Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Apple has blocked Java 7 Update 11 (and earlier)

Apple has via their Xprotect anti-malware feature blocked running the Java browser plug-in if it is version 7 Update 11 (or older) due to it being 'insecure'. Unfortunately like what happened on Thursday January 10th 2013 when Apple blocked Java 7 Update 10 (or earlier) Oracle have as of yet not issued a newer 'fixed' version. Last time it was not until Monday 14th Jan that Oracle issued a fixed version so we could be waiting until February 4th if Oracle take as long again.

Posted on Jan 31, 2013 3:32 AM

Reply
34 replies

Jan 31, 2013 5:20 AM in response to John Lockwood

I don't think this is correct. I think that Apple has blocked all Java versions from 7 1 through 22 so even if Oracle releases 7 12 it is still going to be blocked by Apple. This seems to be in an Apple plist but I am not brave enough or savvy enough to know if I can simply edit that plist and have it block only up to 7 10......

I suspect we are going to be waiting for an Apple update which will amend this file - I hope it comes soon too

Jan 31, 2013 7:37 AM in response to StarskyMarky

even if Oracle releases 7 12 it is still going to be blocked by Apple.


No, that's incorrect. Apple blocked all versions of Java below 1.7.11.22 (ie, a particular sub-version of Java 7u11). When Oracle releases Java 7u12, that will be 1.7.12.x, which will work fine again.


This seems to be in an Apple plist but I am not brave enough or savvy enough to know if I can simply edit that plist and have it block only up to 7 10...


I don't advise doing that, because Apple has very good reasons for blocking the versions of Java that they did. You really don't want to be crippling your computer's security if you can help it.


If you absolutely require Java, you certainly can edit the plist file you refer to, but any consequences will be on your head. And I'd say that if you require Java, it's probably time for you to start finding ways to get things done without it, if possible. For example, many people have complained because they can't access their bank sites without Java... I'd say, time to get a new bank that doesn't use insecure technology to access your account! Would you trust your money to a bank that used an old-fashioned skeleton key to lock up the vault?

Jan 31, 2013 8:16 AM in response to thomas_r.

My understanding right now is that there are vulnerabilities in Java (shocker!) that are unpatched by the vendor. At this point there are no reports of those vulnerabilities being publicly exploited. Apple should not be turning off functionality for it's users that have installed software because of a Proof-of-concept vulnerability with no exploit code available and no patch. Security conscious organizations and individuals can take additionnal precautions but hand-editing a plist file that Apple will update or overwrite in the future is not the right approach in my mind.

Jan 31, 2013 8:43 AM in response to thomas_r.

This is a simplistic answer and avoids the issue of the company installing software without the user's permission, no matter whether it may wreak havoc or not. (I guess it really is 1984!) There are government run aviation related websites people use to gather critical information and that still use Java. (And we all know how long it takes the government to change.) I can find that data elsewhere, but it takes more work, longer, and makes the user have to piece together data that is intuitively obvious. I haven't checked yet to see if I might still be able to get the websites I need using XP in a virtual environment (which admittedly is safer), but I still object to silent pushes in principle, and I have told Apple so via their feedback page. If Apple continues to expand such bevavior, I"ll be leaving OS X and iOS behind. It's only a matter of time.

Jan 31, 2013 8:57 AM in response to Gadget

It is possible as the owner/user of the Mac to enable/disable the downloading of updates to Apple's Xprotect system. Normally you would want this enabled to block Malware automatically. It is however an all or nothing setting.


In this case it has disabled the vulnerable Java version.


You can see the setting in System Preferences -> Security & Privacy


and then after unlocking the preference pane, click on Advanced... you can then see a tick box for 'Automatically update safe download list' which is the Xprotect list.

Jan 31, 2013 9:04 AM in response to John Lockwood

There is no non-vulnerable Java version. The security experts that have submitted bug reports to Oracle think there are at least two years worth waiting in the queue. If I have the latest version of Java installed I theoretically need it for some reason and Apple should not be disabling it unless there is an immediate threat and an available patch. The criteria for legitimate software has to be different than malware.

