Apple’s thrown in the towel on the Java mess and has, for the second time in two weeks, blocked all versions of Java on OS X 10.6 (Snow Leopard) and later.
The new block applies to the plug-in for Java 7 update 11, version 1.7.0_11-b22, which, like last time, is one build ahead of the current version, 1.7.0_11-b21.
Apple issued the update to its XProtect malware-handling system in OS X early Thursday morning. XProtect is a rudimentary anti-malware system built into recent releases of Mac OS X that Apple updates periodically to blacklist certain malware.
The update now blocks all versions of the Java Web plug-in before version 18.104.22.168 (previously the limit was version 22.214.171.124).
The move is likely due to issues outlined in Oracle’s latest security alert regarding its Java problem child.
In that most recent Java headache, which came out in mid-January, Oracle’s CVE-2013-0422 security alert concerned Java applets being able to escape from Java security and infect PCs with malware.
Within weeks of that security advisory hitting the airwaves, the Polish researcher Adam Gowdiak, who specializes in Java leakage, poked two new holes in it.
Apple’s not the only one shunning Java. On Tuesday, Mozilla announced an end to auto-loading of plug-ins for Firefox.
If you haven’t already booted Java out of your browser, consider following our simple steps on how to turn off Java in your browser.
Forgive me if it’s cavalier to casually suggest unhooking the Java catheter.
It’s obviously hard for large, heterogeneous networks to adapt to a complex change. As Paul Ducklin notes, sysadmins are complaining that it’s just not easy to ditch Java suddenly, and it’s thoughtless of Naked Security to suggest it.
Unfortunately, as he also points out, the problem(s) with Java security don’t look like they’re going away anytime soon, legacy systems or no.
I welcome input from sysadmins on how you’re dealing with the Java issue, beyond, presumably, tearing your hair out.