Zero-day flaw prompts Apple to block Java 7 from OS X
Apple has disabled the Java 7 plugin on Macs through its OS X anti-malware system, in order to protect users from a potentially serious security issue.
Apple's updated security measures block Java 7 in OS X. Screenshot via MacRumors.
The newly discovered zero-day flaw in Java 7 is so serious that the U.S. Department of Homeland Security has warned users to disable or uninstall it.
"We are currently unaware of a practical solution to this problem," the department's Computer Emergency Readiness Team said. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also available."
But Apple has already taken measures to protect OS X users by quietly disabling the Java 7 plug-in, according to MacRumors. This was accomplished by updating the OS X "Xprotect.plist" file to require users to have installed an unreleased version of Java, "1.7.0_10-b19."
Last year, Apple stopped building its own in-house Java updates, handing responsibility over to Oracle. The company also dropped Java from the default installation of OS X 10.7 Lion in 2010.
Java was a part of what was the most serious malware threat to the Mac, dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs worldwide last year, before Oracle and Apple released Java patches to remove the malware.
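The minimum-version gate described above can be sketched as follows. This is an added example, not Apple's code: the plist layout, the key names `JavaAppletPlugin` and `MinimumVersion`, and the sample installed versions are constructed for illustration, and only the required version string comes from the article.

```python
import plistlib
import re

# Constructed policy in plist form. The key names are hypothetical and are not
# Apple's actual XProtect schema; only the version string is from the article.
POLICY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>JavaAppletPlugin</key>
    <dict>
        <key>MinimumVersion</key>
        <string>1.7.0_10-b19</string>
    </dict>
</dict>
</plist>
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text):
    """Turn '1.7.0_10-b19' into (1, 7, 0, 10, 19); missing parts count as 0."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Java version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_blocked(plugin, installed_version, policy_bytes=POLICY_PLIST):
    """Return True when the plug-in must not load under the policy."""
    policy = plistlib.loads(policy_bytes)
    entry = policy.get(plugin)
    if entry is None:
        return False  # no rule for this plug-in
    minimum = parse_java_version(entry["MinimumVersion"])
    try:
        installed = parse_java_version(installed_version)
    except ValueError:
        return True  # fail closed on a version string we cannot parse
    return installed < minimum


if __name__ == "__main__":
    # Constructed sample inventory of installed plug-in versions.
    for version in ["1.7.0_09-b05", "1.7.0_10-b18", "1.7.0_10-b19", "garbage"]:
        state = "blocked" if is_blocked("JavaAppletPlugin", version) else "allowed"
        print(version, state)
```

Because the required build is one that has not shipped, every installed build compares lower and is blocked until a fixed release meets the minimum.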
Comments
And no one shed a single tear. Good riddance.
Java. Party like it's 1999.
Or not.
Java has always done more ugliness than good, I never understood what value it had besides being a developer's shortcut.
Quote:
Originally Posted by BigMac2
Java has always done more ugliness than good, I never understood what value it had besides being a developer's shortcut.
As a developer who has written his share of Java code, I can say that it's a very nice language (and has spawned quite a few copycats, including Microsoft [the king of copycats] with C#).
Let's put this into perspective, shall we? A couple of well-publicized exploits have put a lot of computers at risk on a couple of occasions. We're talking about it here because it finally has put the Mac at risk, true. However, hundreds of thousands of exploits have put even more computers at risk on a continuing basis - Microsoft Windows has historically done plenty of ugliness, yet ignorance has maintained its value in the eyes of the world.
Quote:
Originally Posted by coolfactor
Just the browser plug-in is blocked. MacRumors had a misleading title, and now AppleInsider has spread the same misinformation.
Are there any actual Java apps being used on the desktop? It's obviously dangerous for the browser, but in every case I've seen it's also sub-par as a native app experience. So while the title may be misleading, it sounds pretty good.
[And no, not if you're doing server development with it, I do understand that not supporting Java would be an issue for those users... Just can't stand it crapping up web pages or 'portable' desktop stuff.]
Quote:
Originally Posted by Tallest Skil
And no one shed a single tear. Good riddance.
Careful. There are some diehard Java supporters who claim that computers are completely useless if they don't have Java installed. They claim that OS X is completely irrelevant now that Apple doesn't have a default Java install. Real work can only be done with Java. Don't argue with them. They know what they are talking about.
Quote:
Originally Posted by Kr00
Now if only we can get web developers to stop scripting using java, we'd all be safer.
Java and Javascript are two different things. They are not related at all.
Quote:
Originally Posted by Kr00
Now if only we can get web developers to stop scripting using java, we'd all be safer.
You might mean to say "javascript" here?
Quote:
Originally Posted by mrstep
Are there any actual Java apps being used on the desktop? It's obviously dangerous for the browser, but in every case I've seen it's also sub-par as a native app experience. So while the title may be misleading, it sounds pretty good.
[And no, not if you're doing server development with it, I do understand that not supporting Java would be an issue for those users... Just can't stand it crapping up web pages or 'portable' desktop stuff.]
There are a lot of well done Java apps out there. WebEx uses a Java app. In addition, I know the Cyberduck FTP client is also based in Java. OpenOffice used to require Java, but I haven't checked the most recent versions to see if this requirement is still present. The biggest problem is when a Java application is poorly written and the minimum amount of effort is used to get it to work in the OS X Java environment. Those applications are the exception rather than the rule but are much more noticeable because they stand out.
Quote:
Originally Posted by mrstep
Are there any actual Java apps being used on the desktop?
All of Adobe's crap requires Java to run.
Regardless of what anyone thinks about Java, there has to be a better way to allow people to visit Java-using sites (i.e., chats) and still keep their systems safe. Preventing us from using all Java-based sites is an overly heavy-handed approach.
Quote:
Originally Posted by mrstep
Are there any actual Java apps being used on the desktop? ...
Absolutely. My firm handles virtually all enterprise business through a vertical market application based on Oracle. Administrative access to the database is done exclusively through a Java-based client.
For children who play with knives, most Torrent clients I know of are Java-based. The popular Vuze torrent client/media player is very much Java-based. Among other Java-based OS X applications are MSN Live messenger client, Mercury Messenger.
Go to Webinar uses Java. Since 2010 I haven't been able to attend presentations of companies that use that software. It has been frustrating. They also don't support Linux so I'm screwed unless I open Windows. I almost never open Windows.
Java, JavaScript, Java Plugin. There seems to be some confusion here.
Can someone say specifically and accurately what the source of the security problem is, and how to prevent it? (I assume it's server-side JavaScript and that disabling JavaScript in the Safari preferences does the trick.)
Quote:
Originally Posted by DESuserIGN
(I assume it's server side JavaScript and that disabling javaScript in the Safari preferences does the trick.)
JavaScript ≠ Java.
Quote:
Originally Posted by SockRolid
Java. Party like it's 1999.
Or not.
Yep. I would like it if the whole idea of web plugins would have stayed in the 90s. The web is just too dangerous these days, anything that can't be done with HTML/JS/CSS should be forced to be a native app, subject to App Store review, OS sandboxing, Unix permissions and all the rest.