Apple Remotely Blocks Java OS X Web Plugin for the Second Time


Apple Blocks Java Again

A major security breach in Oracle’s Java 7 browser plugin earlier this month caused Apple to remotely disable Java for all OS X Safari users. Oracle updated Java to address the security issues, but after a short delay Apple has again remotely blocked Java on OS X, as reported by French site MacGeneration.

In early January, the U.S. Department of Homeland Security issued an urgent warning to computer users that a serious exploit had been found in the popular Java plugin. Java had already been the source of several past OS X vulnerabilities, so the Cupertino company proactively disabled the plugin in Safari rather than risk another security crisis.

Apple used OS X’s built-in “Xprotect” anti-malware system, which was introduced in 2009 with OS X 10.6 Snow Leopard. The company configured the system so that a minimum version number of Java had to be installed in order for the plugin to run automatically. As a precaution, Apple set the version number to one that did not yet exist.

A few days after the news broke, Oracle released an update to address the vulnerabilities and changed the version number so that Xprotect would no longer block it. Unfortunately, MacRumors points out that security researchers found that Oracle addressed only one of the two vulnerabilities, leaving the plug-in a serious security threat.

In response, Apple today again updated Xprotect to block the current version of Java, 1.7.0_11-b21, by setting a minimum version number of 1.7.0_11-b22.
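The minimum-version gate described above can be modelled in a few lines. This is an added example, not Apple's or Oracle's code: the function names are hypothetical, the comparison rule (installed version must be at least the minimum) is an assumption based on the article's description, and every version string other than the two quoted in the article is constructed sample input.

```python
import re

# Java version strings in the form quoted in the article: 1.7.0_11-b21
# (major.minor.patch, optional _update, optional -bBUILD).
_JAVA_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text):
    """Return (major, minor, patch, update, build) as ints; missing parts are 0."""
    match = _JAVA_VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def plugin_allowed(installed, minimum):
    """Model of a minimum-version gate: allow only if installed >= minimum."""
    required = parse_java_version(minimum)  # a malformed policy value raises
    try:
        current = parse_java_version(installed)
    except ValueError:
        return False  # fail closed on an installed version we cannot parse
    # Tuple comparison is numeric per field, so update 9 sorts below update 11.
    # A plain string comparison would get that case wrong.
    return current >= required


def report(installed_versions, minimum):
    """Map each installed version string to its allow/block decision."""
    return {version: plugin_allowed(version, minimum) for version in installed_versions}


if __name__ == "__main__":
    minimum = "1.7.0_11-b22"  # minimum set by Apple, per the article
    samples = [
        "1.7.0_9-b05",   # constructed: older update
        "1.7.0_11-b21",  # current Oracle release, per the article
        "1.7.0_11-b22",  # constructed: a build that would meet the minimum
        "1.7.0_12-b01",  # constructed: a later update
    ]
    for version, allowed in report(samples, minimum).items():
        print(f"{version:>14}  {'allowed' if allowed else 'blocked'}")
```

Because the minimum sits one build above the shipping release, every version available at the time is blocked, and only a future release with a higher build or update number would pass the gate.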

For those interested in learning more about the Java exploit, TMO’s John Martellaro has a detailed explanation of the risks and instructions on how users can check to see if they are vulnerable.

Those using software that relies on the desktop version of Java, which is separate from the browser plugin, need not take further action at this time. Those applications, such as CrashPlan, are still functional and there are no known vulnerabilities for that configuration.


Comments

John

I guess Apple doesn’t feel the need to inform their customers about silently overriding and breaking their systems. Users should decide this. This one was even more infuriating because all the advice on how to fix this came from comments after the last break where there was a workaround (that no longer works). Also, if they’re going to break Safari like this they shouldn’t continue to pretend there’s a workaround with the dialog telling people to upgrade Java. Idiots. Incidentally, Chrome is not a workaround as it uses the same plugin configuration as Safari. Firefox is a workaround.

Ryan

Yeah no it doesn’t work in Firefox for me either. I’m still running 10.6.8 which had Apple’s retarded version of Java. I had to launch windows in parallels to use java in IE. I’ve spent hours messing with this today which could have been better spent… I dunno, surfing porn or something.

akcarver

How can someone test their system to see if Apple’s lock has been applied?

iJack

My System Prefs pane & control panel for Java 7 Update11 (build 1.7.0_11-b21) is still there and operational. Is this something different? My Firefox plugin is still there and apparently operational, although it says, “Java Aplet Plugin is known to be vulnerable. Use with caution.”

Timon

Quit complaining at Apple because they blocked Java, blame Oracle. Apple is trying to protect you and you bitch and moan.

BTW, Apple does tell you, they pop up a window telling you that Java needs updating. That’s your clue that they have raised the required Java level. If you close the window it won’t pop up again. I do wish that Apple would pop up a little different message that stated the current and required versions plus keep displaying the message if you try to run a Java program again.

akcarver

Apple does NOT own my computer. They should NOT be disabling software without telling me that they are doing exactly that, and giving me a chance to say no EVERY TIME THEY DO IT.

I am glad that Apple wants to protect me from malicious software, but they are going about it the wrong way.

Starr

So, I’m pissed at both Apple AND Oracle. Fine. But in the meantime, what the heck do I do so I can get my Pogo to work on my macbook???

Allan Cuseo

I only use java for Pogo games - which no longer work, of course. Problem is that my subscription that I just renewed keeps going. I wrote Pogo today that I wished to turn off automatic renewal but, of course, pogo customer service is nonexistent. If something is not fixed soon I will again try to cancel pogo permanently.