Jan 31, 2013 9:43 AM in response to ronc_laemigre

At this point there are no reports of those vulnerabilities being publicly exploited. Apple should not be turning off functionality for it's users that have installed software because of a Proof-of-concept vulnerability


There are no reports of exploits.


To me, the timing of this is suspicious. Three weeks ago, when the news broke of a vulnerability that was being actively exploited, Apple reacted within less than 24 hours and blocked the insecure plug-ins. On the 16th, and then again on the 18th, a total of three new vulnerabilities were discovered in Java. So why is Apple reacting to this just now, two weeks later? We should not make the assumption that, just because we haven't heard anything, Apple hasn't seen a reason to be more concerned than they were two weeks ago.

Jan 31, 2013 9:59 AM in response to thomas_r.

I don't doubt that there may be exploits and I would hope that Apple knows more about what exploits are out there than I do. From a risk evaulation you don't turn off something for everyone when they have no recourse except to hand edit files or use a different platform. If you have to use Java you are stuck, not a very user friendly approach. Disabling the java plugin even more aggressively is certainly warranted but there needs to be an easier way to turn back on needed functionality than Apple is providing.

Jan 31, 2013 10:05 AM in response to ronc_laemigre

Given Java's history over the last couple years, I'd say that it SHOULD be difficult for the user to turn it back on. The average user likes pushing buttons even without full understanding of what those buttons do, and turning a vulnerable version of Java on in the web browser is highly dangerous activity.


However, I agree that Apple needs to alert the user somehow.

Jan 31, 2013 10:24 AM in response to thomas_r.

From the perspective of malware and trying to help users form not hurting themselves I agree a simple do you really wan to do this is sometimes not the best approach. However an end user that has to use Java applications breaking the functionality and not providing an easy way to recover is not good either.



Doing more with Gatekeeper to prevent unsigned executable code is a better cure in my mind. There is a Java vulnerability. If the attacker can't deliver a payload you do have some mitigation.

Jan 31, 2013 8:30 PM in response to John Lockwood

This is BS. Folks that develop in Java and run it on OS X should 1) Be told there is an update and what it does 2) Give the user who paid a premium for the Apple Hardware and Software that they purchased the option to install or not install.


The idea of Apple telling everyone that "we know what's best for you.." is crap.


Here's what I did to fix what Apple broke:


The Auto Anti-Malware is installed in the following location:


navigate to /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/


The two files you want to look for are: XProtect.meta.plist and XProtect.plist.


Launch Time Machine to yesterday and find these two files and restore them. You will get a prompt to replace existing or keep both. I kept both. The time machine backup files have ..(original) in the file name. I renamed the new files (date time stamp of 3:46 pm today) and the renamed the ..(original) files by deleting the (original)...


Restarted my browser and I am good to go.


Java web start works and I am able to continue my test and dev work.

Jan 31, 2013 11:47 PM in response to John Lockwood

This is weird. Last time we got reports of exploits before Apple update it's blacklist, but this time we haven't yet heard any bad news about Java.


And it's not only Apple; Mozilla had also blocked Java by default in their FireFox release a few days ago, though you can still re-enable Java in FireFox manually.


Is there something really, really nasty happened in the past few days, and we don't know yet ?

Feb 1, 2013 4:32 AM in response to Shawn.Hank

Good point Shawn,


There will come a time that Apple will lock Mac OS X down like they did to iOS. This will be done for security reasons, of course, to protect the user.



With less effort and resources going into OS X, they will start trimming on the edges and Java on the Mac is on the list to go. See what has happened with Flash, it will soon happen to Java.


OSX now includes a store: in the future, there would probably be no other way to install software, but buying it from the App Store.


And someday, there will be no other way to create software for the Mac than 'Objective-C'.


<Edited By Host>

Apple has blocked Java 7 Update 11 (and earlier)

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.