Apple Angers Mac Users With Silent Shutdown of Java 7

An anonymous reader writes in with news of the continuing saga of Java patches and exploits. "If you're a Mac user who suddenly can't access websites or run applications that rely on Java, you're not alone. For the second time in a month, Apple has silently blocked the latest version of Java 7 from running on OS X 10.6 Snow Leopard or higher via its XProtect anti-malware tool. Apple hasn't issued any official statements advising users of the change or its reasons, but it's a safe bet that the company has deemed Oracle's most recent update to Java insecure. That's why the company stealthily disabled Java on Macs back on Jan. 10, the same day a Java vulnerability was being exploited in the wild."

Old News

[swimboy]

Update 13 is already out, and *not* blocked by Apple. All that's blocked are the old, insecure (well, more insecure) versions.

Re:I sure the EULA will tell me I cant do anything

[SteveTheNewbie]

You do realise you can disable this right?

https://discussions.apple.com/thread/4762386?start=0&tstart=0 [apple.com]

Quite amazing what a google search for 'disable XProtect' turns up..

Re:Good

[Colonel Korn]

Java... free. VirtualBox... free. Oracle Linux... free. How can you say they're greedy?

On Windows, Java installs the Ask Toolbar (for now - other times it installs other shit) every time it updates to a new version unless the user realizes Oracle is a two bit hole in the wall company and unchecks the default boxes to opt out. That's greedy. To an even greater extent that's sleazy and just...trashy.

Re:This Mac user not angered.

[kthreadd]

There is very little reason to offer such option since users should not use vulnerable versions of plugins. The plugin vendor should fix the problem and update the plugin.

Re:Good for them.

[Anonymous Coward]

a) it's old news
b) both the Java 7 (from Oracle) and Java 6 (from Apple) updates that address this are already out . Is the new motto Recycling obselete news that matters ;)
c) if you want to opt out from Xprotect, how to guides abound
d)it's the Safari plugin only - other browsers are not effected
e) Apple have pulled the trigger on Xprotect maybe 4 times in 3 years, its not like they are shotgunning

The vulnerabilities from Java 7 were hideously large, and Apple probably did the right thing for the 99 percent who don't know any better. Driveby root access isn't all that fun for the target.

The 1 percent who care, can disable Xprotect temporarily if they want to.

For anyone in between, they could always use another browser.

If you are using a Mac , you are not generally the IT equivalent of a Yukon Frontiersman

Re:Good for them.

[countach]

Two issues. Firstly Apple didn't just disable web applets. They disabled Java Web Start too, so whole corporations and government departments are suddently shut down. Secondly, they didn't provide any announcement, or a gui tool to re-enable at your own risk. It was just nuke everyone in silence.

Re:I'm Pretty Sure They Just Needed An Excuse

[FreakyGeeky]

Your information is woefully out of date. Oracle is where you get Java for OS X, and it's been that way for a couple years.

Still not working on 10.6

[g1powermac]

The summary is incorrect with saying Apple blocked Java 7 on 10.6. Actually, Snow Leopard can't run the new Java from Oracle, it can only run the Apple version of it which is still the 6 series. With this last round of blocking, Apple also blocked their own version on Snow Leopard and Apple has not yet released an update for it last time I checked. Now, in my opinion, this whole blocking thing without notice was extremely unprofessional and made me disappointed in Apple, and that's coming from a Mac fan. I got hit with it the other day and spent hours trying to figure out why in the world Java wasn't working on my machines. Ended up finding a work around editing a .plist file using a console text editor. Definitely not a solution for anyone not familiar with the command line.

Re:Old News

[R.Mo_Robert]

I am not stupid and know how to disable it for web browsing, but many apps use older java versions.

First, I'm not sure why Slashdot chose to run this article as opposed to any of dozens of others that actually explain the situation better, not that it matters because nobody reads them. Apple is not blocking Java applications. They are blocking only the plug-in. Further, from what I've read, they were not blocking Java 6, only insecure (well, more insecure) versions of Java 7 applets. Additionally, you can get around this with just about any Web browser besides Safari. Finally, at the moment, at least, the latest version of the plug-in is once again perfectly capable of running.

For competent reporting on this subject, see, among others, the MacRumors article about the most recent block [macrumors.com].

Re:Run Linux

[dririan]

Almost all of the plugins are soft blocked. They'll be automatically disabled when you start Fx, but you can easily re-enable them without patching or updating anything. In fact, the same dialog that tells you about the soft block lets you uncheck "Disable" to prevent it from being disabled. Very nearly all plugins that are blacklisted are soft blocked. Their criteria for hard blocking plugins (which means the plugin cannot be re-enabled) is that the plugin either "is malicious" or "a soft-block will not resolve the issue in question, such as a start-up crash". See Mozilla's wiki [mozilla.org] for more information, especially the sections "A High Bar", "Block Conditions", and "Block Severity".

Please don't spread misinformation and FUD about Mozilla's blocklisting when it really is done properly.

Re:Good for them.

[sjames]

Firefox implemented 'click to play' for Java, Silverlight, and Flash. That just means that it only runs them is the user specifically requests it. There's a big difference between blocking outright and suggesting strongly not running it and then letting the user decide.

Re:I sure the EULA will tell me I cant do anything

[gnasher719]

Depends on how it works, if it sends a list of installed software to Apple to check it's bad, but if it downloads a list of plugin signatures to disable because they're outdated and insecure that's not any worse or different than the antivirus downloading virus signatures. I don't see the privacy implications of that, would you elaborate?

Apple has been using a blacklist that is updated daily to stop dangerous software from running. It is mostly used against trojans, but also to block Java running as a Safari plugin, which has some rather serious exploits (basically, an applet can replace the default Java security manager with its own, and from then on anything goes), _and_ it is known that these exploits are actually for sale.

So there are no privacy problems whatsoever, and while blocking Java applets might be annoying, the alternative would be highly dangerous. By the way, Oracle has released a new software version fixing about 50 security problems, which is not blocked.

Re:I sure the EULA will tell me I cant do anything

[exomondo]

again, If i run a 3rd party monitoring system, I allowed them into my system. If this is on by default, then I am not sure I am ok with this..

It's updating a blacklist because people have auto-update on, nothing more. You are not 'allowing them into your system'.

What if apple decides one day that they dont want YY running on macs anymore

That would obviously be pointless given the only thing going on here is updating a blacklist - which is editable by the user - when automatic update is on. So clearly if they were to do that for some reason then the information would be disseminated pretty damn quickly about the simple fix to avoid it.

Re:Good for them.

[countach]

Yeah well, as someone tasked with fixing this for a government department, Apple hasn't told me how to do it. Yes, some hackers figured it out. Yes, I can google and get their knowledge. But Apple didn't give me any way to push the fix out. Nor did they give a gui tool so I can email the users with instructions. In short, we're a bit screwed right now. We'll get over it sure, but in the mean time, tons of legal centres are out of action. is this good enough behavior? Surely not! Please don't defend this crap.

Re:Wow... Apple can't catch a break...

[smash]

In slashdot groupthink, yes.

Re: Good for them.

[jbolden]

The "fools at Apple" make the security system a standard XML file which is editable by admins. You can do anything you want with it.