Zero-day flaw prompts Apple to block Java 7 from OS X

Posted:
in macOS edited January 2014
Apple has disabled the Java 7 plugin on Macs through its OS X anti-malware system, in order to protect users from a potentially serious security issue.

Apple's updated security measures block Java 7 in OS X. Screenshot via MacRumors.


The newly discovered zero-day flaw in Java 7 is so serious that the U.S. Department of Homeland Security has warned users to disable or uninstall it.

"We are currently unaware of a practical solution to this problem," the department's Computer Emergency Readiness Team said. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also available."

But Apple has already taken measures to protect OS X users by quietly disabling the Java 7 plug-in, according to MacRumors. This was accomplished by updating the OS X "Xprotect.plist" file to require users to have installed an unreleased version of Java, "1.7.0_10-b19."
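The minimum-version gate described above can be sketched as follows. This is an added example, not Apple's code or file format: the plist layout and the `PlugInMinimums` key are hypothetical, the bundle identifier is an assumption, and the installed versions are constructed; only the required version string comes from the article.

```python
import plistlib
import re

# Constructed sample, not Apple's real file. "PlugInMinimums" is a
# hypothetical key; the version string is the one quoted in the article.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInMinimums</key>
  <dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <string>1.7.0_10-b19</string>
  </dict>
</dict>
</plist>
"""

# major.minor.patch, optional _update, optional -bBUILD
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text):
    """Turn '1.7.0_10-b19' into (1, 7, 0, 10, 19) for numeric comparison."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised Java version: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def load_minimums(plist_bytes):
    """Map bundle id -> parsed minimum version from the policy plist."""
    data = plistlib.loads(plist_bytes)
    return {bid: parse_java_version(v)
            for bid, v in data["PlugInMinimums"].items()}


def plugin_allowed(bundle_id, installed_version, minimums):
    """Allow a plug-in only if it meets the minimum set for its bundle id."""
    minimum = minimums.get(bundle_id)
    if minimum is None:
        return True  # no rule for this plug-in
    try:
        installed = parse_java_version(installed_version)
    except ValueError:
        return False  # fail closed on a version we cannot parse
    # Compare as integer tuples: as plain strings, "1.7.0_9" would sort
    # above "1.7.0_10" and an older update would slip through.
    return installed >= minimum
```

Because the required build has not been released, every installed build compares lower and is refused, which is how a version floor doubles as a block.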

Last year, Apple stopped building its own in-house Java updates, handing responsibility over to Oracle. The company also dropped Java from the default installation of OS X 10.7 Lion in 2010.

Java was a part of what was the most serious malware threat to the Mac, dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs worldwide last year, before Oracle and Apple released Java patches to remove the malware.

Comments

  • Reply 1 of 43


    And no one shed a single tear. Good riddance.

  • Reply 2 of 43
    sockrolid Posts: 2,789 member


    Java.  Party like it's 1999.


     


    Or not.

  • Reply 3 of 43
    coolfactor Posts: 2,275 member
    Just the browser plug-in is blocked. MacRumors had a misleading title, and now AppleInsider has spread the same misinformation.
  • Reply 4 of 43
    bigmac2 Posts: 639 member


    Java has always done more ugliness than good; I never understood what value it had besides being a developer's shortcut.

  • Reply 5 of 43
    Portability? It's the right idea, at least.
  • Reply 6 of 43

    Quote:

    Originally Posted by BigMac2 View Post


    Java has always done more ugliness than good; I never understood what value it had besides being a developer's shortcut.



     


    As a developer who has written his share of Java code, I can say that it's a very nice language (and has spawned quite a few copycats, including Microsoft [the king of copycats] with C#).


     


    Let's put this into perspective, shall we? A couple of well publicized exploits has put a lot of computers at risk on a couple of occasions. We're talking about it here because it finally has put the Mac at risk, true. However, hundreds of thousands of exploits have put even more computers at risk on a continuing basis - Microsoft Windows has historically done plenty of ugliness, yet ignorance has maintained its value in the eyes of the world.

  • Reply 7 of 43
    philboogie Posts: 7,675 member
    @djames4242: sad, but true
  • Reply 8 of 43
    kr00 Posts: 99 member
    Now if only we can get web developers to stop coding for java, we'd all be safer.
  • Reply 9 of 43
    mrstep Posts: 516 member

    Quote:

    Originally Posted by coolfactor View Post



    Just the browser plug-in is blocked. MacRumors had a misleading title, and now AppleInsider has spread the same misinformation.


     


    Are there any actual Java apps being used on the desktop? It's obviously dangerous for the browser, but in every case I've seen it's also sub-par as a native app experience. So while the title may be misleading, it sounds pretty good. ;)


     


    [And no, not if you're doing server development with it, I do understand that not supporting Java would be an issue for those users... Just can't stand it crapping up web pages or 'portable' desktop stuff.]

  • Reply 10 of 43
    lkrupp Posts: 10,557 member

    Quote:

    Originally Posted by Tallest Skil View Post


    And no one shed a single tear. Good riddance.



     


    Careful. There are some diehard Java supporters who claim that computers are completely useless if they don't have Java installed. They claim that OS X is completely irrelevant now that Apple doesn't have a default Java install. Real work can only be done with Java. Don't argue with them. They know what they are talking about.

  • Reply 11 of 43
    lkrupp Posts: 10,557 member

    Quote:

    Originally Posted by Kr00 View Post



    Now if only we can get web developers to stop scripting using java, we'd all be safer.


     


    Java and Javascript are two different things. They are not related at all.

  • Reply 12 of 43

    Quote:

    Originally Posted by Kr00 View Post



    Now if only we can get web developers to stop scripting using java, we'd all be safer.




    You might mean to say "javascript" here?

  • Reply 13 of 43

    Quote:

    Originally Posted by mrstep View Post


     


    Are there any actual Java apps being used on the desktop? It's obviously dangerous for the browser, but in every case I've seen it's also sub-par as a native app experience. So while the title may be misleading, it sounds pretty good. ;)


     


    [And no, not if you're doing server development with it, I do understand that not supporting Java would be an issue for those users... Just can't stand it crapping up web pages or 'portable' desktop stuff.]




     


    There are a lot of well done Java apps out there.  WebEx uses a Java app.  In addition, I know the Cyberduck FTP client is also based in Java.  OpenOffice used to require Java, but I haven't checked the most recent versions to see if this requirement is still present.  The biggest problem is when a Java application is poorly written and the minimum amount of effort is used to get it to work in the OS X Java environment.  Those applications are the exception rather than the rule but are much more noticeable because they stand out.

  • Reply 14 of 43


    Originally Posted by mrstep View Post

    Are there any actual Java apps being used on the desktop?


     


    All of Adobe's crap requires Java to run.

  • Reply 15 of 43
    Is there any chance this is going to change anytime soon? I found out last night that Java was blocked from Safari when I went to get to a chat I've been attending for several years. At least I was able to get there via Firefox! Oracle needs to get their Java straightened out ASAP!

    Regardless of what anyone thinks about Java, there has to be a better way to allow people to visit Java-using sites (ie chats) and still keep their systems safe. Preventing us from using all Java-based sites is an overly-heavyhanded approach.
  • Reply 16 of 43
    mr. me Posts: 3,221 member

    Quote:

    Originally Posted by mrstep View Post


     


    Are there any actual Java apps being used on the desktop? ...



     


    Absolutely. My firm handles virtually all enterprise business through a vertical market application based on Oracle. Administrative access to the database is done exclusively through a Java-based client.


     


    For children who play with knives, most Torrent clients I know of are Java-based. The popular Vuze torrent client/media player is very much Java-based. Among other Java-based OS X applications are MSN Live messenger client, Mercury Messenger

  • Reply 17 of 43


    Go to Webinar uses Java. Since 2010 I haven't been able to attend presentations of companies that use that software. It has been frustrating. They also don't support Linux so I'm screwed unless I open Windows. I almost never open Windows.

  • Reply 18 of 43
    desuserign Posts: 1,316 member


    Java, JavaScript, Java Plugin. There seems to be some confusion here.


    Can someone say specifically and accurately what the source of the security problem is, and how to prevent it? (I assume it's server side JavaScript and that disabling JavaScript in the Safari preferences does the trick.)

  • Reply 19 of 43


    Originally Posted by DESuserIGN View Post

    (I assume it's server side JavaScript and that disabling JavaScript in the Safari preferences does the trick.)


     


    JavaScript ≠ Java.

  • Reply 20 of 43
    ascii Posts: 5,936 member

    Quote:

    Originally Posted by SockRolid View Post


    Java.  Party like it's 1999.


     


    Or not.



    Yep. I would like it if the whole idea of web plugins would have stayed in the 90s. The web is just too dangerous these days, anything that can't be done with HTML/JS/CSS should be forced to be a native app, subject to App Store review, OS sandboxing, Unix permissions and all the rest.
