Apple's anti-malware blacklists Java 7 plug-in again

Apple's anti-malware blacklists Java 7 plug-in again

Summary: Java web plugins get the boot from OS X for a second time in a month.


Apple has once again effectively blacklisted Java 7 web plug-ins on Macs by enforcing a minimum version for the software — a version that has yet to be released by Oracle.

The new blacklisting of Java 7 update 11 — the latest version available — makes it the second time in a one-month period that Apple has used the anti-malware system built into OS X to remotely block the software.

It's not clear why Apple has blacklisted the latest Java update. However, it follows reports last Sunday that, despite Oracle's efforts to harden Java security, the latest version allows unsigned code to be executed.

When Apple instituted the first Java block in January the move was considered unusual, in part because Apple has typically used its Xprotect to block malware such as the widespread Flashback Trojan for Macs in 2011. However the serious risks posed by zero-day vulnerabilities in SE Java 7 update 10 prompted Apple to apply Xprotect to it.

Read this

How to disable Java in your browser on Windows, Mac

How to disable Java in your browser on Windows, Mac

Amid a serious security flaw in the latest version of Java 7, where even the U.S. Department of Homeland Security has warned users to disable the plug-in, here's how you do it.

In January, Apple moved to fend off attacks exploiting those vulnerabilities by adding "build 19" of Java 7 update 10, denoted by "1.7.0_10-b19", to its "Xprotect.plist" blacklist. The latest build at the time was 1.7.0_10-b18, meaning that Java 7 web plug-ins were effectively blacklisted until Oracle released a version that superseded it.

That version came in mid-January when Oracle released Java 7 update 11, which satisfied Apple's minimum requirements under Xprotect. It didn't fix all the vulnerabilities, though, according to researchers at security firm Immunity.

The US Department of Homeland Security also urged internet users to disable Java web plug-ins despite the latest update.

The new block applies to the plugin for Java 7 update 11 version 1.7.0_11-b22, which, like last time, is one build ahead of the current version 1.7.0_11-b21.

Since the Flashback malware hit Apple users, the company has released a series of updates distancing Java from its latest operating systems. Addressing Flashback malware varients, Apple in April last year disabled the Java web plug-in in OS X Lion and in October issued an update that uninstalled the Apple-provided Java applet plug-in from all Safari browsers.

Topics: Apple, Malware, Oracle, Security

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • The problem with this

    The real problem is that it broke some very important tools for some. I believe a big newspaper used a Java application for pictures and found out the hard way it did not work.
    This again is my gripe with Apple. Its like our government these days. Stop deciding what is best for me when I can make the changes myself.
    • When you can...

      Surely YOU can decide what's best and disable Java and enable it on a per-page base policy. But alot of people can't! For your grandma, it's best when other people decide. She might find some web page not working, but it's better than finding your PC infected.
      • Get real!

        When your granny just uses her computer for playing Scrabble and looking at Facebook, I hardly think she will be grateful for Apple pushing the nuclear option and stopping these things working at all???
        Better to have the negligible risk in those situations and things "just work".

        Why does every customer get punished just because Apple finds a way to perceive that there is some risk to some particular users

        Thats the crazy thing about Apple's singular environment. Great when it works for everyone, but then everyone gets stuffed when there is any risk to one person.
        • Is Scrabble a java app?

          Cause you don't need Java for Facebook and you probably don't need it for Scrabble either. If you can enable the plugin manually, then I don't think this is a bad idea. OTOH, if you can't enable it, then it's a problem for corporate users, because the one thing that requires a java plugin is corporate web apps.
  • Thanks for protecting us, but...

    While I am not a large newspaper I work in the transportation industry and the emulator we use to check work (and everything else about our job) uses Java. Last night and today there are thousands that can not use their computers to check on their status and may have missed work, or worse could be reprimanded/suspended/fired because of it. I hope they figure this out soon. Oh yes, I could easily run out and buy a Windows machine. Fortunately, I have a work-around, but most do not, nor would they know to suspect that Apple pulled the Java Plug(in) on them.
  • This is wrong!!!!!

    Apple has disabled Java which runs an important program I use all day long. I spent several hours this morning trying to figure a workaround.

    It is completely wrong for them to automatically remove a program from my computer without my knowledge via an automatic update.

    An update is an update. REMOVING a program is another thing. They should have had a WARNING popup and ask you if you want to REMOVE a program before they did it.

    They haven't just disabled a program. They have DISABLED my ability to work!!

    I know many people that have been affected by this. They should not unilaterally decide what Mac owners can and cannot have on computers that we own. This is just wrong. If the government decided to take a program off my computer I would have a fit. This is even worse. I bought and paid for an Apple product and now they think they can decide what I can run on it? Wrong, wrong, wrong!!!
    • kgood is right.

      kgood is right on. I too spent about 3 hours trying to fix a problem I didn't create so that I could sell some stock on the Schwab Streetsmart site. By the time I got Schwab on the line to tell me what the problem was, I had lost $4000. No security breach has ever occurred on my computer, and I think Apple owes me the money. They, at least, could have informed people of their unilateral, unwelcome, unnecessary, action. The Schwab tech guy said they had been deluged with calls all morning, so kgood and I aren''t the only ones
    • Java program running on Apple OS.

