
Apple again blocks latest version of Java through OS X anti-malware system

post #1 of 48
Thread Starter 
The recently released Java 7 Update 11 has been blocked by Apple through its XProtect anti-malware feature in OS X.

Oracle issued the latest update to Java earlier this month to fix a serious zero-day security flaw. The threat was so serious that the U.S. Department of Homeland Security had recommended that all Java 7 users disable or uninstall the software until a patch was issued.

Apple took action on its own and quietly disabled the plugin through its OS X anti-malware system. And as noted by MacGeneration on Thursday, Apple has again updated its OS X XProtect list, this time to block Java 7 Update 11.

Because Oracle has yet to issue a newer version of Java that addresses any outstanding issues, Mac users are prevented from running Java on their system.

Over the last few years, Apple has moved to gradually remove Java from OS X. The Mac maker dropped the Java runtime from the default installation for OS X 10.7 Lion when the operating system update launched in 2010. Java vulnerabilities have been a common exploit used by malicious hackers looking to exploit the OS X platform.

Most notably, the "Flashback" trojan that spread last year was said to have infected as many as 600,000 Macs worldwide at its peak. Apple addressed the issue by releasing a removal tool specifically tailored for the malware, and also disabled the Java runtime in its Safari web browser starting with version 5.1.7.
post #2 of 48
I completely understand that Apple is acting to protect the vast majority of its users, users who have no idea what Java is or even if they have it installed.

But shouldn't they also have an option for users who know the risks but want Java anyway, an option to allow the installation of the plugin?
post #3 of 48
Good for you Apple. May it go the ways Flash is going. Or has, I actually don't know.
post #4 of 48
Not Apple's style (to allow workarounds). Not judging whether that's good or bad. As an individual user I'd like the option but as an IT administrator responsible for Windows computers I see the challenges every day of trying to walk people through workarounds and then fixes for their workarounds.
post #5 of 48
Quote:
Originally Posted by ddawson100 View Post

Not Apple's style (to allow workarounds). Not judging whether that's good or bad. As an individual user I'd like the option but as an IT administrator responsible for Windows computers I see the challenges every day of trying to walk people through workarounds and then fixes for their workarounds.

Can't you install the needed plug-ins yourself? Or has Apple now completely disallowed it on OS altogether?

post #6 of 48
I think the disallow list only works for certain browsers, the workaround is to use a third party browser.
post #7 of 48
I know Apple is looking out for us, but for some instances it's kind of a pain in the ass that they keep disabling Java. I work in a school and we're doing student assessment state testing and the program is Java based. It creates major havoc as testing has to go on right now. This isn't something that can be delayed just because there's an exploit.

I'm going to assume I can just use ARD to re-enable it through a Unix command.

Mac Mini (Mid 2011) 2.5 GHz Core i5

120 GB SSD/500 GB HD/8 GB RAM

AMD Radeon HD 6630M 256 MB

post #8 of 48
If this is really the runtime (JRE), this is very bad news. If it is the crappy plugin, it is quite good news.

In the first case, we can safely predict that very soon, Mac as well as Windows will only allow you to run Apple-signed software. Great.
I can't say how unhappy I would be to see these developments.

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #9 of 48
This really sucks for schools; lots of online skill-building software such as Reading Plus is written in Java. Yes, these programs are never pretty but they are cross-platform and they generally achieve their educational objectives. School teachers have enough challenges. Apple, in the words of Tracy Morgan "FIX IT", and stop playing corporate politics with kids.
post #10 of 48
Quote:
Originally Posted by lightknight View Post

If this is really the runtime (JRE), this is very bad news. If it is the crappy plugin, it is quite good news.

In the first case, we can safely predict that very soon, Mac as well as Windows will only allow you to run Apple-signed software. Great.
I can't say how unhappy I would be to see these developments.

 

It's only the plugin, you can put your tinfoil hat and pitchforks away.  

 

If Apple completely disabled Java you would hear the cries of many, many kids as they found out that Minecraft no longer works on their Macs. As I can tell by looking around my own house, that is most certainly not the case.

post #11 of 48

Folks, this only affects the Java browser plug-in and only in Safari.

 

Stand-alone Java still works fine for those of that persuasion.

Quote:
Originally Posted by ddawson100 View Post

Not Apple's style (to allow workarounds). Not judging whether that's good or bad. As an individual user I'd like the option but as an IT administrator responsible for Windows computers I see the challenges every day of trying to walk people through workarounds and then fixes for their workarounds.

 

The "workaround" is to simply use a different browser than Safari.  Easy peasy.

   Apple develops an improved programming language.  Google copied Java.  Everything you need to know, right there.

 

  MA497LL/A FB463LL/A MC572LL/A FC060LL/A MD481LL/A MD388LL/A ME344LL/A

post #12 of 48
Quote:
Originally Posted by phasornc View Post

This really sucks for schools; lots of online skill-building software such as Reading Plus is written in Java. Yes, these programs are never pretty but they are cross-platform and they generally achieve their educational objectives. School teachers have enough challenges. Apple, in the words of Tracy Morgan "FIX IT", and stop playing corporate politics with kids.

It's not corporate politics, Apple and Oracle get along fine, Steve Jobs and Larry Ellison used to be close friends. They are just trying to stop another Flashback epidemic.

 

If you want to blame somebody, blame your educational software vendor for choosing an insecure platform on which to base their product. I mean come on, it's been insecure for years, they can't claim they didn't know. They most likely chose it because it was cross-platform and therefore would save them development costs, and that factor overrode their concern for end user security.

post #13 of 48
Quote:
Originally Posted by macxpress View Post

I know Apple is looking out for us, but for some instances it's kind of a pain in the ass that they keep disabling Java. I work in a school and we're doing student assessment state testing and the program is Java based. It creates major havoc as testing has to go on right now. This isn't something that can be delayed just because there's an exploit.

I'm going to assume I can just use ARD to re-enable it through a Unix command.

 

Yeah, but this is exactly one of those areas when you shouldn't be using a Java based program.  In a school situation, you are legally responsible for that information. You can be sued.  You can even attract criminal charges if something happens to the students info.  It's a very sensitive area. 

 

School is the very last place that Java should be used.  

post #14 of 48
Quote:
Originally Posted by phasornc View Post

This really sucks for schools; lots of online skill-building software such as Reading Plus is written in Java. Yes, these programs are never pretty but they are cross-platform and they generally achieve their educational objectives. School teachers have enough challenges. Apple, in the words of Tracy Morgan "FIX IT", and stop playing corporate politics with kids.

 

You're the one that's screwing over "the kids." How anyone could think using Java in a school situation was an okay thing to do I just don't understand.

post #15 of 48
Some of us still use Snow Leopard, you know!

This has affected my team's work today. We rely on using a Java applet to do our work. We have resorted to using a Windows 7 VM!

By the way, it is NOT just Safari. Firefox is affected too.

Apple, please sort it out.
post #16 of 48
Quote:
Originally Posted by Gazoobee View Post

 

Yeah, but this is exactly one of those areas when you shouldn't be using a Java based program.  In a school situation, you are legally responsible for that information. You can be sued.  You can even attract criminal charges if something happens to the students info.  It's a very sensitive area. 

 

School is the very last place that Java should be used.  

 

We don't make the program... we're just told to use it and it's a program approved by the State Education Department. BTW... thanks for the legal advice!

Mac Mini (Mid 2011) 2.5 GHz Core i5

120 GB SSD/500 GB HD/8 GB RAM

AMD Radeon HD 6630M 256 MB

post #17 of 48

The term "Bag of hurt" comes to mind with respect to Java.

post #18 of 48
Quote:
Originally Posted by Gazoobee View Post

 

You're the one that's screwing over "the kids." How anyone could think using Java in a school situation was an okay thing to do I just don't understand.

 

You obviously don't understand what it's like to work in an educational environment. You don't always have choices in the matter. If it's something you're mandated to do (and use) then how can you blame the school? In some instances, you do what you're told.

 

There are a lot of Java based educational apps for the Mac. In some cases it's how they make platform independent educational apps.

Mac Mini (Mid 2011) 2.5 GHz Core i5

120 GB SSD/500 GB HD/8 GB RAM

AMD Radeon HD 6630M 256 MB

post #19 of 48
Quote:
Originally Posted by maffk View Post

Some of us still use Snow Leopard, you know!

This has affected my team's work today. We rely on using a Java applet to do our work. We have resorted to using a Windows 7 VM!

By the way, it is NOT just Safari. Firefox is affected too.

Apple, please sort it out.

 

Firefox is taking their own approach to this:  http://arstechnica.com/security/2013/01/firefox-to-block-content-based-on-java-reader-and-silverlight/


Edited by John.B - 1/31/13 at 8:14am

   Apple develops an improved programming language.  Google copied Java.  Everything you need to know, right there.

 

  MA497LL/A FB463LL/A MC572LL/A FC060LL/A MD481LL/A MD388LL/A ME344LL/A

post #20 of 48
Quote:
Originally Posted by phasornc View Post

in the words of Tracy Morgan "FIX IT"

If you are referring to the SNL sketch where the guy yells "FIX IT", that is Kenan Thompson, not Tracy Morgan.

post #21 of 48
Quote:
Originally Posted by phasornc View Post

This really sucks for schools; lots of online skill-building software such as Reading Plus is written in Java. Yes, these programs are never pretty but they are cross-platform and they generally achieve their educational objectives. School teachers have enough challenges. Apple, in the words of Tracy Morgan "FIX IT", and stop playing corporate politics with kids.

Couldn't agree more.

 

I need plug-ins quite often for our corporate VPN, for Adobe Connect, etc. (Right now, I am using Firefox -- in full privacy mode, so that nothing is stored anywhere -- for this).


Edited by anantksundaram - 1/31/13 at 8:22am
post #22 of 48
Quote:
Originally Posted by Gazoobee View Post

 

Yeah, but this is exactly one of those areas when you shouldn't be using a Java based program.  In a school situation, you are legally responsible for that information. You can be sued.  You can even attract criminal charges if something happens to the students info.  It's a very sensitive area. 

 

School is the very last place that Java should be used.  

Stop it, you scold. Get off your high horse.

 

People are required to use what they have access to or are told to.

post #23 of 48
Quote:
Originally Posted by lkrupp View Post

I completely understand that Apple is acting to protect the vast majority of its users, users who have no idea what Java is or even if they have it installed.

But shouldn't they also have an option for users who know the risks but want Java anyway, an option to allow the installation of the plugin?

Made sense when your machine was stand-alone. But now it's like sharing a hot-tub with someone with a communicable disease.

The question isn't why Apple is blocking it, but why others aren't.

post #24 of 48
Quote:
Originally Posted by anantksundaram View Post

Stop it, you scold. Get off your high horse.

People are required to use what they have access to or are told to.

Understood, but I think he's referring to the developers. The developers shouldn't be making programs like that in Java and school districts should be very cautious about buying it. Obviously, it's not the poor student's fault that they have to use Java.

It's much like the Flash issues from a few years ago. Lots of people used Flash because it was easy, but it was a resource hog and a security problem. Apple pointed out how terrible it was and the industry slowly moved away from it - to the point that you don't get many "Flash is an essential part of the Internet and we can't live without it" claims any more.

Same thing will probably happen with Java.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #25 of 48
Quote:
Originally Posted by maffk View Post

Some of us still use Snow Leopard, you know!

This has affected my team's work today. We rely on using a Java applet to do our work. We have resorted to using a Windows 7 VM!

By the way, it is NOT just Safari. Firefox is affected too.

Apple, please sort it out.

Firefox is independently blocking Java: http://www.informationweek.com/security/application-security/firefox-moves-to-block-java-silverlight/240147408

post #26 of 48
Quote:
Originally Posted by jragosta View Post

Understood, but I think he's referring to the developers. 

Yes, but to go on a finger-waving rant about "developers should..... blah blah" with some poor teacher who is just trying to do his/her job is quite unwarranted, unhelpful, and snotty.

 

Also, I agree that it will/should go the way of Flash. Unfortunately, there is still the issue of "in the meantime, what do we do"?

post #27 of 48

Initially, I thought it was Firefox that was blocking the plug-in, this morning. However, when I click the 'click to play' button to activate it, it loads the Admin login for Software Update. Of course, once checked, SU reports that there are no updates available.

 

On checking Firefox Add ons, the Java Applet plug-in is showing as "enabled".
 

The same thing happens with Safari.

post #28 of 48
Quote:
Originally Posted by jragosta View Post


Understood, but I think he's referring to the developers. The developers shouldn't be making programs like that in Java and school districts should be very cautious about buying it. Obviously, it's not the poor student's fault that they have to use Java.

It's much like the Flash issues from a few years ago. Lots of people used Flash because it was easy, but it was a resource hog and a security problem. Apple pointed out how terrible it was and the industry slowly moved away from it - to the point that you don't get many "Flash is an essential part of the Internet and we can't live without it" claims any more.

Same thing will probably happen with Java.

 

Yes, there are still a lot of Java Mac educational apps, but what do you do? We can just sit around and hope they make a real OS X version of the app. Some developers are just lazy and take what they think is the easiest way out.

Mac Mini (Mid 2011) 2.5 GHz Core i5

120 GB SSD/500 GB HD/8 GB RAM

AMD Radeon HD 6630M 256 MB

post #29 of 48
Quote:
Originally Posted by maffk View Post

Initially, I thought it was Firefox that was blocking the plug-in, this morning. However, when I click the 'click to play' button to activate it, it loads the Admin login for Software Update. Of course, once checked, SU reports that there are no updates available.

 

On checking Firefox Add ons, the Java Applet plug-in is showing as "enabled".
 

The same thing happens with Safari.

This is very good to know -- I had seen this in Firefox, but did not know it was happening in Safari too. Thanks.

post #30 of 48

I'm not reading anywhere here that it's a Safari-only limit. It sounds to me like OS level. I think this is File Quarantine, aka XProtect, which blocks things from running no matter what method is used to launch something. And it's just Java, not all plug-ins. When there's a known vulnerability, is it reasonable to just stand by when you have the tools to immediately take some action?

post #31 of 48

Yes, it just isn't Safari. We've tried Firefox and it didn't work. We tried going into our library system which runs Java and it wouldn't work. We need a workaround.

 

Oh, ya, maybe I'll just unplug all computers from the network to tighten security because of all the problems and give no work arounds.

post #32 of 48
Quote:
Originally Posted by John.B View Post

Folks, this only affects the Java browser plug-in and only in Safari.

 

Stand-alone Java still works fine for those of that persuasion.

 

The "workaround" is to simply use a different browser than Safari.  Easy peasy.

Sometimes that doesn't work. In Germany, for example, every (small) company has to file its VAT declaration online on the 10th day of every subsequent month. This is done via web forms that require Java and, for reasons unknown to me, don't work with Chrome. Annoyingly enough, I have to keep and use Safari for the sole reason of VAT declarations. Now if Java remains disabled until Feb 10th, I'm really stuck. OK there are other workarounds (Internet Explorer with Wine, virtualisation or Bootcamp), but I still find Apple's stand unnecessary paternalistic.

post #33 of 48
Quote:
Originally Posted by John.B View Post

Folks, this only affects the Java browser plug-in and only in Safari.

 

Stand-alone Java still works fine for those of that persuasion.

 

The "workaround" is to simply use a different browser than Safari.  Easy peasy.

 

Just chiming in to say that you are kinda wrong with your statement. It affects Safari, Firefox, Chrome, etc.

 

The block to the web plugin is taking place at the OS level via XProtect. When you click on the Inactive Plugin arrow you get taken to an administrator password required Software Update, which doesn't do anything.

 

This is a temporary fix posted by one of our techs:

 

sudo /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

 

However this may get overwritten after every restart.
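
Added example (not part of the original post, and not Apple's code): the post above says the block is enforced through the JavaWebComponentVersionMinimum key in XProtect.meta.plist and that the workaround deletes that key. The Python script below audits a copy of that plist for a fleet check, reporting whether the key is still present and whether an installed plug-in version falls below it. The sample plists, host names, version strings and the component-wise numeric comparison are assumptions made for illustration.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Key name as given in the post; everything else below is constructed.
KEY = "JavaWebComponentVersionMinimum"

# Constructed sample: a meta plist that still carries the minimum-version key.
META_WITH_KEY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>JavaWebComponentVersionMinimum</key><string>1.6.0_37-b06-435</string>
  <key>SampleOtherSetting</key><integer>1</integer>
</dict></plist>"""

# Constructed sample: the same file after the key has been deleted.
META_KEY_DELETED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>SampleOtherSetting</key><integer>1</integer>
</dict></plist>"""


def version_tuple(text):
    """Split a version string into its numeric components, in order.

    Assumption: versions are compared component by component as integers;
    the page does not describe the comparison XProtect itself performs.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def audit(meta_bytes, installed_version):
    """Return (status, detail) for one machine's meta plist and plug-in version."""
    try:
        meta = plistlib.loads(meta_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return ("unreadable", f"could not parse plist: {exc}")
    if not isinstance(meta, dict):
        return ("unreadable", "plist root is not a dictionary")

    minimum = meta.get(KEY)
    if minimum is None:
        # The state the workaround leaves behind: no minimum enforced by this key.
        return ("key-missing", f"{KEY} absent from meta plist")
    if not isinstance(minimum, str) or not version_tuple(minimum):
        return ("unreadable", f"{KEY} has an unexpected value: {minimum!r}")

    if version_tuple(installed_version) < version_tuple(minimum):
        return ("blocked", f"installed {installed_version} is below minimum {minimum}")
    return ("allowed", f"installed {installed_version} meets minimum {minimum}")


# Constructed fleet inventory: (host, meta plist bytes, installed plug-in version).
FLEET = [
    ("lab-mac-01", META_WITH_KEY, "1.6.0_35-b10-428"),
    ("lab-mac-02", META_WITH_KEY, "1.6.0_41-b02-445"),
    ("lab-mac-03", META_KEY_DELETED, "1.6.0_35-b10-428"),
    ("lab-mac-04", b"truncated or corrupt file", "1.6.0_35-b10-428"),
]

if __name__ == "__main__":
    for host, meta, installed in FLEET:
        status, detail = audit(meta, installed)
        print(f"{host}: {status} ({detail})")
```

Because the post notes the deleted key may come back after a restart, a check like this is only meaningful when re-run on a schedule; a host that reports key-missing is one where the block has been removed locally.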

post #34 of 48
Quote:
Originally Posted by Philotech View Post

Sometimes that doesn't work. In Germany, for example, every (small) company has to file its VAT declaration online on the 10th day of every subsequent month. This is done via web forms that require Java and, for reasons unknown to me, don't work with Chrome. Annoyingly enough, I have to keep and use Safari for the sole reason of VAT declarations. Now if Java remains disabled until Feb 10th, I'm really stuck. OK there are other workarounds (Internet Explorer with Wine, virtualisation or Bootcamp), but I still find Apple's stand unnecessary paternalistic.

 

If Apple takes a lackadaisical approach and winds up with another "Flashback" trojan epidemic, they aren't being diligent enough. If they disable browser plug-ins for Java to prevent another outbreak, they are being "unnecessary paternalistic". Given the two options, and despite the inconvenience, they err on the side of security.

 

FWIW, someone over on Ars has posted the steps to disable XProtect in the comments of their Apple Blacklists Java Web Plugin story.

 

That said, if I were in your shoes I'd be giving someone in the VAT declaration office an earful about the need to replace that Java-based VAT declaration process, stat.

   Apple develops an improved programming language.  Google copied Java.  Everything you need to know, right there.

 

  MA497LL/A FB463LL/A MC572LL/A FC060LL/A MD481LL/A MD388LL/A ME344LL/A

post #35 of 48
Just to confirm: Java is blocked in Firefox under Snow Leopard. Workaround is to copy xprotect.plist from a working machine into core bundle in core services folder. Then untick auto update safe list in Sys Prefs - Security.
post #36 of 48
Quote:
Originally Posted by John.B View Post

 

That said, if I were in your shoes I'd be giving someone in the VAT declaration office an earful about the need to replace that Java-based VAT declaration process, stat.

Here we go again.......

 

He was right when he said "paternalism." He could have added 'condescending' in your case.

post #37 of 48
Quote:
Originally Posted by ascii View Post

I think the disallow list only works for certain browsers, the workaround is to use a third party browser.

I typically use Firefox for web based java interfaces & locally run standalone java apps run just fine.  Apple only blocks java in Safari, which is fine by me since half the time it doesn't even work properly with most java based GUIs.  So if you wanna expose yourself to hackers just use a browser other than Safari to browse the web.

post #38 of 48
Quote:
Originally Posted by SmileyDude View Post

 

It's only the plugin, you can put your tinfoil hat and pitchforks away.  

 

If Apple completely disabled Java you would hear the cries of many, many kids as they found out that Minecraft no longer works on their Macs. As I can tell by looking around my own house, that is most certainly not the case.


Damned. I never get to use those pitchforks...

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #39 of 48

Seems Java has got beyond a joke. Maybe we need decent virtual machine technology like Unisys (Burroughs) ClearPath MCP (B5000) systems, the ultimate programming environment. Or ideas from the B1700. JVM seems to be based on these machines anyway, but the original was better. Niklaus Wirth also based his Oberon systems on similar ideas. JVM is good for running Java and related languages like Scala. B5000 virtual machines are heavily oriented towards ALGOL (that's real HLL programming and the first OS written in HLL, long before Unix and C - which is more like structured assembler than a real HLL, but ran lots of others as well as COBOL, FORTRAN (which was recursive), APL (Iverson said it was the best version of APL even though he was an IBM guy), Simula, C, Eiffel (I wrote that compiler myself). A good VM should be relatively language independent - I don't think Java is and had problems with genericity (which is horrible in Java, like multiple inheritance is in C++).

 

So here's to a truly language and vendor independent VM. The B5000 high-level stack- and descriptor-based architecture (with no registers) with buffer overflow and array out-of-bounds checks is a good place to start to develop a real computer-independent computational model.

post #40 of 48

I can no longer work from home due to Apple!!!!!

Time to get a PC

At least I can get infected in peace if I want to!
