Apple has once again effectively blacklisted Java 7 web plug-ins on Macs by enforcing a minimum version for the software — a version that has yet to be released by Oracle.
The new blacklisting of Java 7 update 11 — the latest version available — makes it the second time in a one-month period that Apple has used the anti-malware system built into OS X to remotely block the software.
It's not clear why Apple has blacklisted the latest Java update. However, it follows reports last Sunday that, despite Oracle's efforts to harden Java security, the latest version allows unsigned code to be executed.
When Apple instituted the first Java block in January the move was considered unusual, in part because Apple has typically used its Xprotect to block malware such as the widespread Flashback Trojan for Macs in 2011. However the serious risks posed by zero-day vulnerabilities in SE Java 7 update 10 prompted Apple to apply Xprotect to it.
In January, Apple moved to fend off attacks exploiting those vulnerabilities by adding "build 19" of Java 7 update 10, denoted by "1.7.0_10-b19", to its "Xprotect.plist" blacklist. The latest build at the time was 1.7.0_10-b18, meaning that Java 7 web plug-ins were effectively blacklisted until Oracle released a version that superseded it.
That version came in mid-January when Oracle released Java 7 update 11, which satisfied Apple's minimum requirements under Xprotect. It didn't fix all the vulnerabilities, though, according to researchers at security firm Immunity.
The US Department of Homeland Security also urged internet users to disable Java web plug-ins despite the latest update.
The new block applies to the plugin for Java 7 update 11 version 1.7.0_11-b22, which, like last time, is one build ahead of the current version 1.7.0_11-b21.
Since the Flashback malware hit Apple users, the company has released a series of updates distancing Java from its latest operating systems. Addressing Flashback malware varients, Apple in April last year disabled the Java web plug-in in OS X Lion and in October issued an update that uninstalled the Apple-provided Java applet plug-in from all Safari browsers.