Apple (again) washes its hands of the Java mess

Filed Under: Apple Safari, Firefox, Java, Malware, Oracle, OS X, Security threats, Vulnerability, Web Browsers

Apple's thrown in the towel on the Java mess and has, for the second time in two weeks, blocked all versions of Java on OS X 10.6 (Snow Leopard) and later.

The new block applies to the plugin for Java 7 update 11 version 1.7.0_11-b22, which, like last time, is one build ahead of the current version 1.7.0_11-b21.

According to The Register, the blockade was first noted by the French blog MacGeneration.

Apple issued the update to its XProtect malware-handling system in OS X early Thursday morning. XProtect is a rudimentary anti-malware system built into recent releases of Mac OS X that Apple updates periodically to blacklist certain malware.

The update now blocks all versions of the Java Web plug-in before version 1.7.11.22 (previously the limit was version 1.7.10.19).
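As an added illustration (not code from the article or from Apple), the check below normalises Oracle's Java version strings into the dotted bundle form quoted for the plug-in and tests an installed plug-in against the two XProtect thresholds the article names. The mapping of 1.7.0_11-b22 to 1.7.11.22 is inferred from the article's own figures, and "blocked means strictly below the minimum" is an assumption about XProtect's rule.

```python
import re
from typing import Tuple

# Thresholds quoted in the article: the earlier XProtect update blocked
# everything below 1.7.10.19, the newer one everything below 1.7.11.22.
XPROTECT_MINIMUMS = {
    "previous": "1.7.10.19",
    "current": "1.7.11.22",
}

_JAVA_FORM = re.compile(r"^(\d+)\.(\d+)\.(\d+)_(\d+)-b(\d+)$")  # e.g. 1.7.0_11-b22
_BUNDLE_FORM = re.compile(r"^\d+(\.\d+)*$")                     # e.g. 1.7.11.22


def to_bundle_tuple(version: str) -> Tuple[int, ...]:
    """Normalise a version string to a tuple of ints for numeric comparison.

    Accepts Oracle's form "1.7.0_11-b22" (mapped to 1.7.11.22, the dotted
    bundle form the article quotes; the mapping is inferred, not documented
    here) or an already dotted bundle version such as "1.7.10.19".
    """
    m = _JAVA_FORM.match(version)
    if m:
        major, minor, _patch, update, build = (int(x) for x in m.groups())
        return (major, minor, update, build)
    if _BUNDLE_FORM.match(version):
        return tuple(int(x) for x in version.split("."))
    raise ValueError(f"unrecognised version string: {version!r}")


def is_blocked(installed: str, minimum: str) -> bool:
    """True if the installed plug-in is older than the XProtect minimum.

    Comparison is numeric per component; a naive string comparison would
    wrongly rank "1.7.9.5" above "1.7.10.19" and let an old build through.
    """
    return to_bundle_tuple(installed) < to_bundle_tuple(minimum)


if __name__ == "__main__":
    # Constructed sample of plug-in builds, including the two the article mentions.
    for v in ("1.7.0_10-b19", "1.7.0_11-b21", "1.7.0_11-b22", "1.7.9.5"):
        for name, mn in XPROTECT_MINIMUMS.items():
            state = "BLOCKED" if is_blocked(v, mn) else "allowed"
            print(f"{v:>13} vs {name} minimum {mn}: {state}")
```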

The move is likely due to issues outlined in Oracle's latest security alert regarding its Java problem child.

In that most recent Java headache, which came out in mid-January, Oracle's CVE-2013-0422 security alert concerned Java applets being able to escape from Java security and infect PCs with malware.

Within weeks of that security advisory hitting the airwaves, the Polish researcher Adam Gowdiak, who specializes in Java leakage, poked two new holes in it.

Apple's not the only one shunning Java. On Tuesday, Mozilla announced an end to auto-loading of plug-ins for Firefox.

If you haven't already booted Java out of your browser, consider following our simple steps on how to turn off Java in your browser.

Forgive me if it's cavalier to casually suggest unhooking the Java catheter.

It's obviously hard for large, heterogeneous networks to adopt a complex change. As Paul Ducklin notes, sysadmins are complaining that it's just not easy to ditch Java suddenly, and it's thoughtless of Naked Security to suggest it.

Unfortunately, as he also points out, the problem(s) with Java security don't look like they're going away anytime soon, legacy systems or no.

I welcome input from sysadmins on how you're dealing with the Java issue, beyond, presumably, tearing your hair out.



13 Responses to Apple (again) washes its hands of the Java mess

  1. YG · 637 days ago

    Hello,

    I am glad you have specifically mentioned the REAL issue, which is with the PLUGIN. In most of the other articles going around, they have given an incorrect image to the user, which forces them to think the problem is with the whole Java language. Most of the other article providers have taken a "side" and blamed Java. As a final year student in Software Engineering studying at one of the top universities, I can see how little their knowledge is!! Some have suggested to uninstall Java completely, showing how strongly they have taken "sides", and showing their lack of knowledge. Glad you have not done the same here, keep up the good work.

    A bit of information for the other readers, if they "hate" Java. Read below.

    Java is the one which "FORCED" the internet "programs" (which means, complex web sites) to be free, after PHP. Unlike other languages, Java is playing a major role in the free and open source world, enabling developers to make it at the lowest cost possible. That is why Java programs cost less compared to other products, because others have to purchase the "libraries", while the same can be found in the Free and Open Source world for the Java developer.

    Today's world cannot run without it. Even if you don't know it, most commercial web sites, including banks, telecommunication services etc., are created with Java.

    Java is one of the most secure languages ever created. That is why it runs inside the "JVM", which gives very limited access to physical memory and hardware. This situation happening these days is a very sad issue. But you don't need to uninstall Java; as this article says, disable it in your browser if you want.

    Sometimes it is a shame to see how other products blame Java, while keeping dozens of exploitable bugs in their products!! They should make their systems 100% bug free (it is a myth; in the software world, no product can be 100% bug free) and blame Java. I think this issue has become a "market" for other competitors.

    Let's hope Oracle finds a solution as soon as possible.

    • Joshua · 637 days ago

      Unfortunately, disabling Java in the browser is not so simple when the browser is Internet Explorer. We attempted to do this using the browser's preferences, but the setting had no effect. We have uninstalled Java entirely on Windows systems because we have no apps that require stand-alone Java and we can't effectively disable the web plug-in. We are providing a "Java Sandbox" VM which our users access via RDP when they need to access a Java-based website.

    • Paul Ducklin · 637 days ago

      You might like to listen to this podcast. (The entire thing is about 15' and the part where we discuss Java starts at 4'50"):

      http://nakedsecurity.sophos.com/sscc-101

      Here we clarify the difference between applications (Java software that you install locally) and applets (Java programs that are sucked from possibly-untrusted sources into your browser).

      I'd be careful of trumpeting Java and its place in the open source world, though. Java was not open sourced until about 2007, unlike other widely-used virtual-machine-based languages (e.g. Perl, Python, Lua) that were born open source...

    • Larry M · 634 days ago

      When Java was created, the notion of a security sandbox had the highest priority. Over time, feature creep (the addition of bloated, frivolous bell-and-whistle features that no one wanted) became the highest priority, and features were added without regard to their weakening effect on the sandbox. This should never have been permitted.

      One could say the same thing with regards to Adobe's Acrobat Reader.

  2. Hans · 637 days ago

    So let's get this right.

    With the latest update (Java 7 update 11) Oracle has enabled click-to-play by default for unsigned applets. This means that by default you always have to accept to run an unsigned Java applet in the browser. This benefits users regardless of browser.

    Meanwhile Firefox has implemented a click-to-play feature that works on any plugin (e.g. Flash, .NET, Java, etc.) and is enabled on the Java plugin regardless of whether the applet is signed or not.

    Chrome has for a long time had a click-to-play feature, so Chrome users have been used to pressing "Accept" (or "Reject") each time they visited a page with a Java applet.

    This leaves Safari that has none of this, but at least it will have Oracle's own click-to-play.

    The security problem that is reported to still exist in Java 7 Update 11 is no bigger than what exists in operating systems like Apple OS, Windows or even in applications like Safari and MS Office, yet they attract zero attention currently.

    In my view the click-to-play features are excellent. We HAVE to train our users to understand that nothing as complex as Java, Flash, .NET, etc will ever be 100% safe, indeed anything that does more than just simple HTML rendering is very difficult to make 100% safe.

    I do believe that Apple has exploited this "opportunity" to tease Oracle.

  3. me1 · 637 days ago

    This is a great example of companies not caring about their customer... you can point to their attempts to "protect" their customers' machines as an example that they do, but you are fooling yourself if you believe such nonsense. Thanks to Apple deciding to pull the plug (no pun intended) on the Java JRE, they have cost their customers untold thousands, if not millions of dollars, all in the name of keeping a false image of their machines being more secure than a Windows based machine... Apple makes their money by wrapping their product in a neat package and marketing genius... and people defend them to the end... yes, a great product where the company dictates what's best for the user who spent way too much money on something that on occasion outshines a Windows system. That may work in a home, or very narrow market... but IMO that avenue has more faults than those within the Windows world. The trade off is that you must be more knowledgeable about your system in the Windows world... regardless, Apple has just given another big FU to the business world...

    • guest · 634 days ago

      It is more secure. And just how does it cost millions of dollars.

  4. Java has updated to Version 7 Update 13.
    http://www.java.com/en/download/index.jsp

  5. sea · 637 days ago

    It's a shame! Just block and leave the users alone. No timeline for a fix, no comment or excuse from Apple. Apple is not able to work with Oracle on this issue. These guys give a shit about their Snow Leopard users..... this is just a bad sample of professional work, customer care and communication .........

  6. BrettG · 636 days ago

    Is the Apple action why I can no longer view MP3/4s even though I'm stuck in OSX 10.5.8?

    Just today all online, esp. YTube show "Unable to Run PlugIn."

  7. BrettG · 636 days ago

    Is the Apple action why I can no longer view MP3/4s even though I'm stuck in OSX 10.5.8?

    Correct error message is "Couldn't load plug-in."

  8. Justin Ong · 635 days ago

    There is an add-on for Firefox called NoScript that blocks JavaScript and Java. With this you can whitelist certain sites to use Java.

  9. Mill_Jonson · 634 days ago

    Well written, but it is a disgrace: simply block and leave the users alone. No timeline for a fix, no comment or reason from Apple. Apple is not capable of working with Oracle on this problem.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.