      Very well, kgoodfl . I 100% support your opinion in this case. Apple has no right to dictate users of its OS , what should or what shouldn't be run on their own machine . This kind of policy is clearly cannot be justified. I'm against tyranny.
      Andre H.S Xie
  • Hate when Apple does things like this

    They just do not seem to be able to play nice with anyone these days and continue to act as if they still own the devices they sold to consumers.
    • Dammed if you do. Dammed if you don't.

      The US Government "suggested" that Java be disabled on computer systems. PC security experts "advised" that the latest Java updates were still vulnerable to the security exploits that the US Government warned against.

      There comes a time when each libertarian must compromise for the better good. This is one of those times.

      Apple made a decision. It was only a little bit better than a "no win" solution. But they made it. I can understand the logic behind that pro-active decision to disable Java on as many Apple devices as it could.

      I don't begrudge your "hate" for this decision. Like I said, it was almost a no-win scenario. But I would also respect Apple for a gutsy call.

      Now, the ball is in Oracle's court - so to speak. If Oracle can bullet proof Java, I'm sure Apple will lift it's Java ban.

      But, ultimately, it is Oracle's responsibility to world wide computer users to safeguard their software from attack vectors - not Apple's nor Microsoft's.
      • No Internet Age Program is "Bullet Proof"

        By connecting to a network you as a user should be prepared and aware that there are and will always be holes and flaws in everything that uses that network with you. Expecting anything else means you have now become the biggest flaw in your online security. You certainly don't expect auto manufacturers to accept responsibility for you rolling over a nail or screw do you? Why would you you expect software companies and developers to foresee unpredictable problems down the line with every release? Lets be honest if all programming was bullet proof there would be no reason for updating said programming. They made the product they tested it against scenarios it passed, how can they foresee it failing in a manner no previous build did. Simple fact is Apple over reacted when it did what it did in nannying millions of machines that they have no ownership in. No program is bullet proof and above fault and you should be responsible for your machines security or stop using third party software. Since most of us choose to use software and programs through third party agencies we accept all liability for things that happen when we do, it's in ALL user agreements.

        If the ball is in Oracle's court, i wouldn't be surprised if they pulled out of the Apple market all-together. In fact I would applaud them. Why should you continue to serve a market that has shown no regard for developers in the past. If they were willing to cut you out all-together why not reciprocate?
        Éloi Yorke
  • Gee, I Wonder?

    What kind of catastrophic event could trigger such a drastic response?
  • As a New Mac user, I'm ready to go back to PC

    As a realtor, many of the programs I use for business apparently use Java, because they aren't working right. I didn't know there was a security issue until this morning's edition of the New York Times gave me that info. I was blaming the corporate web connection they've been tweaking lately. This is ridiculous, Java is used on so many platforms, I am in full agreement with kgoodfl, they've brought my work to a standstill online. I may go back to PC over this....what a terrible decision I made last summer when I decided to "upgrade" to Mac.
  • Apple's disabling of Java

    My husband does some market trading and uses a MAC. He has TWO large screens to see everything. It took about 4 hours to set up my tiny Windows XP laptop to solve a problem that Apple created overnight. Also it took my work away from me to be the IT desk. I do not like Big Brother watching you. They could have explained the problem and let him make up his own mind. He could weigh the risk and the cost of doing without this system. But they did it for him!!! And without any indication of how long he will need to use a 13 inch screen instead of a 20" plus a 16". We think that something may have been done yesterday, and it caused his system to crash while he was working on a word document.
    Sarah Christiansen
  • Get the Story Straight

    My problem with sensationalist posts such as this is that they do nothing but blur the facts and support false presumptions. The gist of this article presupposes that 'Apple' is your friend and looking out for your best interests while 'Oracle' isn't concerned about, nor handles security concerns effectively.

    If your going to tell the story :: Do your homework and tell the WHOLE story :: this post smacks of trash-tabloid quality ...
  • I'm missing something.

    As far as I know, Java is some kind of programming language. My computers use their own languages and do all kinds of stuff without external help. So, why Java? Apple, Microsoft, please
    WAKE UP.
  • Possible?.....

    You would think a generation that can shrink the processing power of 10 computers onto a space the size of button would be able to figure out and fix something like Java. Why isn't this possible? Is it because the companies are just too interestd in making money and nothing else? I don't approve of the method used by Apple, and to use the "We're Doing Thie For The Public's Safety" schpiel is even worse. It would seem to me that no matter how "hi-tech" we as a society get....that those who have "dumbed down" personal computing still think we need to have someone hold our hands, and this is not the case anymore! Many people are highly capable of enabling / disabling Java on their machines, and for some company to decide to do it FOR you just shows how feeble they consider you all to be. (And I use "you all" to signify Human Beings...NOT anyone in particular!) And Microsoft is also on the same firing line, while they haven't gone ahead and taken anything away from the users control, they also haven't given the user freedom to choose other things....(And for all wondering....I don't use Microsoft....OR Apple, I have an OLD PC that USED torun Win XP that now runs Linux.....I don't have to worry about not being able to run / enable / diable Java on my laptop....but I guess it's what's best for the public that matter most no?...
  • For consumers, duh!

    I can't believe Apple can get away with this. This is just proving that Apple is really only for consumers and you're playing with fire if you're using their computers for enterprise. Where is the Mac Pro update? What about Final Cut Pro(sumer)? Apple doesn't care.
  • Interesting

    Its interesting that so many are commenting on Apple's "bad call" but hardly any are going after Oracle for creating software with swiss-cheese security.