
Apple has blocked Java 7 Update 11 (and earlier)

10498 Views, 34 Replies. Latest reply: Feb 3, 2013 5:00 AM by Ken Kline
John Lockwood Level 5 (5,075 points)
Jan 31, 2013 3:34 AM

Apple has, via their XProtect anti-malware feature, blocked running the Java browser plug-in if it is version 7 Update 11 (or older) due to it being 'insecure'. Unfortunately, as happened on Thursday, January 10th 2013, when Apple blocked Java 7 Update 10 (or earlier), Oracle have not as yet issued a newer 'fixed' version. Last time it was not until Monday 14th Jan that Oracle issued a fixed version, so we could be waiting until February 4th if Oracle take as long again.

  • StarskyMarky

    I don't think this is correct. I think that Apple has blocked all Java versions from 7 1 through 22 so even if Oracle releases 7 12 it is still going to be blocked by Apple. This seems to be in an Apple plist but I am not brave enough or savvy enough to know if I can simply edit that plist and have it block only up to 7 10......

    I suspect we are going to be waiting for an Apple update which will amend this file - I hope it comes soon too

  • elvisimprsntr Level 1 (0 points)

    I thought I hosed my system.   Glad I keep a WinXP VM on my Mac. 

  • thomas_r. Level 7 (26,960 points)

    even if Oracle releases 7 12 it is still going to be blocked by Apple.

     

    No, that's incorrect. Apple blocked all versions of Java below 1.7.11.22 (i.e., a particular sub-version of Java 7u11). When Oracle releases Java 7u12, that will be 1.7.12.x, which will work fine again.

     

    This seems to be in an Apple plist but I am not brave enough or savvy enough to know if I can simply edit that plist and have it block only up to 7 10...

     

    I don't advise doing that, because Apple has very good reasons for blocking the versions of Java that they did. You really don't want to be crippling your computer's security if you can help it.

     

    If you absolutely require Java, you certainly can edit the plist file you refer to, but any consequences will be on your head. And I'd say that if you require Java, it's probably time for you to start finding ways to get things done without it, if possible. For example, many people have complained because they can't access their bank sites without Java... I'd say, time to get a new bank that doesn't use insecure technology to access your account! Would you trust your money to a bank that used an old-fashioned skeleton key to lock up the vault?

  • ronc_laemigre
    Jan 31, 2013 8:16 AM (in response to thomas_r.)

    My understanding right now is that there are vulnerabilities in Java (shocker!) that are unpatched by the vendor. At this point there are no reports of those vulnerabilities being publicly exploited. Apple should not be turning off functionality for its users that have installed software because of a proof-of-concept vulnerability with no exploit code available and no patch. Security-conscious organizations and individuals can take additional precautions, but hand-editing a plist file that Apple will update or overwrite in the future is not the right approach in my mind.

  • Gadget Level 1 (25 points)
    Jan 31, 2013 8:43 AM (in response to thomas_r.)

    This is a simplistic answer and avoids the issue of the company installing software without the user's permission, no matter whether it may wreak havoc or not. (I guess it really is 1984!) There are government-run aviation-related websites people use to gather critical information, and that still use Java. (And we all know how long it takes the government to change.) I can find that data elsewhere, but it takes more work, longer, and makes the user have to piece together data that is intuitively obvious. I haven't checked yet to see if I might still be able to get the websites I need using XP in a virtual environment (which admittedly is safer), but I still object to silent pushes in principle, and I have told Apple so via their feedback page. If Apple continues to expand such behavior, I'll be leaving OS X and iOS behind. It's only a matter of time.

  • ronc_laemigre Level 1 (0 points)

    There is no non-vulnerable Java version. The security experts that have submitted bug reports to Oracle think there are at least two years worth waiting in the queue. If I have the latest version of Java installed I theoretically need it for some reason and Apple should not be disabling it unless there is an immediate threat and an available patch. The criteria for legitimate software has to be different than malware.

  • thomas_r. Level 7 (26,960 points)

    At this point there are no reports of those vulnerabilities being publicly exploited. Apple should not be turning off functionality for its users that have installed software because of a proof-of-concept vulnerability

     

    There are no reports of exploits.

     

    To me, the timing of this is suspicious. Three weeks ago, when the news broke of a vulnerability that was being actively exploited, Apple reacted within less than 24 hours and blocked the insecure plug-ins. On the 16th, and then again on the 18th, a total of three new vulnerabilities were discovered in Java. So why is Apple reacting to this just now, two weeks later? We should not make the assumption that, just because we haven't heard anything, Apple hasn't seen a reason to be more concerned than they were two weeks ago.

  • ronc_laemigre Level 1 (0 points)
    Jan 31, 2013 9:59 AM (in response to thomas_r.)

    I don't doubt that there may be exploits, and I would hope that Apple knows more about what exploits are out there than I do. From a risk evaluation standpoint, you don't turn off something for everyone when they have no recourse except to hand-edit files or use a different platform. If you have to use Java you are stuck; not a very user-friendly approach. Disabling the Java plugin even more aggressively is certainly warranted, but there needs to be an easier way to turn back on needed functionality than Apple is providing.

  • thomas_r. Level 7 (26,960 points)

    Given Java's history over the last couple years, I'd say that it SHOULD be difficult for the user to turn it back on. The average user likes pushing buttons even without full understanding of what those buttons do, and turning a vulnerable version of Java on in the web browser is highly dangerous activity.

     

    However, I agree that Apple needs to alert the user somehow.

  • ronc_laemigre Level 1 (0 points)
    Jan 31, 2013 10:24 AM (in response to thomas_r.)

    From the perspective of malware and trying to keep users from hurting themselves, I agree a simple "do you really want to do this?" is sometimes not the best approach. However, for an end user that has to use Java applications, breaking the functionality and not providing an easy way to recover is not good either.

     

     

    Doing more with Gatekeeper to prevent unsigned executable code is a better cure in my mind. There is a Java vulnerability. If the attacker can't deliver a payload you do have some mitigation.

  • Lanny Level 5 (4,165 points)

    Protection in action:

    [screenshot attached: Screen Shot 2013-01-31 at 2.29.45 PM.png]

  • Shawn.Hank

    This is BS. Folks that develop in Java and run it on OS X should 1) Be told there is an update and what it does 2) Give the user who paid a premium for the Apple Hardware and Software that they purchased the option to install or not install.

     

    The idea of Apple telling everyone that "we know what's best for you.." is crap.

     

    Here's what I did to fix what Apple broke:

     

    The Auto Anti-Malware is installed in the following location:

     

       navigate to /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/

     

    The two files you want to look for are: XProtect.meta.plist and XProtect.plist.

     

    Launch Time Machine to yesterday and find these two files and restore them. You will get a prompt to replace existing or keep both. I kept both. The time machine backup files have ..(original) in the file name. I renamed the new files (date time stamp of 3:46 pm today) and the renamed the ..(original) files by deleting the (original)...

     

    Restarted my browser and I am good to go.

     

    Java web start works and I am able to continue my test and dev work.
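Two posts above give the pieces a practitioner would want to check for themselves: thomas_r. states the block applies to Java plug-in versions below 1.7.11.22, and Shawn.Hank gives the location of XProtect.meta.plist under /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/. The following is an added example, not code from the thread or from Apple, that parses such a plist and decides whether a given plug-in bundle version falls under the listed minimum. The embedded plist is a constructed sample: the key names (JavaWebComponentVersionMinimum, PlugInBlacklist, MinimumPlugInBundleVersion) and the Oracle and Adobe bundle identifiers are my assumptions about the file's layout at the time, so verify them against the real file before relying on the output. The version comparison is numeric per component, which is the detail that makes 1.7.12.0 count as "above" 1.7.11.22 while a naive string comparison would get 1.7.9.5 wrong.

```python
"""Check an installed plug-in version against the minimums in XProtect.meta.plist.

Added example, not from the original thread. The plist text below is a
constructed sample; the key layout is an assumption about the 2013-era file.
"""
import plistlib

# Path given in Shawn.Hank's post; only used if you call read_system_meta() on a Mac.
XPROTECT_META_PATH = ("/System/Library/CoreServices/CoreTypes.bundle/"
                      "Contents/Resources/XProtect.meta.plist")

# Constructed sample plist (assumed layout, not a copy of Apple's file).
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>JavaWebComponentVersionMinimum</key>
    <string>1.7.11.22</string>
    <key>PlugInBlacklist</key>
    <dict>
        <key>10</key>
        <dict>
            <key>com.oracle.java.JavaAppletPlugin</key>
            <dict>
                <key>MinimumPlugInBundleVersion</key>
                <string>1.7.11.22</string>
            </dict>
            <key>com.macromedia.Flash Player.plugin</key>
            <dict>
                <key>MinimumPlugInBundleVersion</key>
                <string>11.3.300.271</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""


def parse_version(text):
    """Turn '1.7.11.22' into (1, 7, 11, 22) so comparison is numeric, not lexical.

    Non-digit suffixes such as '22b' are stripped; an empty component counts as 0.
    """
    parts = []
    for component in text.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is strictly below b; shorter tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def load_minimums(plist_bytes):
    """Return {bundle_id: minimum_version} from every PlugInBlacklist entry,
    plus the standalone Java web component minimum if present."""
    meta = plistlib.loads(plist_bytes)
    minimums = {}
    for _os_version, plugins in meta.get("PlugInBlacklist", {}).items():
        for bundle_id, info in plugins.items():
            minimums[bundle_id] = info["MinimumPlugInBundleVersion"]
    if "JavaWebComponentVersionMinimum" in meta:
        minimums["JavaWebComponentVersionMinimum"] = meta["JavaWebComponentVersionMinimum"]
    return minimums


def is_blocked(plist_bytes, bundle_id, installed_version):
    """A plug-in is blocked iff its version is below the listed minimum.

    Bundles not listed in the plist are not blocked by this mechanism at all.
    """
    minimums = load_minimums(plist_bytes)
    if bundle_id not in minimums:
        return False
    return version_lt(installed_version, minimums[bundle_id])


def read_system_meta(path=XPROTECT_META_PATH):
    """Read the live XProtect.meta.plist on a Mac; feed the result to is_blocked()."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    java = "com.oracle.java.JavaAppletPlugin"
    for candidate in ("1.7.9.5", "1.7.11.21", "1.7.11.22", "1.7.12.0"):
        state = "BLOCKED" if is_blocked(SAMPLE_XPROTECT_META, java, candidate) else "allowed"
        print(f"{java} {candidate}: {state}")
```

On a Mac, replace SAMPLE_XPROTECT_META with read_system_meta() to test against the file actually installed; the constructed sample exists only so the script runs anywhere.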

  • Richard Liu2 Level 1 (5 points)

    This is weird. Last time we got reports of exploits before Apple updated its blacklist, but this time we haven't yet heard any bad news about Java.

     

    And it's not only Apple; Mozilla had also blocked Java by default in their Firefox release a few days ago, though you can still re-enable Java in Firefox manually.

     

    Has something really, really nasty happened in the past few days that we don't know about yet?
