|
|
Apple quietly blocks Java 7 in OS X [U]
|
|
|
|
MacNN Staff
Join Date: Jul 2012
Status:
Offline
|
|
[Update: Mozilla joins in, FBI issues warning, fix coming] Apple has disabled the Java 7 browser plug-in on Macs through an updated OS X blacklist file, notes MacRumors. Recently a major security vulnerability was discovered in Java 7, one already being exploited in malware. In response, Apple has silently pushed an updated Xprotect.plist file to OS X users, setting an as-yet-unreleased v1.7.0_10-b19 as the minimum version of Java required for unrestricted operation.
In the past few years, Apple has tried to distance itself from Java as part of a general move away from third-party browser plug-ins. At one point the software came preinstalled on Macs, and was maintained in a separate Apple fork. In 2010, though, the company began leaving Java support up to Oracle, since the Apple fork was regularly lagging behind, which was leaving Macs exposed to known threats. Java is now entirely optional code that Mac owners have to download on their own, though if users attempted to run a Java applet they would be asked if they wanted to install Java from an Oracle public link.
Oracle has yet to say when a new version of Java will reach OS X. That could cause at least temporary problems for Mac owners who depend on apps and websites built around the plugin, though Java-based applications that use Java 7 separately of a web browser will not be affected by the blocking.
[U] The Mozilla foundation has also quietly updated the blacklist in its Firefox browser to block the affected Java 7 web plug-in, and security experts are now advising the public to temporarily disable Java in other browsers until Oracle can release a patch for the security issues, which it has said it will do on Tuesday.
(
Last edited by NewsPoster; Jan 11, 2013 at 09:08 PM.
)
|
|
|
|
|
|
|
|
|
Forum Regular
Join Date: Sep 2000
Location: Newport News,VA,USA
Status:
Offline
|
|
I understand that this is a severe vulnerability but completely and compulsorily blocking the Java plugin is extreme. Many companies have internally developed Java applets to access databases and perform other functions. There are also games and other legitimate Java code out there. I understand that Apple probably would find it almost impossible to whitelist applets based on network source it's Oracle that needs to move!
|
Beware of geeks bearing Gifs
|
|
|
|
|
|
|
|
Senior User
Join Date: Jan 2007
Location: SF
Status:
Offline
|
|
I could be mistaken, but not all browsers comply with the XProtect thingee.
|
|
|
|
|
|
|
|
|
Senior User
Join Date: Apr 2001
Location: Victoria, Australia
Status:
Offline
|
|
They blocked the Java 7 *plugin*, not Java 7. That is a big difference. Java applications will still run on the Mac - just not in a browser. If they blocked Java 7, developers who work in Java (for example, web server back ends) would suddenly find they could no longer work on their Macs.
|
|
|
|
|
|
|
|
|
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status:
Offline
|
|
Thanks for pointing this out, the article has been revised to make that clearer.
|
Charles Martin
MacNN Editor
|
|
|
|
|
|
|
|
Fresh-Faced Recruit
Join Date: Jan 2013
Status:
Offline
|
|
Websites that require Java to run always inform the users that the plugin is required to view the content, so I don't see this as a big issue. By blocking it Apple makes sure that everything is safe for its users.
|
|
|
|
|
|
|
|
|
Forum Regular
Join Date: Sep 2000
Location: Michigan, USA
Status:
Offline
|
|
What's the final word on this? Do I need to take action to protect my Mac?
Will Sophos antivirus software, which I have installed and updated, catch and eradicate this if I do stumble across it?
|
MBP 17" Core i7 matte screen; iPad 16Gb 3G
|
|
|
|
|
|
|
|
Junior Member
Join Date: Aug 2007
Status:
Offline
|
|
|
|
|
|
|
|
|
|
|
Senior User
Join Date: Jan 2007
Location: SF
Status:
Offline
|
|
Jeff75. You should avoid accessing sites that use client side Java applets.
- How do you know if a site uses Java applets until you go there? You should make sure your Java security settings alert you to that. You get a warning that a site wants to put a client side applet on your machine.
- Will Sophos antivirus catch and eradicate "this" if I do stumble across it? That all depends on what "this" is. Between the time that a vulnerability is discovered and when the AntiVirus folk create a detection mechanism, there is a window of opportunity for your system to become compromised. In the event a known malware product leaves a detectable trace (specific actions, or specific files indicative of a compromise) your AntiVirus may well catch and block those specific actions, and/or eradicate the offending files (presuming your settings specify those AntiVirus remediation steps). The Java plugin vulnerability is typically an attack "vector", meaning, that's how they can get in. The damage is usually done by software the intruder installs after gaining access.
In short, yeah, maybe - or - almost certainly, eventually.
If you want to be as safe as you can, make sure your AV software, Java software, and browser plugins are up to date. Don't reduce security settings for expedience.
My 2 cents.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Forum Rules
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|