
Zero-day flaw prompts Apple to block Java 7 from OS X

post #1 of 42
Thread Starter 
Apple has disabled the Java 7 plugin on Macs through its OS X anti-malware system, in order to protect users from a potentially serious security issue.

Apple's updated security measures block Java 7 in OS X. Screenshot via MacRumors.


The newly discovered zero-day flaw in Java 7 is so serious that the U.S. Department of Homeland Security has warned users to disable or uninstall it.

"We are currently unaware of a practical solution to this problem," the department's Computer Emergency Readiness Team said. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also available."

But Apple has already taken measures to protect OS X users by quietly disabling the Java 7 plug-in, according to MacRumors. This was accomplished by updating the OS X "Xprotect.plist" file to require users to have installed an unreleased version of Java, "1.7.0_10-b19."

Last year, Apple stopped building its own in-house Java updates, handing responsibility over to Oracle. The company also dropped Java from the default installation of OS X 10.7 Lion in 2010.

Java was a part of what was the most serious malware threat to the Mac, dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs worldwide last year, before Oracle and Apple released Java patches to remove the malware.
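
The minimum-version rule described in the article above, sketched as an added example (not part of the original post and not Apple's code): a rule file names a minimum plug-in version and anything older is refused. The plist key names and bundle identifier are assumptions; only the version string `1.7.0_10-b19` comes from the article.

```python
import plistlib
import re

# Constructed sample rule file. The key names and bundle identifier are
# assumptions for this example; only the version string comes from the article.
SAMPLE_RULES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInMinimumVersions</key>
  <dict>
    <key>com.example.java-applet-plugin</key>
    <string>1.7.0_10-b19</string>
  </dict>
</dict>
</plist>
"""

# Java 7 style version: major.minor.patch, optional _update, optional -bBUILD.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text):
    """Return (major, minor, patch, update, build) as integers."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError("unrecognised Java version: %r" % text)
    # Missing update/build fields count as 0 so "1.7.0" < "1.7.0_10-b19".
    return tuple(int(part) if part else 0 for part in match.groups())


def plugin_allowed(rules_plist, bundle_id, installed_version):
    """True if the plug-in may load under the minimum-version rules."""
    minimums = plistlib.loads(rules_plist).get("PlugInMinimumVersions", {})
    if bundle_id not in minimums:
        return True  # no rule for this plug-in
    required = parse_java_version(minimums[bundle_id])
    try:
        installed = parse_java_version(installed_version)
    except ValueError:
        return False  # fail closed on a version we cannot parse
    # Tuple comparison is numeric per field; comparing the raw strings would
    # rank "1.7.0_9" above "1.7.0_10".
    return installed >= required


if __name__ == "__main__":
    # Constructed installed versions, oldest to newest.
    for version in ("1.7.0_9-b05", "1.7.0_10-b18", "1.7.0_10-b19", "1.7.0_11-b21"):
        ok = plugin_allowed(SAMPLE_RULES, "com.example.java-applet-plugin", version)
        print(version, "allowed" if ok else "blocked")
```

Because the required build was unreleased at the time, every installed Java 7 plug-in fails this comparison, which is what turns a minimum-version rule into a block.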
post #2 of 42

And no one shed a single tear. Good riddance.

Originally Posted by helia

I can break your arm if I apply enough force, but in normal handshaking this won't happen ever.
post #3 of 42

Java.  Party like it's 1999.

 

Or not.

Sent from my iPhone Simulator

post #4 of 42
Just the browser plug-in is blocked. MacRumors had a misleading title, and now AppleInsider has spread the same misinformation.
post #5 of 42

Java has always done more ugliness than good; I never understood what value it had besides being a developer's shortcut.

post #6 of 42
Portability? It's the right idea, at least.
post #7 of 42
Quote:
Originally Posted by BigMac2 View Post

Java has always done more ugliness than good; I never understood what value it had besides being a developer's shortcut.

 

As a developer who has written his share of Java code, I can say that it's a very nice language (and has spawned quite a few copycats, including Microsoft [the king of copycats] with C#).

 

Let's put this into perspective, shall we? A couple of well-publicized exploits have put a lot of computers at risk on a couple of occasions. We're talking about it here because it finally has put the Mac at risk, true. However, hundreds of thousands of exploits have put even more computers at risk on a continuing basis - Microsoft Windows has historically done plenty of ugliness, yet ignorance has maintained its value in the eyes of the world.

post #8 of 42
@djames4242: sad, but true
How to enter the Apple logo  on iOS:
/Settings/Keyboard/Shortcut and paste in  which you copied from an email draft or a note. Screendump
post #9 of 42
Now if only we can get web developers to stop coding for java, we'd all be safer.
Edited by Kr00 - 1/12/13 at 7:11pm
post #10 of 42
Quote:
Originally Posted by coolfactor View Post

Just the browser plug-in is blocked. MacRumors had a misleading title, and now AppleInsider has spread the same misinformation.

 

Are there any actual Java apps being used on the desktop? It's obviously dangerous for the browser, but in every case I've seen it's also sub-par as a native app experience. So while the title may be misleading, it sounds pretty good. ;)

 

[And no, not if you're doing server development with it, I do understand that not supporting Java would be an issue for those users... Just can't stand it crapping up web pages or 'portable' desktop stuff.]

post #11 of 42
Quote:
Originally Posted by Tallest Skil View Post

And no one shed a single tear. Good riddance.

 

Careful. There are some diehard Java supporters who claim that computers are completely useless if they don't have Java installed. They claim that OS X is completely irrelevant now that Apple doesn't have a default Java install. Real work can only be done with Java. Don't argue with them. They know what they are talking about.

post #12 of 42
Quote:
Originally Posted by Kr00 View Post

Now if only we can get web developers to stop scripting using java, we'd all be safer.

 

Java and Javascript are two different things. They are not related at all.

post #13 of 42
Quote:
Originally Posted by Kr00 View Post

Now if only we can get web developers to stop scripting using java, we'd all be safer.


You might mean to say "javascript" here?

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #14 of 42
Quote:
Originally Posted by mrstep View Post

 

Are there any actual Java apps being used on the desktop? It's obviously dangerous for the browser, but in every case I've seen it's also sub-par as a native app experience. So while the title may be misleading, it sounds pretty good. ;)

 

[And no, not if you're doing server development with it, I do understand that not supporting Java would be an issue for those users... Just can't stand it crapping up web pages or 'portable' desktop stuff.]

 
There are a lot of well done Java apps out there.  WebEx uses a Java app.  In addition, I know the Cyberduck FTP client is also based in Java.  OpenOffice used to require Java, but I haven't checked the most recent versions to see if this requirement is still present.  The biggest problem is when a Java application is poorly written and the minimum amount of effort is used to get it to work in the OS X Java environment.  Those applications are the exception rather than the rule but are much more noticeable because they stand out.
post #15 of 42
Originally Posted by mrstep View Post
Are there any actual Java apps being used on the desktop?

 

All of Adobe's crap requires Java to run.

post #16 of 42
Is there any chance this is going to change anytime soon? I found out last night that Java was blocked from Safari when I went to get to a chat I've been attending for several years. At least I was able to get there via Firefox! Oracle needs to get their Java straightened out ASAP!

Regardless of what anyone thinks about Java, there has to be a better way to allow people to visit Java-using sites (ie chats) and still keep their systems safe. Preventing us from using all Java-based sites is an overly-heavyhanded approach.
post #17 of 42
Quote:
Originally Posted by mrstep View Post

 

Are there any actual Java apps being used on the desktop? ...

 

Absolutely. My firm handles virtually all enterprise business through a vertical market application based on Oracle. Administrative access to the database is done exclusively through a Java-based client.

 

For children who play with knives, most Torrent clients I know of are Java-based. The popular Vuze torrent client/media player is very much Java-based. Among other Java-based OS X applications are MSN Live messenger client, Mercury Messenger

post #18 of 42

Go to Webinar uses Java. Since 2010 I haven't been able to attend presentations of companies that use that software. It has been frustrating. They also don't support Linux so I'm screwed unless I open Windows. I almost never open Windows.

post #19 of 42

Java, JavaScript, Java Plugin. There seems to be some confusion here.

Can someone say specifically and accurately what the source of the security problem is, and how to prevent it? (I assume it's server side JavaScript and that disabling JavaScript in the Safari preferences does the trick.)

post #20 of 42
Originally Posted by DESuserIGN View Post
(I assume it's server side JavaScript and that disabling javaScript in the Safari preferences does the trick.)  

 

JavaScript ≠ Java.

post #21 of 42
Quote:
Originally Posted by SockRolid View Post

Java.  Party like it's 1999.

 

Or not.

Yep. I would like it if the whole idea of web plugins would have stayed in the 90s. The web is just too dangerous these days, anything that can't be done with HTML/JS/CSS should be forced to be a native app, subject to App Store review, OS sandboxing, Unix permissions and all the rest.

post #22 of 42
Simple fix until the new Plugin for Java 7 comes out...just follow Apple's own advice for how to uninstall the Java 7 Plugin and reinstall the Java 6 Plugin that came with Mountain Lion. I did it today...works great and Oracle says there is no problem with the Java 6 Plugin.

For those who have to dump on Java...there are some of us who don't have a choice and have to rely on it to access secure VPNs, etc. to work on websites or access intranets.
post #23 of 42
If you do any 3D printing, you're using java. I use java on my Mac more than not.
Quote:
Originally Posted by mrstep View Post

Are there any actual Java apps being used on the desktop? It's obviously dangerous for the browser, but in every case I've seen it's also sub-par as a native app experience. So while the title may be misleading, it sounds pretty good. ;)

[And no, not if you're doing server development with it, I do understand that not supporting Java would be an issue for those users... Just can't stand it crapping up web pages or 'portable' desktop stuff.]

[Forum Signature]  I have no signature.  [Forum Signature]

post #24 of 42
crashplan is another notable java desktop app that is in widespread use.
post #25 of 42
Can you bypass Apple's protection by simply altering the minimum version number string or is there some other solution for those that just have to use Java on their Mac?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #26 of 42
Quote:
Originally Posted by bunnyhero View Post

crashplan is another notable java desktop app that is in widespread use.

Now that you mention it, a lot of cloud storage clients seem to be written in Java.
post #27 of 42
Quote:
Originally Posted by SolipsismX View Post

Can you bypass Apple's protection by simply altering the minimum version number string or is there some other solution for those that just have to use Java on their Mac?

Maybe using a browser other than Safari would work? I'm not sure but maybe only Safari and Mail check that list.

post #28 of 42
Quote:
Originally Posted by ascii View Post

Maybe using a browser other than Safari would work? I'm not sure but maybe only Safari and Mail check that list.

Since it's Java and not JS I assume that it's locked down for the entire system.

post #29 of 42
Quote:
Originally Posted by SolipsismX View Post


Since it's Java and not JS I assume that it's locked down for the entire system.

I think it's up to individual apps to check the list or not, there's not like a plugin loading API they call that checks the list for them. I could be wrong though because I mostly program iOS not OS X.

post #30 of 42
Quote:
Originally Posted by ascii View Post

I think it's up to individual apps to check the list or not, there's not like a plugin loading API they call that checks the list for them. I could be wrong though because I mostly program iOS not OS X.

I really don't know how deep Apple made the protection. I installed Java for some work thing but I don't recall what that was or if I ever even used it.

post #31 of 42

Hey, where can I download this latest one, 1.7.0_10-b19? I've been looking everywhere for this little shit :(

Please excuse my lame English grammar. American Sign Language is my first language and English's the second.
Tallest Skill, you can edit my English grammar for me. My English grammar sucks! lol

post #32 of 42

Oracle should just stop shipping the browser plugin. It's getting to the point where it's ruining the reputation of the entire Java brand and platform.

post #33 of 42

Where I work we use 2 distinct Java apps...one for Internet authentication and another that is vital for day to day operations.

 

Seeing these disabled by Apple periodically has created a ton of extra work for our tech support staff.

post #34 of 42
Stagecast. A neat little simulation environment, Java based. Started life as the "original" Cocoa (get it? Cocoa is like Java but for kids? Cute?) at Apple under Larry Tesler. When NEXT/OpenStep came to Apple and Cocoa was part of it, there was a needed name change and Stagecast emerged as a separate company. IIRC the plan was you would be able to flip the sims over and see the Java code behind what you did in the graphical environment (like in LOGO) but that part never got done.

Oh yeah, and the AP Computer Science test uses Java to test programming skills.
post #35 of 42
Quote:
Originally Posted by jpellino View Post

Oh yeah, and the AP Computer Science test uses Java to test programming skills.

So, High School students are now required to learn how to create exploits to take over computer systems?!

 

Just for fun:

 

1. Sony's Ultraviolet registration requires using Java 6. I've been having trouble installing Java 6 while Java 7 is still installed. I'll probably have to pull it out to do the installation. Oh, and since I don't have a *disk* to go with my copy of Mountain Lion, I'll have to find the installer someplace else.

 

2. I'm aware of a company that requires Java 6 Release 18 for certain old Java code. This code also seems completely incompatible with MacOS X, plus even under Windows the applet will fail to run on more recent versions of Java 6 and Java 7.

post #36 of 42
Quote:
Originally Posted by lkrupp View Post

Java and Javascript are two different things. They are not related at all.

Did I say JavaScript? No, I didn't, did I? If a coder has to write for java, it can be called scripting or coding.
post #37 of 42
Originally Posted by Kr00 View Post
Did I say JavaScript? No, I didn't, did I? If a coder has to write for java, it can be called scripting or coding.


Granted, but you did say "web development", and truly (though this may just be me), the number of actual Java applets I've seen on the Internet in the past decade has dropped precipitously. Really, what uses Java on the web anymore?

post #38 of 42

I'm not looking forward to losing Glimmerblocker, Cyberduck or Vuze. These are all free apps, so it's in poor taste to blast the developers for using Java. And these are polished products, not .jar files.

 

Tallest Skil View Post
mrstep View Post
Are there any actual Java apps being used on the desktop?

All of Adobe's crap requires Java to run.

I thought Adobe rolled their own now, Adobe AIR.

 

Tallest Skil View Post
The number of actual Java applets I've seen on the Internet in the past decade has dropped precipitously. Really, what uses Java on the web anymore?

Most virtualization that I use for work. We did have a Citrix client system, but migrated to Java-based access for terminal and print-to-file.

[this account has been abandoned]

post #39 of 42
Originally Posted by Vorsos View Post
I'm not looking forward to losing Glimmerblocker, Cyberduck or Vuze. These are all free apps, so it's in poor taste to blast the developers for using Java. And these are polished products, not .jar files.

 

I'm amazed every time I hear that Glimmerblocker still works. Why not AdBlock+Ghostery for all your ad blocking needs? 


I thought Adobe rolled their own now, Adobe AIR.

 

Maybe I just don't have that installed, but I'm still asked (by OS X) to install Java whenever I click an Adobe program and it's not already done.

post #40 of 42
Quote:
Originally Posted by djames4242 View Post

 

As a developer who has written his share of Java code, I can say that it's a very nice language (and has spawned quite a few copycats, including Microsoft [the king of copycats] with C#).

 

Let's put this into perspective, shall we? A couple of well-publicized exploits have put a lot of computers at risk on a couple of occasions. We're talking about it here because it finally has put the Mac at risk, true. However, hundreds of thousands of exploits have put even more computers at risk on a continuing basis - Microsoft Windows has historically done plenty of ugliness, yet ignorance has maintained its value in the eyes of the world.

 

Java, like any third-party runtime environment, has always been a security black hole for OSes on a continuing basis. Java, Flash and M$ Office macros account for the majority of security exploits OS X has ever had. I don't question Java being a nice language, but what is the value in it for the end user over a native app? There is none. As a user I will always prioritize native apps over ones using Java, Flash, and other third-party runtime solutions. Not having Java on a desktop will only force people to find other and better solutions for the most part.


Edited by BigMac2 - 1/14/13 at 10:44am