Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

by

As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

java 7 blacklist
Apple's updated plug-in blacklist requiring an unreleased version of Java 7

Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but at least some versions of Java 4 through 7.

Popular Stories

Apple iPhone 16e Feature

Apple Announces iPhone 16e With A18 Chip and Apple Intelligence, Pricing Starts at $599

Wednesday February 19, 2025 8:02 am PST by
Apple today introduced the iPhone 16e, its newest entry-level smartphone. The device succeeds the third-generation iPhone SE, which has now been discontinued. The iPhone 16e features a larger 6.1-inch OLED display, up from a 4.7-inch LCD on the iPhone SE. The display has a notch for Face ID, and this means that Apple no longer sells any iPhones with a Touch ID fingerprint button, marking the ...
Read Full Article657 comments
iphone 17 pro asherdipps

iPhone 17 Pro Models Rumored to Feature Aluminum Frame Instead of Titanium Frame

Tuesday February 18, 2025 12:02 pm PST by
Over the years, Apple has switched from an aluminum frame to a stainless steel frame to a titanium frame for its highest-end iPhones. And now, it has been rumored that Apple will go back to using aluminum for three out of four iPhone 17 models. In an investor note with research firm GF Securities, obtained by MacRumors this week, Apple supply chain analyst Jeff Pu said the iPhone 17, iPhone...
Read Full Article175 comments
apple launch feb 2025 alt

Here Are the New Apple Products We're Still Expecting This Spring

Thursday February 20, 2025 5:06 am PST by
Now that Apple has announced its new more affordable iPhone 16e, our thoughts turn to what else we are expecting from the company this spring. There are three product categories that we are definitely expecting to get upgraded before spring has ended. Keep reading to learn what they are. If we're lucky, Apple might make a surprise announcement about a completely new product category. M4...
Read Full Article59 comments
iPhone 17 Roundup Feature 2

iPhone Design to Change 'Significantly' This Year

Monday February 17, 2025 7:09 am PST by
Apple is set to "significantly change" the iPhone's design language later this year, according to a Weibo leaker. In a new post, the user known "Digital Chat Station" said that the iPhone's design is "starting to change significantly" this year. The "iPhone 17 Air" reportedly features a "horizontal, bar-shaped" design on the rear, likely referring to an elongated camera bump. On the other...
Read Full Article241 comments
Generic iOS 18

Here's When Apple Will Release iOS 18.4

Wednesday February 19, 2025 11:38 am PST by
Following the launch of the iPhone 16e, Apple updated its iOS 18, iPadOS 18, and macOS Sequoia pages to give a narrower timeline on when the next updates are set to launch. All three pages now state that new Apple Intelligence features and languages will launch in early April, an update from the more broader April timeframe that Apple provided before. The next major point updates will be iOS ...
Read Full Article46 comments
apple launch feb 2025

Tim Cook Teases an 'Apple Launch' Next Wednesday

Thursday February 13, 2025 8:07 am PST by
In a social media post today, Apple CEO Tim Cook teased an upcoming "launch" of some kind scheduled for Wednesday, February 19. "Get ready to meet the newest member of the family," he said, with an #AppleLaunch hashtag. The post includes a short video with an animated Apple logo inside a circle. Cook did not provide an exact time for the launch, or share any other specific details, so...
Read Full Article286 comments
Apple 2025 Thumb 1

Two of Apple's Oldest Products Are Finally Getting Updated This Year

Friday February 14, 2025 6:03 am PST by
Apple released the HomePod mini in November 2020, followed by the AirTag in May 2021, and both still remain first-generation products. Fortunately, rumors suggest that both the HomePod mini and the AirTag will finally be updated at some point this year. Below, we recap rumors about the HomePod mini 2 and AirTag 2. HomePod mini 2 In January 2025, Bloomberg's Mark Gurman said Apple is ...
Read Full Article
iOS 18

iOS 18.4 Coming Next Week With These New Features for Your iPhone

Friday February 14, 2025 6:18 am PST by
The first iOS 18.4 beta for iPhones should be just around the corner, and the update is expected to include many new features and changes. Bloomberg's Mark Gurman expects the iOS 18.4 beta to be released by next week. Below, we outline what to expect from iOS 18.4 so far. Apple Intelligence for Siri Siri is expected to get several enhancements powered by Apple Intelligence on iOS...
Read Full Article

Top Rated Comments

KnightWRX Avatar
KnightWRX
158 months ago
com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
Score: 23 Votes (Like | Disagree)
xionxiox Avatar
xionxiox
158 months ago
Java is the worst thing ever. Always buggy and slow. Oracle doesn't give a damn about Macs.
Score: 19 Votes (Like | Disagree)
mreed911 Avatar
mreed911
158 months ago
Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.
Score: 14 Votes (Like | Disagree)
WildCowboy Avatar
WildCowboy
158 months ago
I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.
OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.


com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.
You are of course correct, and I've updated accordingly to make things more clear.
Score: 8 Votes (Like | Disagree)
inkswamp Avatar
inkswamp
158 months ago
Well, I don't think I will join the debate about Java, but a temporary fix to enable Java (I know, it is a security hazard, however I don't have another option as I have to use the Juniper SSL VPN network connect client).
So,
1. close Safari
2. Open a terminal
3. sudo vi /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
4. Find the string <key>MinimumPlugInBundleVersion</key>
5. Just under that line you should see the version. Change the last portion of the number from 19 to 1.
6. Save and exit
7. Start up Safari and you should work. You must keep in mind that this file may be updated by Apple again, so this is only temporary and should only be done if you *must* use your current version of Java.

best of luck....

Thanks so much for posting this. The company I work for uses a payroll system that requires the Java plug-in and I was unable to access it. Would have been stuck without this.

I like that Apple is clearly looking out for the safety of their users, but at the same time, it would be nice if they would put in a user interface for temporarily side-stepping this kind of thing instead of having to hack around in the system files. Just a simple prompt of "This plug-in/app has been disabled due to security issues. Do you want to run it this one time?" That would serve the dual purposes of not leaving their users stranded and giving an explanation for why it suddenly doesn't work.
Score: 6 Votes (Like | Disagree)
Stella Avatar
Stella
158 months ago
Seriously? From a programmer's perspective: http://tech.jonathangardner.net/wiki/Why_Java_Sucks
Thanks for the reply.

I write Java on a daily basis, I wanted to know from you why you thought 'Java Sucks'... or if you were just on some bandwagon. Some reasons why Java sucks are now invalid and have been for a long time - such as 'Java is Slow'... which is a gross generalization.

Some of those points or valid in the link, others are just his opinion, others may disagree or agree.

Java can be a good choice on the server side, on the GUI side, not so much. Saying that, writing webapps with Java is not a great experience - there are better choices - YMMV.
Score: 6 Votes (Like | Disagree)
Read All Comments