Apple's anti-malware blacklists Java 7 plug-in again

Summary: Java web plugins get the boot from OS X for a second time in a month.

Apple has once again effectively blacklisted Java 7 web plug-ins on Macs by enforcing a minimum version for the software — a version that has yet to be released by Oracle.

The new blacklisting of Java 7 update 11 — the latest version available — makes it the second time in a one-month period that Apple has used the anti-malware system built into OS X to remotely block the software.

It's not clear why Apple has blacklisted the latest Java update. However, it follows reports last Sunday that, despite Oracle's efforts to harden Java security, the latest version allows unsigned code to be executed.

When Apple instituted the first Java block in January, the move was considered unusual, in part because Apple has typically used its Xprotect system to block malware such as the widespread Flashback Trojan for Macs in 2011. However, the serious risks posed by zero-day vulnerabilities in Java SE 7 update 10 prompted Apple to apply Xprotect to it.

In January, Apple moved to fend off attacks exploiting those vulnerabilities by adding "build 19" of Java 7 update 10, denoted by "1.7.0_10-b19", to its "Xprotect.plist" blacklist. The latest build at the time was 1.7.0_10-b18, meaning that Java 7 web plug-ins were effectively blacklisted until Oracle released a version that superseded it.

That version came in mid-January when Oracle released Java 7 update 11, which satisfied Apple's minimum requirements under Xprotect. It didn't fix all the vulnerabilities, though, according to researchers at security firm Immunity.

The US Department of Homeland Security also urged internet users to disable Java web plug-ins despite the latest update.

The new block applies to the plugin for Java 7 update 11 version 1.7.0_11-b22, which, like last time, is one build ahead of the current version 1.7.0_11-b21.
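The minimum-version comparison behind both blocks can be reproduced for a fleet inventory check. This is an added example, not Apple's code and not part of the original article; the function names and the host inventory are constructed, and treating an unparseable version string as blocked is an assumption.

```python
import re

# Version strings in the form the article quotes, e.g. "1.7.0_11-b21".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)_(\d+)-b(\d+)$")


def parse_java_version(text):
    """Turn '1.7.0_11-b21' into (1, 7, 0, 11, 21) for numeric comparison."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised Java version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def plugin_blocked(installed, minimum):
    """True when the installed build is below the enforced minimum."""
    return parse_java_version(installed) < parse_java_version(minimum)


def audit(inventory, minimum):
    """Return the sorted hosts whose plug-in would be refused under `minimum`.

    Assumption: a version that cannot be parsed is reported as blocked
    (fail closed) so that it gets looked at rather than silently passed.
    """
    floor = parse_java_version(minimum)
    blocked = []
    for host, version in sorted(inventory.items()):
        try:
            allowed = parse_java_version(version) >= floor
        except ValueError:
            allowed = False
        if not allowed:
            blocked.append(host)
    return blocked


# Constructed inventory; host names and the update 9 build are sample values.
SAMPLE_INVENTORY = {
    "mac-01": "1.7.0_10-b18",
    "mac-02": "1.7.0_11-b21",
    "mac-03": "1.7.0_9-b05",   # a plain string compare ranks this above _10
    "mac-04": "unknown",
}

if __name__ == "__main__":
    for minimum in ("1.7.0_10-b19", "1.7.0_11-b22"):
        print(minimum, "->", audit(SAMPLE_INVENTORY, minimum))
```

Because each minimum is one build ahead of the newest release at the time, every host fails the second check until a later build ships.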

Since the Flashback malware hit Apple users, the company has released a series of updates distancing Java from its latest operating systems. Addressing Flashback malware variants, Apple in April last year disabled the Java web plug-in in OS X Lion and in October issued an update that uninstalled the Apple-provided Java applet plug-in from all Safari browsers.

About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
