Apple blocks OS X Java 7 plug-in as U.S. Department of Homeland Security warns of zero day threat

“As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties,” Eric Slivka reports for MacRumors. “In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.”

“Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed,” Slivka reports. “Apple has achieved this by updating its ‘Xprotect.plist’ blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.”

Read more in the full article here.

MacDailyNews Take: Java is the new Flash.
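
The minimum-version check described in the MacRumors excerpt above can be sketched as follows. This is an added example, not Apple's code or part of the original article: the plist key `PlugInMinimums`, the bundle ID `example.java7.plugin` and the fail-closed handling are assumptions, and the sample plist is constructed. It shows why 1.7.0_10-b18 fails a 1.7.0_10-b19 minimum, and why the comparison has to be numeric rather than a string compare.

```python
import plistlib
import re

# Constructed sample, NOT Apple's real XProtect.plist. The key name
# "PlugInMinimums" and the bundle ID are hypothetical placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInMinimums</key>
  <dict>
    <key>example.java7.plugin</key>
    <string>1.7.0_10-b19</string>
  </dict>
</dict>
</plist>
"""

# Java 7 style version string: major.minor.patch[_update][-bBUILD]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(version):
    """Return (major, minor, patch, update, build) as ints; missing parts are 0."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError("unrecognised Java version: %r" % version)
    return tuple(int(part) if part else 0 for part in match.groups())


def is_blocked(installed, minimum):
    """True when the installed version is below the required minimum."""
    return parse_java_version(installed) < parse_java_version(minimum)


def check_plugin(plist_bytes, bundle_id, installed):
    """Apply the blocklist's minimum-version rule to one installed plug-in."""
    minimums = plistlib.loads(plist_bytes).get("PlugInMinimums", {})
    minimum = minimums.get(bundle_id)
    if minimum is None:
        return False  # no rule for this plug-in, so it is not gated
    try:
        return is_blocked(installed, minimum)
    except ValueError:
        return True  # assumption: fail closed on an unparsable version


if __name__ == "__main__":
    for v in ("1.7.0_10-b18", "1.7.0_10-b19", "1.7.0_9-b05"):
        print(v, "blocked" if check_plugin(SAMPLE_PLIST, "example.java7.plugin", v) else "allowed")
```
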


15 Comments

  1. “Apple has achieved this by updating its ‘Xprotect.plist’ blacklist”
    So OS X is in FACT more secure than Windows and not just because of the “Security through obscurity” sense.

    1. Unfortunately, as I have verified, on 10.7.5 there have been problems at Apple’s end allowing the XProtectUpdater CLI app to download the new XProtect.plist file. I consistently ran into certificate/signature errors from Apple’s website no matter how I invoked XProtectUpdater. That’s not good.

      I’ll be doing more testing Saturday, including on my 10.8 systems.

      http://Mac-Security.blogspot.com

  2. I usually disable the Java web plugin whenever I hear about something like this. Now Apple has disabled it for me, before I even heard about this problem. That’s awesome.

    I wonder, hypothetically, what I would have to do to override this if I really did need to use the Java web plugin today.

    1. Total agreement. I’ve proven Security Through Security to be total BS on many occasions. Do some simple proportional math and you’ll find there are over 1000x more malware for Windows than Mac on a 1:1 user basis. That’s VERY bad. That’s Microsoft’s fault, not market share’s fault.

        1. I’ve been up and I’ve been down. My worth didn’t change one way or the other.

          But we geeks know full well that technology ignorance attracts people to all sorts of worthless crap. My mom is a prime example. If not for me, she’d own a netbook as well as an Android. I think of teaching people about superior technology as a public service, an act of altruism. 🙂

  3. I wish Apple had bothered to TELL its users that it was disabling all versions of Java. I spent more than an hour yesterday troubleshooting my computer’s Java issues when I couldn’t use a vendor’s Java-based proofing system to okay materials waiting to go on press. I called the vendor, they called THEIR software people, I reinstalled the Java plug-in on three different browsers.

    Sigh.

    I know Apple was doing the right thing. But they could have at least warned their user base!!! AAARGGGHHH!

  4. Damn. I posted three Mac-Security articles today to keep up with the onslaught of Java horror news.

    NOTE: There are assertions this afternoon that ALL versions of Java, versions 4 through 7, are affected by today’s zero-day security hole.

    Therefore: There is NO safety in older versions of Java, including Java 6.

    My mantra:
    Just Turn Java OFF

    http://Mac-Security.blogspot.com

  5. “Java is the new Flash.”

    If you think about it, Java is the OLD Flash. When the iPhone came out, no one cared that the browser didn’t support Java, because Java was already long-obsolete by then (thanks in large part to Flash).

  6. Copy and paste this string below into “Go to Folder” under “Go” in the Finder Menu, for fast access to the XProtect.plist, then right click “Get info” on XProtect.plist to see dates for “Created” and “Modified”

    /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
