7 Replies Latest reply: Feb 4, 2013 6:39 PM by thomas_r.
BiggestMouseOfWorld Level 1 (0 points)

Is it possible to bypass the Java plugin blacklisting set today? A lot of internet applications all around the world use Java plugin technology. That's unbelievable!


OS X Mountain Lion (10.8.2), New XProtect.plist
  • 1. Re: Is possible to bypass javaplugin blacklisting ?
    thomas_r. Level 7 (27,945 points)

    Yes, it certainly is unbelievable that so many applications still use Java, despite the security nightmare that it has become!

     

    There are ways to get around this, though I would not recommend any of them as they will cause short-term security issues, and may also introduce long-term security issues if using them results in future failures to properly update the file you would have to modify. You would be strongly advised to find other ways to get things done, and avoid Java entirely, rather than deliberately poke holes in the systems designed to keep you secure online.

  • 2. Re: Is possible to bypass javaplugin blacklisting ?
    BiggestMouseOfWorld Level 1 (0 points)

    This site is written in Java.

    No Flash plugin, no Java plugin. What about the next step? Use only technology Apple recommended? Navigate only on Apple-recommended web sites?

    Let the user choose whether to disable and run at their own risk, or leave the plugin enabled, or enabled only for particular websites (HTTPS and certified, for example).

    I know that it is possible to manually modify the XProtect.meta.plist blacklist, but... it's not for the greater part of users!

    This is a strong decision... In my opinion it is a wrong decision.

    Wait for the new updated, patched version and THEN deprecate the previous one...

    It's a crazy policy. Consider that the vulnerabilities have been known for one year!

  • 3. Re: Is possible to bypass javaplugin blacklisting ?
    William Lloyd Level 6 (19,355 points)

    What are you talking about?  The Apple Support Communities site may be written in Java (I don't know), but it does not REQUIRE the Java plug-in.  I have Java disabled in my browser and haven't come across any site that requires Java in years.

     

    The only real application I know that needs it is Juniper's SSL VPN client.

  • 4. Re: Is possible to bypass javaplugin blacklisting ?
    thomas_r. Level 7 (27,945 points)

    What about the next step? Use only technology Apple recommended? Navigate only on Apple-recommended web sites?

    The next step is in Oracle's hands. This has nothing to do with only using things that Apple endorses; it has to do with massive security problems with Java. Pretty much every security organization in the world, as well as the US Department of Homeland Security and probably a number of other government organizations, recommends disabling Java in the web browser.

    It's a crazy policy. Consider that the vulnerabilities have been known for one year!

    Not true. The current version of Java includes three vulnerabilities that I'm aware of. One is based on an old bug, but the other two are not, and all three were discovered in the last 2 weeks. Prior to that, a new vulnerability was discovered on January 10, and fixed in Java 7u11. Last year, Java repeatedly fell victim to exploits that took advantage of a constant stream of new vulnerabilities, some of which resulted in one of the largest-scale infections in Mac history. (See About the Flashback malware.)

    This is not a made-up concern, it's a very real threat, and I, for one, am glad to see Apple taking it seriously.

  • 5. Re: Is possible to bypass javaplugin blacklisting ?
    BobCov Level 1 (0 points)

    My advice:  While I think it is fine to warn people they MAY be making a mistake, it's just obnoxious to not answer the question. Not everybody here is drinking the Cupertino Kool-Aid. I too need to do the same thing this questioner asked about. I too need an answer, not a nanny.

  • 6. Re: Is possible to bypass javaplugin blacklisting ?
    Barney-15E Level 8 (35,280 points)

    BobCov wrote:

     

    My advice:  While I think it is fine to warn people they MAY be making a mistake, it's just obnoxious to not answer the question. Not everybody here is drinking the Cupertino Kool-Aid. I too need to do the same thing this questioner asked about. I too need an answer, not a nanny.

    Just disable XProtect updates in the Security System Prefs. The nanny won't be taking care of you and you can fend for yourself.

  • 7. Re: Is possible to bypass javaplugin blacklisting ?
    thomas_r. Level 7 (27,945 points)

    I too need an answer, not a nanny.

     

    The problem is gone. Just go get the latest version of Java. It was released on Friday.