this" is. Between the time that a vulnerability is discovered and when the AntiVirus folk create a detection mechanism, there is a window of opportunity for your system to become compromised. In the event a known malware product leaves a detectable trace (specific actions, or specific files indicative of a compromise) your AntiVirus may well catch and block those specific actions, and/or eradicate the offending files (presuming your settings specify those AntiVirus remediation steps). The Java plugin vulnerability is typically an attack "vector", meaning, that's how they can get in. The damage is usually done by software the intruder installs after gaining access.
In short, yeah, maybe - or - almost certainly, eventually.

If you want to be as safe as you can, make sure your AV software, Java software, and browser plugins are up to date. Don't reduce security settings for expedience.

My 2 cents.
All times are GMT -4. The time now is 09:32 PM.

Copyright © 2005-2007 MacNN. All rights reserved.
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2017, vBulletin Solutions, Inc.

Content Relevant URLs by vBSEO 3.3.2