Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

by

As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

java 7 blacklist
Apple's updated plug-in blacklist requiring an unreleased version of Java 7

Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but at least some versions of Java 4 through 7.

Popular Stories

Generic iOS 19 Feature Mock Light

iOS 19 Leak Reveals All-New Design

Friday January 17, 2025 2:42 pm PST by
iOS 19 is still around six months away from being announced, but a new leak has allegedly revealed a completely redesigned Camera app. Based on footage it obtained, YouTube channel Front Page Tech shared a video showing what the new Camera app will apparently look like, with the key change being translucent menus for camera controls. Overall, the design of these menus looks similar to...
Read Full Article
2024 App Store Awards

Apple Explains Why It Removed TikTok From the App Store in the U.S.

Sunday January 19, 2025 6:58 am PST by
Apple on late Saturday removed TikTok from the App Store in the U.S., and it has now explained why it was required to take this action. Last year, the U.S. passed a law that required Chinese company ByteDance to divest its ownership of TikTok due to potential national security risks, or else the platform would be banned. That law went into effect today, and companies like Apple and Google...
Read Full Article252 comments
iPhone 17 Air Size Feature

'iPhone 17 Air' With Rear Camera Bar Allegedly Shown in Leaked Photo

Tuesday January 21, 2025 12:46 pm PST by
A leaker known as "Majin Bu" today shared an alleged image of a component for the rumored, ultra-thin "iPhone 17 Air" model. The blurry, pixelated image shows a pair of rear iPhone shells with a pill-shaped, raised camera bar along the top. On the left side of the bar, there is a circular cutout that appears to be for a single rear camera. On the right side of the bar, there appears to be an ...
Read Full Article109 comments
iPhone SE Dynamic Island Majin Bu

iPhone SE 4 Leak Shows Dynamic Island, Casts Doubt on Rumored 'iPhone 16E' Name

Monday January 20, 2025 9:01 am PST by
A new iPhone SE is widely rumored to launch this year, and the device has potentially been confirmed today by known leaker Evan Blass. In a private social media post, Blass shared an image of what appears to be source code mentioning an iPhone SE (4th Gen), which casts doubt on the alternative "iPhone 16E" name rumored for the device. However, the name in the source code could be a...
Read Full Article171 comments
airtag 4 pack blue

AirTag 2 Launching This Year With These 3 New Features

Sunday January 19, 2025 8:11 am PST by
After a four-year wait, a new AirTag is finally expected to launch in 2025. Below, we recap rumored upgrades for the accessory. A few months ago, Bloomberg's Mark Gurman said Apple was aiming to release the AirTag 2 around the middle of 2025. While he did not offer a more specific timeframe, that means the AirTag 2 could be announced by the end of June. The original AirTag was announced...
Read Full Article
iOS 19 Roundup Feature

iOS 19 Rumored to Be Compatible With These iPhones

Saturday January 18, 2025 10:28 am PST by
iOS 19 will not drop support for any iPhone models, according to French website iPhoneSoft.fr. The report cited a source who said iOS 19 will be compatible with any iPhone that can run iOS 18, which would mean the following models: iPhone 16 iPhone 16 Plus iPhone 16 Pro iPhone 16 Pro Max iPhone 15 iPhone 15 Plus iPhone 15 Pro iPhone 15 Pro Max iPhone 14 iPhon...
Read Full Article
apple power beats pro 2

Powerbeats Pro 2 Coming Soon: Apple to Announce Them 'Imminently'

Sunday January 19, 2025 8:25 am PST by
In September, Apple said that it would be launching Powerbeats Pro 2 in 2025, and it appears the wireless earbuds are coming very soon. Powerbeats Pro 2 images found in iOS 18 code In his Power On newsletter today, Bloomberg's Mark Gurman said the Powerbeats Pro 2 are "due imminently." In addition to Apple filing the Powerbeats Pro 2 in regulatory databases last month, Gurman said Apple is...
Read Full Article63 comments
Generic iOS 18

Everything New in iOS 18.3 Beta 3

Thursday January 16, 2025 12:39 pm PST by
Apple provided the third beta of iOS 18.3 to developers today, and while the betas have so far been light on new features, the third beta makes some major changes to Notification Summaries and also tweaks a few other features. Notification Summary Changes Apple made multiple changes to Notification Summaries in response to complaints about inaccurate summaries of news headlines. For...
Read Full Article29 comments

Top Rated Comments

KnightWRX Avatar
KnightWRX
157 months ago
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
Score: 23 Votes (Like | Disagree)
xionxiox Avatar
xionxiox
157 months ago
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
Score: 19 Votes (Like | Disagree)
mreed911 Avatar
mreed911
157 months ago
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
Score: 14 Votes (Like | Disagree)
WildCowboy Avatar
WildCowboy
157 months ago
I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.
OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.


com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
You are of course correct, and I've updated accordingly to make things more clear.
Score: 8 Votes (Like | Disagree)
inkswamp Avatar
inkswamp
157 months ago
Well, I don't think I will join the debate about Java, but a temporary fix to enable Java (I know, it is a security hazard, however I don't have another option as I have to use the Juniper SSL VPN network connect client).
So,
1. close Safari
2. Open a terminal
3. sudo vi /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
4. Find the string <key>MinimumPlugInBundleVersion</key>
5. Just under that line you should see the version. Change the last portion of the number from 19 to 1.
6. Save and exit
7. Start up Safari and you should work. You must keep in mind that this file may be updated by Apple again, so this is only temporary and should only be done if you *must* use your current version of Java.

best of luck....

Thanks so much for posting this. The company I work for uses a payroll system that requires the Java plug-in and I was unable to access it. Would have been stuck without this.

I like that Apple is clearly looking out for the safety of their users, but at the same time, it would be nice if they would put in a user interface for temporarily side-stepping this kind of thing instead of having to hack around in the system files. Just a simple prompt of "This plug-in/app has been disabled due to security issues. Do you want to run it this one time?" That would serve the dual purposes of not leaving their users stranded and giving an explanation for why it suddenly doesn't work.
Score: 6 Votes (Like | Disagree)
Stella Avatar
Stella
157 months ago
Seriously? From a programmer's perspective: http://tech.jonathangardner.net/wiki/Why_Java_Sucks
Thanks for the reply.

I write Java on a daily basis, I wanted to know from you why you thought 'Java Sucks'... or if you were just on some bandwagon. Some reasons why Java sucks are now invalid and have been for a long time - such as 'Java is Slow'... which is a gross generalization.

Some of those points or valid in the link, others are just his opinion, others may disagree or agree.

Java can be a good choice on the server side, on the GUI side, not so much. Saying that, writing webapps with Java is not a great experience - there are better choices - YMMV.
Score: 6 Votes (Like | Disagree)
Read All Comments