Apple Remotely Disables Java on Macs After Major Security Alert


The U.S. Department of Homeland Security has urged computer users to disable Java immediately, following a security researcher's warning of a serious exploit. Apple has already responded by blacklisting the Java plug-in, up to and including the current Java 7 Update 10 (build 1.7.0_10-b18), through its remotely updated XProtect mechanism in OS X.

On January 10, the U.S. Computer Emergency Readiness Team (US-CERT) pointed to Software Engineering Institute Vulnerability Note VU#625617, which says: "Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system."

No fixed version of Java is available yet, so the only mitigation is to disable the Java plug-in in the browser. The agency also noted that "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Apple has already responded by disabling the Java plug-in on Macs that have it installed, without shipping a software update. OS X's XProtect mechanism carries a plug-in blacklist, XProtect.meta.plist, that Apple can update remotely; raising the Java plug-in's minimum allowed bundle version above the current release is enough to stop Safari from loading it. The blacklist is honored by Safari; Firefox maintains its own plug-in blocklist and is not affected by the XProtect change.

To find out whether a Java runtime is installed on your Mac at all, open a Terminal window and enter:

java -version

If no runtime is installed, OS X will offer to download one; since the current release is the vulnerable one, you should decline for now. Note that this command reports the Java runtime, not the browser plug-in: an installed runtime stays usable by standalone Java applications even while the plug-in is blacklisted.

The exploit was discovered by a French researcher known as "Kafeine," who first described the problem.

Because Apple has blacklisted the Java plug-in, Safari will refuse to run applets, showing a "blocked plug-in" placeholder instead. Java applications launched outside the browser are unaffected. For belt-and-braces protection, or in a browser that does not honor the XProtect list, you can also uncheck "Enable Java" under Safari > Preferences > Security, or disable the Java plug-in in that browser's own settings.


Comments

brett_x

Hear me out.
This is really troubling. Not that there is a vulnerability, or that there is an exploit. But that Apple decides to remotely disable Java without any way of re-enabling it.
I know Apple means well, but suppose this scenario:  You’re a systems administrator (or a security administrator) working for a company with multiple locations that span thousands of miles.  You have a Mac. Your company has Juniper SSL VPN’s to allow you to connect to your remote locations to administer security patches (including Java updates) to all of your systems.

Juniper VPN’s rely on Java to assert certain requirements of computers connecting to networks.

Today, without warning, you can no longer get to your network. Because Apple says you can’t.

What do you do?

Bosco (Brad Hutchings)

What do you do?

Get a Windows PC.

brett_x

Wow, Bosco. Trolling much?

Bosco (Brad Hutchings)

Seeing as Java has not been disabled on my Windows 7 lapper, it seemed like the suggestion might help you get on your network.

kricken nexx

Agreed, this may be an example where it is more forgivable, but Apple’s “this is for your own good, deal with it” style of computer parenting gets old fast for anyone who isn’t using their first computer.  I often get the feeling that my MacBook and my iDevices aren’t really mine at all; it’s more like I’m just borrowing them from Apple.  If I ever use them in a way they didn’t pre-approve of, they might show up and take them away.  Or just remotely disable them.

Lee Dronick

I ran the Terminal command and it returned this

java version “1.6.0_37”
Java(TM) SE Runtime Environment (build 1.6.0_37-b06-434-11M3909)
Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01-434, mixed mode)

What does that mean?

albatross

“I ran the Terminal command and it returned this

java version “1.6.0_37”
Java(TM) SE Runtime Environment (build 1.6.0_37-b06-434-11M3909)
Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01-434, mixed mode)

What does that mean?”

Same here.

John Martellaro

It means that you have installed a very old version of the Java Runtime. But if the Java plug-in is disabled, thanks to Apple, malicious applets can’t access it.

Lee Dronick

Thanks John. Is it a good idea to remove it even though I have Java disabled?

John Martellaro

Lee: if you’ll need Java later and expect to update to a secure version, it’s okay to leave it there, dormant.

Tiger

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.

Guess that doesn’t count for much?

Or would you want your entire network hacked simultaneously?

Just asking

Tiger

As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but all versions from 4 through 7.

Swiss Cheese software…...

jp64

So, how do I disable it?  Using Safari Preferences, Security, and unchecking Java?  Or do I have to delete it off the hard drive?

John Martellaro

JP64: You don’t have to. Apple has blacklisted the plug-in in the Xprotect file. The plug-in itself is in /Library/Internet Plug-ins, but you can leave it there for the day when it’s no longer blacklisted. No need to mess with the Safari Prefs either.

Intruder

How do we know that it has been blacklisted and disabled on our computer? Is there a way to check?

jp64

Ok..Thanks!!!

John Martellaro

Intruder,
The file of interest is:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

You have to know how to dig into Package Contents. Mine was updated on 10 Jan 2013 at 22:48 GMT.

There is an entry that blacklists anything earlier than Java 1.7.10.19:

<key>com.oracle.java.JavaAppletPlugin</key>
<dict>
  <key>MinimumPlugInBundleVersion</key>
  <string>1.7.10.19</string>
</dict>

I haven’t seen anything on a safe test site URL where you can go to confirm that the plug-in really is disabled.  If I find one, I’ll post it here.
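The two checks above, the `java -version` command in the article and the XProtect.meta.plist entry quoted in this comment, can be scripted together. The following shell script is an added example and is not code from the article or from any commenter. It assumes only the two file paths named on the page, and it embeds constructed sample plists (marked as such in the code) that stand in for the real files when they are absent, so it runs on any machine. The 1.7.10.18 bundle version in the sample plug-in plist is an assumption about what Java 7 Update 10 reports.

```shell
#!/bin/sh
# Added example, not code from the article or any commenter. It reads the
# XProtect.meta.plist entry for the Java Applet plug-in, reads the plug-in's
# own bundle version, and reports whether Apple's blacklist applies. The two
# paths are the ones named on the page; the sample plists are constructed.

XPROTECT_META=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
PLUGIN_INFO="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist"

# Constructed sample with the same shape as the XProtect entry in the comment.
SAMPLE_XPROTECT='<plist version="1.0"><dict>
<key>PlugInBlacklist</key><dict><key>10</key><dict>
<key>com.oracle.java.JavaAppletPlugin</key>
<dict>
  <key>MinimumPlugInBundleVersion</key>
  <string>1.7.10.19</string>
</dict>
</dict></dict></dict></plist>'

# Constructed sample of a plug-in Info.plist; 1.7.10.18 is assumed to be the
# bundle version of Java 7 Update 10 (build 1.7.0_10-b18).
SAMPLE_PLUGIN='<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.oracle.java.JavaAppletPlugin</string>
<key>CFBundleVersion</key><string>1.7.10.18</string>
</dict></plist>'

# Emit a plist as XML on stdout; plug-in Info.plist files are often binary.
plist_xml() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

# Print the <string> that follows <key>$1</key> in plist XML read from stdin.
# A minimal awk scan, enough for the flat key/value pairs used here.
plist_string() {
    awk -v k="<key>$1</key>" '
        index($0, k) { want = 1 }
        want && match($0, "<string>[^<]*</string>") {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }'
}

# Print the MinimumPlugInBundleVersion XProtect imposes on the Java Applet
# plug-in (stdin is XProtect.meta.plist as XML); prints nothing if unlisted.
xprotect_java_minimum() {
    awk '
        index($0, "<key>com.oracle.java.JavaAppletPlugin</key>") { injava = 1 }
        injava && index($0, "<key>MinimumPlugInBundleVersion</key>") { want = 1 }
        want && match($0, "<string>[^<]*</string>") {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }'
}

# True (exit 0) when dotted version $1 is older than $2. Components are compared
# numerically from the left; a missing component counts as 0 (1.7 < 1.7.10.19).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
    done
    return 1
}

# blocked / allowed / not-listed for installed version $1 against minimum $2.
java_plugin_status() {
    if [ -z "$2" ]; then echo "not-listed"
    elif version_lt "$1" "$2"; then echo "blocked"
    else echo "allowed"
    fi
}

# Top level: use the real files where they exist, the constructed samples otherwise.
if [ -r "$XPROTECT_META" ]; then
    min=$(plist_xml "$XPROTECT_META" | xprotect_java_minimum)
else
    min=$(printf '%s\n' "$SAMPLE_XPROTECT" | xprotect_java_minimum)
    echo "no $XPROTECT_META here; using the constructed sample"
fi
if [ -r "$PLUGIN_INFO" ]; then
    cur=$(plist_xml "$PLUGIN_INFO" | plist_string CFBundleVersion)
else
    cur=$(printf '%s\n' "$SAMPLE_PLUGIN" | plist_string CFBundleVersion)
    echo "no Java Applet plug-in here; using the constructed sample"
fi
echo "XProtect minimum: ${min:-none}; installed plug-in: ${cur:-none}; status: $(java_plugin_status "$cur" "$min")"
```

On a Mac, run it with sh. A status of blocked means Safari will show the plug-in as blocked, which matches what the java.com test page reports as a missing plug-in. The comparison is numeric per component, so it handles a future 1.7.10.19 or 1.7.11.x correctly; it says nothing about Firefox, which keeps its own plug-in blocklist rather than reading XProtect.meta.plist.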

iJack

Letter for letter, I got the same terminal return as did Lee.

I still can’t believe that Apple didn’t warn me, or notify me in some way, even after the fact.  And now that Big Bother (not a typo) has made us all Java-free, how will this affect my daily computing life?  I have several Java-based apps, and then there’s the internet…

iJack

PS:  With any luck, Brad’s PeeCee will get Java-Syphilis, and die.

Bosco (Brad Hutchings)

It won’t because I use Chrome and it asks me permission to run any Java applet it encounters. It is good to see that Stockholm Syndrome is still in full effect here.

iJack

Not really, Brad.  That would mean that I have something against PCs, and/or MS Windows.  I don’t care about them one way or the other; they’re just different from what I use.

It’s you I can’t stand.

dhp

Unbelievable timing. I was trying for the first time to use a Java applet for a medical device research study I am participating in. I was getting very frustrated not being able to get the applet to run. Then a google search led me to a post about Apple disabling Java. I was able to run the applet through Firefox. I’m glad Apple is being proactive, but there needs to be some kind of notification other than “blocked plugin.”

davebarnes

So, Apple updated my Mac without my knowledge.
Not happy about that.
How do I prevent Apple from doing that?

John Martellaro

Intruder,
I’m hesitant to get into this, but here goes.
The Java test page is at:

http://www.java.com/en/download/testjava.jsp

Basically, if you don’t see your machine info, Java is disabled.

However, there are many variables involved: whether the Java Runtime is installed, whether your browser plug-in is present, (Firefox simply yanked theirs.) whether you’ve disabled the plug-in in the browser and whether Apple has blacklisted the plug-in. The test page doesn’t sort all that out.

Intruder

Says the plugin is missing. I assume that is the response I should get after Apple disabled it remotely.

J. Charles Holt

Interestingly, I discovered that the update from Apple did not prevent Java 6 from running. I checked the XProtect file to make sure it was updated to the January 10th version, yet Oracle’s Java test ran perfectly. This is important, and should probably be clarified in the article.

John Martellaro

Mr. Holt.  That’s amazing.  The XProtect file appears to block the current Java 7 and any prior version.

Readers: If this happens to you, disable Java in your browser.  In Safari, it’s in Preferences -> Security. Then uncheck the “Enable Java” box.

Stephan Grilli

How about JavaScript ? Should it also be unchecked in Safari’s security in addition to Java ? Many websites require JavaScript to work.

John Martellaro

Mr. Grilli:  Java and Javascript are totally unrelated languages. No worries with Javascript.

Anonymous

thepiratebay.se and various other file sharing sites have been compromised.  If you visit The Pirate Bay a file called “your_file_download.exe” will download automatically without your consent or knowledge .  If you run across this file delete it immediately and of course DONT OPEN IT!

rec

John Martellaro,
I have a Mac with Java for OS X 2012-006 installed and I wanted to make sure that Apple has really disabled the plug-in, but when I looked in Library/Internet Plug-ins it has no files, and the CoreTypes.bundle in System Library/CoreServices also has zero content. I assume this means that Java is not disabled, so I have removed the check in Enable plug-ins and Enable Java in Safari Security. Is that OK?


penguins

I can’t believe so many of you Apple users are just cool with this remote disabling stuff. Can you imagine the fracas if, say, Google tried something like this on Android?

J. Charles Holt

Yeah, but we’re not on Android. Most Apple users chose the platform because they’re OK with the level of control that Apple has—the “walled garden” so to speak. It eliminates a lot of the problems that people experience on other platforms. But, as you’ve noted, it creates a few of its own. Such is life, it’s all about compromise.

John Martellaro

penguins: I didn’t mention it in the article, but some people I’ve talked to think Apple should have let the customer know what’s happening. Offer expert users a chance to decline.

On the other hand, time has shown that users are notorious for neglecting security issues. This one was potentially serious, and I can’t blame Apple for acting.  Only for not notifying the customer.

Apple has the perfect tool now with the Notification Center and didn’t use it.
