Apple barred Java from running on Macs in order to safeguard users by blocking Java 7 Update 11 and adding it to the banned list in XProtect.
This was the second time in two weeks that Apple had blocked Oracle's code from running on Macs. The threat was so serious that the U.S. Department of Homeland Security had recommended that all Java 7 users disable or uninstall the software until a patch was issued. This time Java is blocked through Apple's XProtect anti-malware feature.
Java has come under fire as the means by which hackers have been able to gain control of computers. In April 2012 more than 600,000 Macs were reported to have been infected with a Flashback Trojan horse that was being installed on people's computers with the help of Java exploits. Then in August Macs were again at risk due to a flaw in Java, this time around, there was good news for Mac users: Thanks to changes Apple has made, most of us were safe from the threat.
Unwilling to leave its customers open to potential threats Apple decided it's safer to block Java entirely.
In order to block older versions of Flash, Apple has updated its "Xprotect.plist" file so that any versions that come before the current one (version 11.6.602.171) cannot be used on a Mac. Users who have older versions of Flash installed will be greeted with an alert that says "Blocked plug-in," and Safari will prompt the user to update to a newer version.
Macs running OS X Snow Leopard and beyond are affected.
UPDATE for those running Lion or Mountain Lion:
Oracle on Friday February 1 released a new version reportedly addressing vulnerabilities seen with the last build.
Apple disabled Java 7 through the OS X XProtect anti-malware system, requiring users to have at least version "1.7.0_10-b19" installed on their Macs. The release dated February 1 carries the designation "1.7.0_13-b20," meeting Apple's requirements.
Oracle "strongly recommends" applying the CPU fixes as soon as possible, saying that the latest Critical Patch Update contains 50 new security fixes across all Jave SE products.
Update for Snow Leopard users:
Apple issued update 12 for Java for OS 10.6:
http://support.apple.com/kb/DL1573
Note: On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.
If, after installing Java for OS X 2013-002 and the latest version of Java 7 from Oracle, you want to disable Java 7 and re-enable the Apple-provided Java SE 6 web plug-in and Web Start functionality, follow these steps:
http://support.apple.com/kb/HT5559?viewlocale=en_US
Further update:
Apple issued this Java related security update No. 13 on February 19:
http://support.apple.com/kb/HT5666
and Update No. 14 on March 4: http://support.apple.com/kb/DL1573
http://support.apple.com/kb/HT5677
You should also read this:
https://support.apple.com/kb/HT5672
The standard recommendation is for users to turn off Java except when they have to use it on known and trusted websites (like their bank). Javascript, which is unrelated despite the name, can be left on.
Further useful comment in this article:
http://www.macworld.co.uk/macsoftware/news/?newsid=3435007&olo=email
