
Apple blocks Java 7 Mac plugin in OS X - tcskeptic
http://9to5mac.com/2013/01/11/apple-blocks-java-7-mac-plugin-in-os-x-following-discovered-security-vulnerability/
======
gokhan
Seems like people on this thread are OK when Apple remotely fiddle with what
they can and can't run on their own machine without a notice. Interesting
times.

~~~
orionblastar
"Screw your rights and liberties to run what you want on OUR OS X!" -Apple

This is why I chose Ubuntu over Mac OS X. I have a Macbook and OS X 10.7 on
it, I got tired of being restricted and locked out. Then I found that Ubuntu
was more open and less restrictive. I replaced Windows 8 on my PC with Ubuntu
12.10 and my Acer laptop no longer runs Windows 7 but Ubuntu 12.10 (I won it
at a church raffle) and my Macbook now gathers dust, I'll only use it when I
get around to developing iOS apps or something. For everything else it is
useless to me now.

~~~
archgrove
You can run anything you want in OS X. This block for Java is part of a
(easily deactivated) security system to prevent malware or critically
vulnerable software from compromising your system.

~~~
orionblastar
Nope not when Apple has the ability to block anything on OS X remotely. You
unblocked it, and then they do another check and block it again.

What is to stop Apple from blocking free and open source software in the same
way? Say they want you to buy iWork, not use LibreOffice for free, so they put
in a block for LibreOffice. Now let's say they don't want you using Firefox or
Chrome and they want you to use Safari instead, so they block Firefox and
Chrome. Citing that they are all 'security risks' because they are code Apple
does not control. BTW LibreOffice and OpenOffice.Org are Java based, and this
Java block would stop them from working in the web browser to display
documents.

There will come a time with Mac OS X that Apple will lock it down like they
did to iOS, and you'll have to jailbreak it to run what you want on it. This
will be done for security reasons, of course, to protect the user.

~~~
archgrove
Just turn off the auto update for the blacklist (IIRC, it's in the Security
prefpane). "Problem" solved?

------
asadotzler
Mozilla is blocking Java as well, keeping hundreds of millions of Firefox
users safe.

Mozilla Security Blog: Protecting Users Against Java Vulnerability

<https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/>

~~~
testing12341234
It appears that Mozilla has changed Java applets to "Click to Play". On the
other hand, Apple has completely blacklisted the current version of Java. This
may affect corporate users where they need access to Java applets for internal
intranet applications. In FF, they would still be able to use the applet if
needed. I think the Mozilla method strikes the better balance between
protecting the end users and allowing them to use the browser as intended.

~~~
absconditus
Those same corporate apps nearly always require IE.

~~~
cube13
And, realistically, those corporate apps probably work perfectly fine with
Apple's deprecated JVM. Oracle's JVM has been in the wild for about 5 months.

------
freehunter
This link is awful. This [1] is a much better link, and the source of this
news according to 9to5mac.

[1] <http://www.macrumors.com/2013/01/11/apple-blocks-java-7-on-os-x-to-address-widespread-security-threat/>

------
tommi
Apple has blocked only Java applet browser plugin from Safari. Java can still
be run on OS X.

~~~
rwg
That's little comfort for the hundreds of universities whose business logic
and data is tied up in Banner, which is a horrible Oracle Forms mess on the
client ("Internet Native Banner"), which requires a web browser with a working
Java plug-in...

(Imagine your company held a contest to design the worst CRUD application that
uses the Web somehow but isn't actually a web application. That's Internet
Native Banner.)

------
jiggy2011
So organisations that rely on Java applets (such as some online banks and
others) can expect _a lot_ of support calls around now.

Difficult to know what to suggest in such a circumstance, do you give the
customer instructions about how to override this and let them risk getting
pwned by some random site?

Or do you just tell them they can't use the service anymore until they do a
full rewrite?

~~~
freehunter
I'm wondering what happens to corporate Macs where the users require Java in
the browser to do their job. Is there any kind of trouble Apple could get into
for removing this without warning when corporations have specifically
installed what they need to work?

~~~
kyllo
Yeah, my last employer did all their accounting in an Oracle ERP system that
was built on Java Applets. They would be screwed right now if they were using
Mac machines.

I could be wrong about this, but it sounds like if you go in and edit
Xprotect.plist manually to remove the Java plugin from the blacklist, Apple
will just update it again and blow out your changes within a day or so.

~~~
dmix
Safari (the only one getting the block) isn't even the most popular browser on
OSX. Chrome + Firefox have 10x more users than Safari on Macs.

~~~
biafra
Thank you for the clarification. I was wondering how Apple blocks plugins from
other browsers. Both articles I saw did not care to mention that only Safari
plugins (and probably third party browsers that use the mac webview like
Fluid.app) are blocked.

------
dutchbrit
Well well well! Great job at blocking Java, Apple. Stop those bastard virus
writers from spreading their malicious code. On the other hand, I assume this
happened silently since I didn't notice a thing. Would be good to show an
extra forced popup message saying, look, we disabled Java for you because it's
a total shitstorm outside at the moment. But if you really need it, do x y z
to (temporarily) disable the block or to whitelist certain applications/sites.
Now that'd be a sweet security system! Arggghh!

~~~
zaidf
I'm not sure I agree that Apple should try to explain to the users what they
did. It is really hard coming up with one message to communicate something to
tens of millions of people. The end result is often confusion or panic--both
of which I would not want to see in my users if I am Apple.

------
sergiotapia
What if you need to enable access to Java 7 again on your Mac machine? Is
there a setting you click that says, "I know the risks, let it run anyway."?

I find it hard to believe that a consumer desktop PC can be remotely
controlled like that and leave NO input to the user.

------
j45
Overall: This is interesting, because of how huge of a Java/Tomcat house Apple
is in-house.

In a browser: Java, like anything, has its bugs. Hopefully the stewards of
Java for the browser keep it current.

~~~
mjhall
The current vulnerability affects environments where untrusted code already
executes. Since applets can be used to upload arbitrary code, it makes sense
to block it.

This isn't a political move I don't think, just a common sense mitigatory move
to protect people. Web apps running Java are safe from this vulnerability,
unless they're accepting user-supplied code and running it.

~~~
j45
That's a great clarification and fact that sadly may be lost in the dramatics
of the headline, either done on purpose or someone didn't understand before
submitting.

~~~
mikegirouard
I thought the same thing too… I only read "Apple blocks Java 7…"

The "…Mac Plugin" part was completely lost in my skimming.

------
rdl
Sucks for people with VPNs that are java applet based.

~~~
bill-nordwall
I was able to get my java-applet-based VPN working again by temporarily re-
enabling Apple's Java SE 6 applet plugin: <http://support.apple.com/kb/HT5559>

------
kyllo
Did they already push the blacklist file update to all Mac machines? Or is it
bundled in a software update that OS X is going to ask me to install when I
get home from work and wake my MacBook up?

~~~
rbehrends
This is not distributed via Software Update, but via Apple's XProtect malware
protection system and should be updated silently in the background. You can
check
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
to see if it's up to date. To force an update, run "sudo
/usr/libexec/XProtectUpdater" or "sudo launchctl start
com.apple.xprotectupdater".
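
The check described in the comment above, as an added example that is not part of the original thread: a small reader for the XProtect.meta.plist layout that reports the list version and which plug-in bundle versions fall below the listed minimum. The key names (`Version`, `LastModification`, `PlugInBlacklist`, `MinimumPlugInBundleVersion`) are an assumption about the file format of that era, and the sample data is constructed.

```python
import plistlib

# Constructed sample; key names follow the layout assumed for XProtect.meta.plist
# and every value (version numbers, date) is made up for illustration.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LastModification</key><string>Fri, 11 Jan 2013 00:00:00 GMT</string>
  <key>Version</key><integer>1000</integer>
  <key>PlugInBlacklist</key><dict><key>10</key><dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>1.2.3.4</string></dict>
  </dict></dict>
</dict></plist>"""


def version_tuple(text, width=6):
    """Turn '1.2.3' into (1, 2, 3, 0, 0, 0) so short versions compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def load_meta(raw):
    """Return list version, last-modified string and per-plugin minimum versions."""
    meta = plistlib.loads(raw)
    minimums = {}
    for os_group in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in os_group.items():
            if "MinimumPlugInBundleVersion" in rule:
                minimums[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return {"version": meta.get("Version"),
            "last_modification": meta.get("LastModification"),
            "minimums": minimums}


def is_blocked(summary, bundle_id, installed_version):
    """A plug-in is blocked when its bundle version is below the listed minimum."""
    minimum = summary["minimums"].get(bundle_id)
    if minimum is None:
        return False
    return version_tuple(installed_version) < version_tuple(minimum)


if __name__ == "__main__":
    summary = load_meta(SAMPLE_META)
    print("list version:", summary["version"], "updated:", summary["last_modification"])
    for bundle_id, minimum in summary["minimums"].items():
        print(f"{bundle_id}: versions below {minimum} are blocked")
```

On a Mac, passing the bytes of the real file to `load_meta` in place of `SAMPLE_META` gives the same report for the installed list.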

------
dakimov
Well, Java sucked, Apple blocked it.

If you pretend your technology to be secure, but constantly fail in that
aspect, you'd expect this kind of result.

~~~
cma
It also seems like a big failure of the OS/browser that it can't be sandboxed
effectively.

~~~
revscat
Did you notice the part where this affects every OS and browser?

This is a flaw in Java, not any operating system or browser. Java, across all
platforms, provides a way to execute native code if you have the correct
permissions to do so. A way was found to exploit this by getting access to a
raw classloader using MBeans. Once you have access to that classloader you can
do whatever you want.

Please do not try and turn this into an OS war.

~~~
cma
I wasn't making this an OS war, as I didn't recommend any alternative
OS/browser. See my later comment, since I wasn't very detailed in the initial
one.

