Apple Angers Mac Users With Silent Shutdown of Java 7
An anonymous reader writes in with news of the continuing saga of Java patches and exploits. "If you're a Mac user who suddenly can't access websites or run applications that rely on Java, you're not alone. For the second time in a month, Apple has silently blocked the latest version of Java 7 from running on OS X 10.6 Snow Leopard or higher via its XProtect anti-malware tool. Apple hasn't issued any official statements advising users of the change or its reasons, but it's a safe bet that the company has deemed Oracle's most recent update to Java insecure. That's why the company stealthily disabled Java on Macs back on Jan. 10, the same day a Java vulnerability was being exploited in the wild."
If you ran Linux you wouldn't have to worry about software not being able to run.
Update 13 is already out, and *not* blocked by Apple. All that's blocked are the old, insecure (well, more insecure) versions.
Ask me how the Heisenberg Principle may or may not have saved my life.
Oracle is probably the greediest company on the planet.
Without Java applets, my plan to time travel back to 1997 and surf the web is completely ruined!
There's no -1 for "I don't get it."
But how is it OK for Apple to disable software on MY computer, without my permission? I never told Apple I wanted XX blocked, so Apple should not know I have XX running to begin with. If Apple is blocking XX from my computer, without my permission, then is Apple breaking any laws? Unauthorized access to a PC, for example? As my sig says, I'm sure it's hidden in the EULA somewhere that Apple can do this, but to me, it is Apple breaking into MY PC and disabling software. That just makes me wonder what else Apple has access to?
have you seen my sig? there are many others like it but none that are the same
This is why I run GNU Hurd, the only truly free operating system, on my Lemote Yeeloong. My freedom is incredible. I can run ls and cat and EVERYTHING. I look forward to support for manpages in 2017.
You do realise you can disable this right?
https://discussions.apple.com/thread/4762386?start=0&tstart=0
Quite amazing what a Google search for 'disable XProtect' turns up..
Ehm, doesn't Firefox also block vulnerable versions of Java? I guess maybe they are fascist as well.
Those people who rely heavily on using Java applets(*) .. and well that must be .. malware developers and physicists that actually try to teach physicists in an understandable way.
And I only sympathise with the physicists!
(*)(there indeed are some java applicatIONS that are very good, Jdownloader, JBidwatcher2, for example, and well eclipse)
Mozilla did the same thing with blocking Java on Firefox on January 10th.
Java 7 Update 13 is out already and works on Macs again anyway.
Scorta futuere amo!
What browser do you run on OpenBSD, FreeBSD, Linux, or Hurd? If you said Firefox (the usual default browser in most distros)... guess what? Mozilla blocked Java too!
Scorta futuere amo!
But at least you didn't let the fact that you don't know shit about shit stop you from talking!
It's monitoring in the same sense that antivirus software is monitoring.
SJWs are the new boogeyman. -Me
WTF is up with the old news on slashdot? Java 7 Update 13 came out the day after this "block" went into effect. Update 13 is NOT blocked and fixes the relevant vulnerabilities:
http://www.macrumors.com/2013/02/01/oracle-releases-java-7-update-13-to-address-security-issues-reenable-web-plug-in-on-os-x/
What is actually the problem here? This is no different from a regular antivirus/antimalware software update. Most users will find it valuable that vulnerable plugins are disabled until the user actively reenables them.
It would be more responsible to give users a choice on the matter. Especially for those using Macs for work, teleworking, etc where not running Java may not be an option. Fine, disable it by default to be safe, but give an option to re-enable it besides Googling for random XProtect plist hacks.
This only affects Java applets running within the Safari web browser.
Let's not let the facts get in our way.
Thirty four characters live here.
companies who sell electronic devices must have these types of things opt in rather than opt out
Opt-in security on mass-market devices generally equates to no security. I don't like Apple's walled garden approach, but I think secure-by-default is the right decision.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
There is very little reason to offer such option since users should not use vulnerable versions of plugins. The plugin vendor should fix the problem and update the plugin.
a) it's old news ;)
b) both the Java 7 (from Oracle) and Java 6 (from Apple) updates that address this are already out. Is the new motto "Recycling obsolete news that matters"?
c) if you want to opt out from Xprotect, how-to guides abound
d) it's the Safari plugin only - other browsers are not affected
e) Apple have pulled the trigger on Xprotect maybe 4 times in 3 years, it's not like they are shotgunning
The vulnerabilities from Java 7 were hideously large, and Apple probably did the right thing for the 99 percent who don't know any better. Driveby root access isn't all that fun for the target.
The 1 percent who care, can disable Xprotect temporarily if they want to.
For anyone in between, they could always use another browser.
If you are using a Mac, you are not generally the IT equivalent of a Yukon Frontiersman
Wow... Apple can't catch a break... You know damn well people would be bitching if they hadn't done this... Apple Fails To Disable Java 7. Millions of Macs Vulnerable. News at 11.
The real Sig captains the Northwestern. This one captains
Two issues. Firstly, Apple didn't just disable web applets. They disabled Java Web Start too, so whole corporations and government departments are suddenly shut down. Secondly, they didn't provide any announcement, or a GUI tool to re-enable at your own risk. It was just nuke everyone in silence.
Maybe I'm just so stuck on the privacy issues going on in the industry today that I am lumping in something unrelated. It is possible. I don't like that Windows "phones home" (neither does anyone here), so why is this OK to many here based on the thread so far?
have you seen my sig? there are many others like it but none that are the same
Your information is woefully out of date. Oracle is where you get Java for OS X, and it's been that way for a couple years.
The summary is incorrect with saying Apple blocked Java 7 on 10.6. Actually, Snow Leopard can't run the new Java from Oracle, it can only run the Apple version of it which is still the 6 series. With this last round of blocking, Apple also blocked their own version on Snow Leopard and Apple has not yet released an update for it last time I checked. Now, in my opinion, this whole blocking thing without notice was extremely unprofessional and made me disappointed in Apple, and that's coming from a Mac fan. I got hit with it the other day and spent hours trying to figure out why in the world Java wasn't working on my machines. Ended up finding a work around editing a .plist file using a console text editor. Definitely not a solution for anyone not familiar with the command line.
Just not 12.10.
PS what is it with all you idiots talking about that one? It's been how long since we've all found out the release was a bit shite?
Yet still you come along with a story about how you have just changed over and it got all wrong.
Either
a) old news, you've whined time and time again about it. You've got your fix now shut the fuck up or we'll bring up apple failures from bloody years ago and see how you like it
b) made up, because you know it's both believable (because of the history of 12.10) and never going to be verified
c) redundant, you used to have this problem then either Ubuntu fixed it a couple of weeks later, but you still want mileage out of it, or you moved to some other distro. But still want more mileage out of it.
I'm figuring (b) myself.
No, I actually did this and that is a real story. If it's any consolation the upgrade from 11.04 to 12.04 also blew up in my face although not as badly as the upgrade to 12.10. If I was lying I would have posted AC... like you.
Only to idiots, are orders laws.
-- Henning von Tresckow
Depends on how it works, if it sends a list of installed software to Apple to check it's bad, but if it downloads a list of plugin signatures to disable because they're outdated and insecure that's not any worse or different than the antivirus downloading virus signatures. I don't see the privacy implications of that, would you elaborate?
Live today, because you never know what tomorrow brings
Is worse than Hitler.
Goodwin was an optimist.
Again, if I run a 3rd party monitoring system, I allowed them into my system. If this is on by default, then I am not sure I am OK with this. What if Apple decides one day that they don't want YY running on Macs anymore (they have remote-wiped iOS apps that were not "harmful" in the past)? They have that ability. I am sure most Mac users don't even know about this. I asked a few of my friends who are die-hard Mac users in the past hour if they knew about this; they had no idea.
have you seen my sig? there are many others like it but none that are the same
It doesn't bother me at all. You know why? Because I don't use Windows. You don't have to use it either. If you choose to do so, well, that's your choice. I have no objection to that, but I do get a little sick of people griping about the consequences of their own actions.
And that includes the "privacy issues".
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Given the recent problems are due problems in the class library, how do you conclude the language is at fault?
AS LONG as the information is presented in a way that users know what they are giving up. Meaning a fully secured system is close to useless because the only secure system is an unplugged system. We all know this, we are here on /. now having said that. In this day it is only right for these things to be made aware to the user. Instead of silently removing Java, how about a popup explaining why it was disabled and options the user has? Or a popup explaining that Java is vulnerable, do you want to block it or continue to let it run? Silently blocking ANYTHING is wrong, just as silently installing anything is wrong.
have you seen my sig? there are many others like it but none that are the same
Firefox implemented 'click to play' for Java, Silverlight, and Flash. That just means that it only runs them if the user specifically requests it. There's a big difference between blocking outright and suggesting strongly not running it and then letting the user decide.
it is apple breaking into MY PC
so if you have automatic updates on - in any operating system or application - that means your system is getting 'broken into'?
No. Apple do not provide Java any longer. Oracle is where you get Java for OSX from. Historically you got Java from Apple - and it was BIG on their list of priorities - it was a major part of the platform (WebObjects).
Depends on how it works, if it sends a list of installed software to Apple to check it's bad, but if it downloads a list of plugin signatures to disable because they're outdated and insecure that's not any worse or different than the antivirus downloading virus signatures. I don't see the privacy implications of that, would you elaborate?
Apple has been using a blacklist that is updated daily to stop dangerous software from running. It is mostly used against trojans, but also to block Java running as a Safari plugin, which has some rather serious exploits (basically, an applet can replace the default Java security manager with its own, and from then on anything goes), _and_ it is known that these exploits are actually for sale.
So there are no privacy problems whatsoever, and while blocking Java applets might be annoying, the alternative would be highly dangerous. By the way, Oracle has released a new software version fixing about 50 security problems, which is not blocked.
well, on one hand i think big software companies really need to get their act together (java especially!) and fill in the holes before releasing. a certain amount of unforeseen patching is probably needed, but with something that's not used very often like Java (not used often = once a week or so at work) we run up against the very annoying problem of updating a boatload of things every time you run it.
given the fanatical dependence mac users have on their apple masters, if i were apple i'd want to disable as much third party stuff as possible that stands a chance of making me look bad.
in windows land, every fault is blamed on windows, when most problems are either third party software or third party drivers. with apple it's the same, though they have more (too much?) control over what runs, and so can do something about it.
i'd be on Oracle's case to fix their shit so they don't have to keep releasing patches that appear to be introducing more holes for spamfucks to crawl through.
i love the Hurd logo - representing all 4 of its users.
You can't handle the truth!
You are welcome on my lawn.
your spelt "fascists" wrong...
again, If i run a 3rd party monitoring system, I allowed them into my system. If this is on by default, then I am not sure I am ok with this..
It's updating a blacklist because people have auto-update on, nothing more. You are not 'allowing them into your system'.
What if apple decides one day that they dont want YY running on macs anymore
That would obviously be pointless given the only thing going on here is updating a blacklist - which is editable by the user - when automatic update is on. So clearly if they were to do that for some reason then the information would be disseminated pretty damn quickly about the simple fix to avoid it.
Hey, look on the bright side. At least people don't think you're a putz.
Maybe you don't have the latest MacBook with Mountain Lion. But you also don't wear pleather pants with the butt cut out.
You are welcome on my lawn.
"Apple hasn't issued any official statements advising users of the change or its reasons, but it's a safe bet that the company has deemed Oracle's most recent update to Java insecure"
Does this apply to the OpenJDK Runtime Environment?
AccountKiller
No, you are the IT equivalent of the cast of Glee.
You are welcome on my lawn.
Worse: They installed their own code on your computer. At root level, no less. They did so before sending the computer to you. It takes over the complete computer, so I'd say it's clearly a root kit. The name of that root kit is OS X. :-)
The Tao of math: The numbers you can count are not the real numbers.
And in the mean time, the employee cannot work. This may well be more costly than the risk of a malware attack in that time frame.
The Tao of math: The numbers you can count are not the real numbers.
Yeah well, as someone tasked with fixing this for a government department, Apple hasn't told me how to do it. Yes, some hackers figured it out. Yes, I can Google and get their knowledge. But Apple didn't give me any way to push the fix out. Nor did they give a GUI tool so I can email the users with instructions. In short, we're a bit screwed right now. We'll get over it sure, but in the mean time, tons of legal centres are out of action. Is this good enough behavior? Surely not! Please don't defend this crap.
The logo looks to me like someone tried, and failed miserably, to map out a token ring network.
If you can't convince them, convict them.
If you ask this then maybe you shouldn't run Apple (or Microsoft for that matter) software.
thegodmovie.com - watch it
Ehm, doesn't Firefox also block vulnerable versions of Java? I guess maybe they are fascist as well.
Yes. FF puts up a nice warning and then lets you click through it if you so desire.
That's fine. No problems. Shutting down Java without any user identifiable explanation is a dick move. Interesting it's just on 10.6. 10.7 seems to trundle along just fine.
Faster! Faster! Faster would be better!
I think the bigger deal is they don't ask before they do it, and while it's been a while since I ran vanilla FF I seem to remember it asking about such things before flipping any switches.
But you should already know what you are getting into if you buy Apple and their being the largest corp on the planet obviously means more people are happy about their way of doing things than not, so if that level of top down control makes you happy? Good for you, I sincerely mean that. I'm all for voting with your wallet and Apple is obviously doing what their customers want or their sales figures would be dropping, so good for them.
ACs don't waste your time replying, your posts are never seen by me.
if you mean in the realm of data processing automating, yeah Hitler didn't roll his own systems, he contracted IBM to do it for him.
No, you are the IT equivalent of the cast of Glee.
Young, geeky, bullied by retards who hate them for liking something that the retards don't like? ;)
Firefox DOES warn you about vulnerable versions of plugins and suggests disabling as the better option. Here is a list of blocked versions: https://addons.mozilla.org/en-US/firefox/blocked/
Is to be commended. Unless, of course you are apple.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
It's NOT your computer. You're just renting it from Steve. You could rent one from Bill instead, if you think it'll help any ;)
It's really easy for some nerd to say you're a fool for using Java, but when you have a business line application like Sungard Banner (which uses Oracle Forms which is Java based) with 30 years of prior use it's not so simple to just move on - yes we may be foolish, but what can one do at this point?
Apple shuts off Java and they essentially killed off our front line application.
Really all this does is make us move more towards Windows and Linux desktops for anyone who has a business need for a computer.
It's old news now, but they disabled Java and only let you run a version that wasn't even out yet.
And there I was thinking it was FDDI...
I'm pretty sure Microsoft would at least announce they are disabling Java before actually doing it.
Spelt is a noun. Ask any hippie. /ot
$
No, you are the IT equivalent of the cast of Glee.
You owe me a new keyboard, mate. *And* a cup of tea. I will not charge you for the damage to my nasal mucosa.
Do not mock my vision of impractical footwear
Firstly, I have nothing against Apple. I bought my first Mac, a Mac Plus in 1985 and I've owned one or more ever since. I find the current track that Apple is following to be very disturbing. Apple always used to be about the customer experience but that seems to be dead and gone. Yes, there was/is a security hole in the Java plugin but completely disabling the plugin is NOT a customer friendly solution and is disproportionate to the risk. Despite the vulnerability I have yet to hear of ANYONE who has been the victim on a Mac. Despite this Apple disabled a plugin that is critical to many people ranging from people running games like Runescape to companies who have legacy point of sale and inventory systems that use Java applets to access database backends. What is next? Disable Flash because of "security risks" what about OSX Applications? They are already forcing sandboxing and draconian rules on developers wanting to sell via the App store.
Keep this up and this is one Apple customer who is going to be looking for alternatives, and where there is one there are probably many.
This is not the first time they've done stuff like this.
If you update your JDK using Software Update, it overwrites all previous versions and turns them into symbolic links to the current version. You then receive an unpleasant surprise when software which relies on a particular JDK breaks for no apparent reason.
The problem is not the changes themselves, but just unilaterally making these decisions and then not telling anyone. If I was working in an enterprise environment and this happened, I too would be incandescent with rage.
Plan My Week for iPhone
Steve Jobs took Flash out behind the woodshed and Flash didn't come back for dinner. I can say without a doubt that Flash is dead, yet if I wanted to counter my own statement I could easily pull up a massive pile of stats that would show Flash on a huge percentage of machines and websites, but I can see clearly that no even vaguely bleeding edge websites use it. Flash is just not where the cool kids are. HTML5 has almost entirely taken over all the basic requirements of making a dazzling website that dances about on your screen. I also won't argue that feature for feature HTML+Javascript is better. I know my HTML5 will work on the tidal wave of mobile devices and that is enough for most people.
That all said, Jobs killed it because Flash bugs were making him look bad. So now we have round 2 and Java is the one on the Apple chopping block. I think we can all agree that Java in the browser is dead, and killing Java on Apple machines might not seem like it is going to ruin things marketshare-wise, but keep in mind that many top top top executives are running Apple machines (often to the chagrin of their IT people); these same executives will now resent Java a tiny bit more than they did before (which might have been zero).
But all that said, I am pretty sure that 90% of the Java being written these days is for the server side of things in large organizations and thus is completely unaffected in theory.
A simple example of how irrelevant such an Apple technology choice can be would be the penetration of Objective-C outside of the Apple ecosystem. I code Objective-C every day and would never consider using it one inch outside of the Apple ecosystem. But Apple's move underlines my experience that Java is just not the "Hot" language it was; not dead, just not "hot". The mathematical problem with not being the "Hot" language is that it is starting to be nibbled away at the edges without any growth to replace this nibbling. I am seeing Python replacing it as the de facto learning language much as I watched Java replace Pascal as one of the de facto learning languages of the pre 2000's. In science Python is taking over, in finance I am seeing the academic world switching over but not the business world; the business world has a full on love of all things Java.
But before you cast any stones, these are all trends; you can yell "Hey, Minecraft is Java and it is cool." But what I am saying is that the surface area of Java is retreating toward a core of the business world and it is severely losing its grip on the "programming 101" world, which is where hearts and minds are won. Also keep in mind that many of the kids who may have been learning Java in their programming 101 classes just had all their code die, seeing that university students so love their Apple laptops. Hearts and minds baby.
Goodbye old friend.
I would up-mod this had I the points. I can just see the whole appendix thing; awesome visualization. My guess is that some prude downmodded you. Or some PR flunkies. Too bad you went with the Anonymous thing.
It sounds like his users require Java for some crucial work-related application. So, if the choice was expose users to possibility of an exploit, or not get any work done, enabling a vulnerable Java is probably the less costly measure to take.
If you write Java, to hell with you. Worst language on the planet.
C++11 is the best language on the planet. Well, at least a very good candidate.
Fast compiled language, great toolchain, expressive, classy, and you can write any type of programs.
I find it funny how yet another Windows8 story ran last week, and there were many suggestions that businesses should all switch to the Mac.
I obtained a patch from my IT department that reversed the change. My understanding is that it modified a PLIST to change the minimum version of Java required.
Our VPN software uses Java, so it is a pain to not have it.
What is still annoying about it is that there is no way to selectively enable it. I understand that it is secure, that's fine. Consequently, I'd like to be able to whitelist Java applications that I trust (i.e. ones that come from corp) and not become vulnerable to ones that aren't trusted. Firefox has accomplished this by replacing the app with an 'Enable Javascript' button. With Safari you're either unable to work or you're letting it all hang out there.
So why didn't the fools at Apple allow disabling for applets, but enabling for Java web start and regular Java apps? If we are exposed unnecessarily to exploits, it is now Apple's fault.
I have no problem with Apple disabling Java. I would like them to provide some notice and I would like them to provide a way to whitelist trusted applications. That doesn't seem unreasonable.
... I had a cloud server get funky on me and the java console for it ran in java. I had used it before, but suddenly...nothing.
Good thing I had a trusty Ubuntu box nearby.
Well they disabled it, and would only permit a version that wasn't even released - no documentation or anything.
I think us big customers could have been treated a bit nicer.
Anyhow yes I want it to still be enabled - our front desk machines can't browse anywhere they want ;).
How was I supposed to know to search for 'disable XProtect' when the Java download link failed? I was cursing Oracle.
Not until he uses prisoners at Auschwitz to develop software.
So, in the name of security, Apple XProtects users of Snow Leopard and higher from the evil Java.
In the meantime Oracle's update is only good for Lion or better.
But usage numbers from last month showed 10.6 and lower as being the largest installed base of Mac OS.
I'm not seeing how either action works to the greater good of Mac users, especially since Oracle has updates good for XP.
Some days it's just not worth
chewing through my restraints.
Java != Javascript
Woo-Hoo! Good one!
Whole corporations and government agencies? Which corporation other than Apple relies exclusively on Apple computers? I'm very curious which government departments are exclusively Apple shops...
Ken
On Windows (and most other OS I've ever worked with) there would be an audit trail a system admin could follow that would document the changes to the OS. Did this change require users to "opt-in" to automatic updates, or was it done without notice to the end-user/system admins?
Ken
I'm not seeing this here. But since this is /. if you want to override:
look for your /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
downgrade the java version. So for today this means change:
from: <string>1.6.0_37-b06-435</string>
to: <string>1.6.0_37-b06-434</string>
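An added example, not part of the comment above and not Apple's code: the minimum-version comparison that this plist edit defeats, together with an admin-side check that flags a plist whose minimum has been lowered below a known baseline. The key name `JavaWebComponentVersionMinimum`, the installed build number and the embedded plist are assumptions constructed for illustration; the two version strings are the ones quoted in the comment.

```python
import plistlib
import re

# Constructed sample standing in for XProtect.meta.plist after the edit
# described in the comment. The key name is an assumption.
EDITED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>JavaWebComponentVersionMinimum</key>
    <string>1.6.0_37-b06-434</string>
</dict>
</plist>
"""

MIN_KEY = "JavaWebComponentVersionMinimum"  # assumed key name
BASELINE_MINIMUM = "1.6.0_37-b06-435"       # the "from" value in the comment
ASSUMED_INSTALLED = "1.6.0_37-b06-434"      # assumed installed build

# Apple-style Java build string: major.minor.patch_update-bNN-build
BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)_(\d+)-b(\d+)-(\d+)$")


def parse_build(version):
    """Turn '1.6.0_37-b06-435' into (1, 6, 0, 37, 6, 435) so that
    versions compare numerically, not as strings."""
    match = BUILD_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised Java build string: {version!r}")
    return tuple(int(part) for part in match.groups())


def plugin_allowed(installed, minimum):
    """Minimum-version gate: the plug-in loads only if installed >= minimum."""
    return parse_build(installed) >= parse_build(minimum)


def audit_minimum(plist_bytes, baseline=BASELINE_MINIMUM):
    """Report whether the plist's minimum matches the expected baseline.

    status is one of: 'match', 'downgraded', 'newer', 'missing', 'unparseable'.
    """
    data = plistlib.loads(plist_bytes)
    current = data.get(MIN_KEY) if isinstance(data, dict) else None
    result = {"current": current, "baseline": baseline}
    if current is None:
        result["status"] = "missing"
        return result
    try:
        cur, base = parse_build(current), parse_build(baseline)
    except ValueError:
        result["status"] = "unparseable"
        return result
    if cur < base:
        result["status"] = "downgraded"  # the gate has been loosened locally
    elif cur > base:
        result["status"] = "newer"       # a later definition update arrived
    else:
        result["status"] = "match"
    return result


if __name__ == "__main__":
    # Before the edit: installed build is one below the required minimum.
    print("allowed at baseline:",
          plugin_allowed(ASSUMED_INSTALLED, BASELINE_MINIMUM))
    # After the edit: the lowered minimum lets the same build through.
    print("allowed after edit: ",
          plugin_allowed(ASSUMED_INSTALLED, ASSUMED_INSTALLED))
    print("audit:", audit_minimum(EDITED_PLIST))
```

Run across a fleet, the `downgraded` status identifies machines where the blocklist minimum was edited by hand and the vulnerable plug-in is loadable again.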
Card sorters, punches, and printers... The IBM employees that strung them together were German.
Ken
You shouldn't be emailing this to users. Apple offers administrative servers that allow you to make the change directly. The charge is I think $50.
The "fools at Apple" make the security system a standard XML file which is editable by admins. You can do anything you want with it.
As I see it around here, the elite (i.e. the ones best placed in the political game) are the ones that get fancy Apple hardware (plebs get cheapo Dell and keep it for 6 years - getting a company Blackberry instead of continuing to use your iPhone is a sure sign of disgrace). There are maybe few of them, but when something wrong happens to them, all the work stops suddenly with everybody put into crisis meeting with additional status meeting 4 times a day.
Design as in: Apple controls what you can and can not do on "your" device.
The dictionary disagrees with you:
http://dictionary.reference.com/browse/spelt
spelt1 [spelt] verb
a simple past tense and past participle of spell1 .
spelt2 [spelt] noun
a wheat, Triticum aestivum spelta, native to southern Europe and western Asia, used chiefly for livestock feed.
http://www.merriam-webster.com/dictionary/spelt
1. chiefly British past and past participle of spell
2. Subspecies (Triticum aestivum spelta) of wheat that has lax spikes and spikelets containing two light red kernels. A related species, Triticum dicoccon, commonly known as emmer wheat or farro, was cultivated by the ancient Babylonians and the ancient Swiss lake dwellers; it is now grown for livestock forage and used in baked goods and cereals.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
I called AppleCare as soon as the plug-in showed up as invalid. The two most infuriating aspects of the call were the impression I got that Apple could hack into my Mac at any time (assuming a network connection to Apple) and the claim that Apple had not installed Java on my machine in the first place. After the call, I checked and indeed Java was installed when I bought the computer, directly contradicting the support supervisor's assertion, but I still have no proof of whether or not Apple has the power to silently force updates.
The security implications of promiscuously running Java applets, so Apple was right to do something. The problem is that they did so without warning; without asking permission; and with no obvious way to re-enable the plug-in. I understand that some people successfully re-enable applets by modifying XProtect.meta.plist, but all I managed was to eliminate the "inactive plug-in" message, leaving a completely empty gray rectangle.
Now, with Apple having repaired the problem, I'm calming down, but I've set up a blog, AppleHackedMyMac to discuss this, the possibly encroaching walled garden, security, and the like.
Apple doesn't write Java, Oracle does. If you want a work around you are talking to the wrong large company.
How is it OK? Because you are running Apple's anti-malware tool and have configured it to pull the list from Apple's servers. A list which you can at will. So if you don't like it.
a) Disable their anti-malware
b) Pull the definitions from somewhere else
c) Modify the file however you want.
Yeah, it isn't like Apple writes books on the design of Darwin, documents the add-on services and makes the whole thing open source. Oh wait.
Apple runs dozens of these protection services. The average end user has no idea where they do. Apple's position is pretty clear. If you don't know enough to be able to use launchctl and see what Apple is loading you don't know enough to make an informed decision about what should be running.
AC is a total D-bag for ripping such a sweet, fast, open-hardware, low-power device. If any grownups are interested in the specs on this 12-watt, 4-core laptop that runs without any proprietary bios or drivers, check here: http://www.lemote.com/en/products/Notebook/2010/0310/112.html
Just so you know, Apple only adds versions of Java to this list that are actively being exploited in the wild. Are you sure you want to take this risk?
If so, you should probably be using an npapi wrapper that limits java plugin to your specific domain, and while you're rolling that out, you can bypass the xprotect setting.
The Enterprise SDK lets you push out new provisioning files to managed devices. If you were to send an invalid provisioning file the app wouldn't run. Presuming that Apple can do anything you can do with the Enterprise SDK... does that count as a cite?
Maybe you don't have the latest MacBook with Mountain Lion. But you also don't wear pleather pants with the butt cut out.
[citation needed]
Ah, yeah, typo sorry. I meant Java.
get real, OpenBSD and FreeBSD let you choose a browser; chromium for example is in the packages. HURD? pffft, who gives a shit
IBM USA collected the profits made by Dehomag (the german subsidiary). what was your point?
i thought that was all four of its device drivers
No, you are the IT equivalent of the cast of Glee.
Young, geeky, bullied by retards who hate them for liking something that the retards don't like? ;)
Disproportionately gay?
Jesus was all right but his disciples were thick and ordinary. -John Lennon
I don't know, I'm aware automatic updates is on, I can't remember whether it asked directly about it. In any case that doesn't answer my question.
I'm running ML I could be very upset but actually, I hadn't noticed the blocking of Java. Perhaps the fact that I have it and Flash (along with a lot of other cruft) disabled in my browsers masked that fact.
Suppose you were an idiot. And suppose you were a member of congress. But then I repeat myself. -- Mark Twain
My wife has an Apple MAC OS/X. I don't recall ever giving Apple permission to modify my machine. Does Apple have a back door built into all OS/X systems that allows them to disable whatever they want at will without me knowing? What else can they do? Should I be encrypting all my disk partitions?
pgmer6809
Apple hasn't told me how to do it. Yes, some hackers figured it out.
Did you call Apple Enterprise support? Does your organization have the proper agreements in place with Apple, for them to support use of OS X by a business (instead of ordinary consumer use) ?
Did you voice the concerns with your Apple rep?
With 30 years of prior use it's not so simple to just move on - yes we may be foolish, but what can one do at this point?
Since Java was not commercially available until 1995; it's not possible that there is 30 years of prior use.
Although the point is well taken that Apple broke for some users a business line application with its security policy decision.
For consumer devices it's the right choice. IT needs to override Apple's policy decision, for their businesses; and not allow vendors to make configuration changes like blacklisting software -- without IT validating the change.
Apple's security policies should always be what will keep the greatest number of users in the safest situation -- even while inconveniencing the few who are using an uncommon functionality.
Change control 101. The proper response was for IT to disable blacklisting in the first place, and carefully monitor any blacklisting activity by the software vendor, to determine if they need to do anything for their Enterprise environment.
It's just one of the risks you take, if you allow an outside vendor to define patterns, version, or identity of applications that are not allowed to run, or patterns that are deemed risks; and change those patterns without review.
Uh this was a zero day active exploit. Are you saying you WANT to deal with that? Apple did you a favor. Are you so confident in your staff's ability to avoid getting owned. That's a lot of very sensitive info you would be compromising.
Sometimes being able to work, AND being vulnerable: is not as bad as a complete work stoppage.
There is a risk that you might be targeted by a zero day exploit, that might be successful. Say that risk is 1%; and the cost of a breach is $15 million; mostly spent in legal fees, compliance fees -- sending letters to customers about the data breach, settling any legal complaints, etc.
Now let's say you rely on Java for many critical business functions, and you have a 50% work stoppage, if your workers can't start Java -- they can't access CRM, ERP, customer support systems, billing, Order taking, etc.
The work stoppage for 1 hour costs $3 million.
Now: What is worse: A 1% risk of losing $15 million, OR a 100% risk of losing $3 million, due to shuttering of the business applications, not being able to take orders, and losing customers, due to CSR unable to provide satisfaction, without working CSR applications?
Let's try a bank analogy....
A new zero-day vulnerability has just been discovered in a certain vendor's ATM; that allows a criminal to possibly use a simple technique to enumerate account numbers of other bank customers, and withdraw arbitrary amounts of money from their account without entering a PIN number.
Upon discovering this, does the bank immediately shut down all their ATMs, for fear, a thief will abuse it? [Despite angering all their customers, denying everyone access to their money, and losing 20+ millions of dollars a day due to account closures -- versus the 2 or 3 million in expected losses due to thievery]
Or do they begin discreetly working with the software vendor to develop a patch, while putting in place monitoring to search for signs of abuse?
Java != Javascript
If you're writing JavaScript, don't forget to use the !== operator instead of !=
Long live the BSD license
I think you're extremely misguided with regards to how xprotect works.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I'd go so far as to suggest not believing ANYTHING you read about apple posted on slashdot until you have verified the facts yourself.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
And so you should be cursing oracle. If the software wasn't so hideously insecure, it wouldn't be on the blacklist.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
See also: http://phys.org/news/2013-01-false-beliefs-persist-instant-online.html
thereby defeating the purpose of disabling it, if the click-drool uninformed end user can just turn it back on without having to look it up and perhaps be told why it is a bad idea.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
It's easy to override for those who need it. A competent IT department will do so remotely.
Well that depends doesn't it. If the end user is hacked and divulges sensitive information, it could cost the company millions in fines/lost business/etc.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Jobs wasn't greedy. He just had a low tolerance for bullshit, and his view of what "bullshit" is may or may not align with others.
I too, after nearly 20 years in IT, have a very low tolerance for bullshit. I'm willing to pay extra for bullshit problems to go away. This is why I run a Mac at home these days.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
It is mostly immune because apple is proactive about security by doing things like this. For the average end user who thinks passwords are too difficult to deal with and would rather just have a blank password, this helps protect end users from themselves. If you know you need otherwise, you can work around it.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
...They disabled Java Web Start too, so whole corporations and government departments are suddenly shut down...
That's terrible. Just terrible. So, hypothetically, how often would someone need to find Java bugs to keep them shut down?
Oracle owns the rights to the Java VM, but Java language is also used with the Dalvik VM on Android. The less people are able to use and develop for Java, the less potential they have to create code that is cross platform (runs on many OSs, not just targeting a single OS), and the less potential they might take up coding applications for Android.
Other languages can compile down to Java byte-code too.
I'm not saying this was Apple's motive, but they're not exactly strong points that would persuade Apple to not make it hard to use Java on Macs either...
That's two more users that sites that still use Java.
I shut it off years ago. Every year or so it whines about a missing plugin. But realistically, at this point nobody sane uses Java and there's so little out there it's not worth worrying about.
Need Mercedes parts ?
Yeah you can quote Einstein in the XML or introduce the complete works of Shakespeare, anything you like, but that doesn't mean it will work.
Here's something for you to include in all your XML: />
<Idiot
If I owned a Mac, the first thing I would do is to investigate disabling automatic updates, remote control, and other internet access that I didn't approve of.
It's standard procedure. FFS, it's so standard, that even my sons do as much with all their devices. They demand that WHATEVER THE HELL they are running, it runs THE WAY THEY WANT IT to run.
There's this newfangled tool that you've likely never heard of: http://lmgtfy.com/?q=How+to+disable+automatic+updates+on+Mac
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Nice in theory. In practice you're describing almost every middle class person in western countries. And I'd wager to say most people in general. Even if the middle class in the west is the single greatest representation of it.
Everything will be taken away from you.
Was this article about Apple blocking Java just in Safari or completely on their entire OS?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
You're picking a fight with AC?
You just lost everything.
Yawn... my point still stands: Linux software can be just as crappy as any other software. The OP pretty much lost everything when he claimed the contrary. All you have to do to see that is visit the Ubuntu AQ site.
Only to idiots, are orders laws.
-- Henning von Tresckow
I want my bank to yank the machines. I don't want my money stolen because you can't plan ahead and visit a branch during business hours.
Memory is deceptive because it is colored by today's events. - Albert Einstein
Oracle didn't block java, you tool
-- Linux user #369862
BiOS?
In Denmark we have a login system (NemID) which is needed to log in to all home-banking systems and all government websites like administration of taxes, social security etc. The login is done with a Java applet (which doesn't even work in OpenJDK, only Oracle).
Uh this was a zero day active exploit. Are you saying you WANT to deal with that? Apple did you a favor. Are you so confident in your staff's ability to avoid getting owned. That's a lot of very sensitive info you would be compromising.
if you're running it for webstart it doesn't matter that much if there's an exploit.
what apple should have done is that they should have added a "do you really want to run this applet??" dialog to their fuckin browser like every other decent browser has. that then again doesn't have as much to do with webstart, though that as well should have the same question because webstarted programs can do pretty much anything anyways(exploits or not!).
apple did no favors to anyone here. and they can still get and run a dmg with no warnings whatsoever. however they'll be sure to disable that in an osx update in 2014 "to protect users"(to get everyone to download their apps from appstore exclusively).
world was created 5 seconds before this post as it is.
How does Apple know what Java apps to whitelist?
Your number is too low for you to be acting this young.
Considering I had a commercially available, off the shelf java development environment in 1998/1999, I think you might like to reconsider - Java may not be 30 years old, but it's older than 10.
They don't ask unless by "ask" you mean "telling you about it afterwards".
Yes Mozilla is a little bit less fascist than Apple, but not much
It must be so hard for you, having to click the big grey warning Firefox shows to run Java applets. The effort required to move the mouse an inch and the button a millimetre is such a huge PITA I'm surprised it hasn't caused World War III.
No colour or religion ever stopped the bullet from a gun
I only realize a computer doesn't have Java installed when I try to start Minecraft.
Fear is the mind killer.
Keep apologising for Apple you dufus fanboi.
If you don't know the difference between a language and a runtime, then you don't get to comment on the situation...
That may work now, but it certainly wasn't the case at the beginning of last week.
My other half has a remote desktop system so she can work from home if required that uses a java plugin. Last week, all of a sudden, it didn't work, with just a 'plugin inactive' message on screen. Clicking on that took you to software update, which showed no available updates, because this is on a Snow Leopard machine that there wasn't an update for yet.
There was no explanation of what was going on (plugins showed as allowed in the preferences pane) or whether it was an issue with the remote desktop provider or Apple, or anything. Somewhat frustrating and took me far longer than it needed to have done to sort, including raising a ticket with remote desktop software provider, which we now have to cancel.
I do like Apple hardware and software under most circumstances, but this wasn't one of their better moves.
-Never argue with an idiot. They drag you down to their level, then beat you with experience-
When judging this move, I think it's important to keep in mind the intended user base of MacOS systems. These are not intended to run legacy, mission-critical business apps. In fact, Apple has never really cared that much about legacy support – backwards compatibility has always been a Windows thing. (Steve Ballmer seems to be forgetting why people stick with his company, but that's a different issue.) Macs are aimed primarily at home users, with a secondary but still strong user base among graphics arts professionals. For both of these demographics, the risks of leaving obsolete, bug-ridden versions of Java enabled far outweigh any potential benefits. Most of these people will never run any Java applications at all, and of the few who do, almost all will be able to use the up-to-date version of Java to do so. Yes, I know there are crappy "enterprise" apps that only work on 1.4.2 beta or some such nonsense, but Apple doesn't care about that – and frankly, they shouldn't. That isn't their target market. If you run a business you should be using Windows 7 for your desktops – it's designed from the ground up to be suitable for both home users and enterprises, and lets you control all the security stuff through group policy.
I spent all day Thursday troubleshooting one of our all-Mac customers with six other people in the room, all shouting different ideas. Only at the end of the day did we discover the news. I was really shocked Slashdot hadn't reported it.
I went home and had nightmares about installing and reinstalling Java on Mac.
Secession is the right of all sentient beings.
I'm at work during business hours, you insensitive clod!
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
get real, OpenBSD and FreeBSD let you choose a browser; chromium for example is in the packages. HURD? pffft, who gives a shit
I'm sure it's a serious issue to the Hurd users. Both of them.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
So let them provide a pop up warning of the dangers instead of making the data completely inaccessible. And no, if the in house Java app is the only java running on the system, it's no more compromising than it was before.
You can disable Java in most all browsers and still have it run applets and programs on the desktop. This is what I have done with windows machines so we aren't needing to replace $60k software packages because apple doesn't understand things.
A lot of people are mad because so many online banks use java. I understand Apple trying to protect their users but people need to pay bills. At least make an announcement on apple.com or something.
http://www.thetechnologygeek.org
All 7 remaining people using Java are angered?
I haven't thought of anything clever to put here, but then again most of you haven't either.
Meaning a fully secured system is close to useless because the only secure system is an unplugged system.
Dude, do us all a favor, and make your system super safe.
Of course news about a fake are Fake News.
Erk... does it even allow disabling only applets? Is it even documented anywhere?? Is there a gui for it? Nobody knows the answers to these questions. We only know about this XML because hackers found it.
And OS X doesn't let you choose a browser?
Scorta futuere amo!
>Does it even allow disabling only applets?
No.
>Is it even documented anywhere??
It is a pretty clear file.
>Is it even documented anywhere??
It is at the Darwin layer. Darwin is open source.
>Is there a gui for it?
There are lots of XML editing GUIs.
MINIX 3 ate all HURD's market share, what with its features including actually being functional
You would be surprised at how many sites still use it. It is fine as long as you are writing a servlet or using JSP or something like that. Just don't use EJBs. Please. Most abused misfeature I have ever seen.
Oh and if you check the TIOBE index Java is increasing the lead over C# again. Probably because C# popularity is falling like a rock. Even Miguel de Icaza has stopped pushing for it. I do not know if it is from all the Android programmers, or how Microsoft is falling out of grace even from general purpose computing applications, or what.
No, it's because people KNOW not to put Windows on the internet. The thinking that "oh, it's linux it is secure, we can put it on the internet" by people without a clue means they get hacked.
Yes, the circumstances are different. It's the delusional thinking above that creates those circumstances.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Actually, he wasn't saying that, he was asking why people expect double standards for Apple when they are doing what he perceives as phoning home too.
The whole thing IS NOT open source. If you pulled the FOSS parts of OS X out of OS X you would have no boot, no interface (due to dsmos crypto), no sound or graphics (CoreAudio and Quartz are closed source), no code execution, and so many other things that need no mention.
The only part of OS X that is open source is the low level part and that's because they assimilated an Open Source project to make it in the first place. All edits and additions to the code are the result of needing to update the low level API and kernel infrastructure to support new functionality for themselves. All the mid-level APIs are proprietary, and as a result OS X as a whole is NOT open source.
Disbelieve me, please post xprotects source.
I have to admit I'm not an expert but I believe they are just using: http://www.clamav.net/lang/en/ to implement File Quarantine.
Why would software written in 100% Pure Java or otherwise using the Java libraries correctly rely on a particular JDK?
Flash is just not where the cool kids are. HTML5 has almost entirely taken over all the basic requirements of making a dazzling website that dances about on your screen.
So where's HTML5 CS that can be used to make self-contained animations and games like what you see on Newgrounds? Let me know when something like French Erotic Film (safe for work, despite the name) is ported to HTML5 without bloating it by a factor of ten by rendering it to video
I have that at work, with firefox and chrome also installed, but for some things the Safari just pops up. Apple controls your horizontal and your vertical....
>Does it even allow disabling only applets?
>
>No.
So it's completely broken then, and promotes insecurity.
And if the XML isn't documented, no matter how "clear" it may or may not appear to be, then I risk in the future having entire companies shut down because some update assumed something I didn't know. Nice one Apple.
>So it's completely broken then, and promotes insecurity.
How is it completely broken? It doesn't look inside applications and from Apple's perspective that's inside. If you want to enable specific things you turn them on.
>And if the XML isn't documented, no matter how "clear" it may or may not appear to be, then I risk in the future having entire companies shut down because some update assumed something I didn't know. Nice one Apple.
Apple provides a management interface to push updates on managed computers. You don't have any risk because managed computers update from the management servers not Apple.
My Mac users are childlike creative spirits, there are bad things out there, they will get eaten, I must protect my own, what else can I do?
Impossible. ClamAV uses Windows binary heuristics. Mac OSX would not be able to detect any viruses for itself with that but would detect Windows viruses, and I have tested first hand as to how well Mac OSX detects Windows viruses - it doesn't.
OK. Interesting so is your theory they are buying it from someone or just keeping it in house? And if so why?
Apple integrating third party software into their core would be like Labi Siffre making a record with Skrillex. Apple's main marketing line is that everything they make 'just works' and that is based on the fact that the entirety of OS X is made in house aside from the FOSS bits. Apple couldn't FOSS the antivirus as that would just invite workarounds, cracks and attack vectors to be developed. Apple's style would be to buy a small nimble security company and re-purpose their tech, and I've seen zero security tech purchases so far.
Apple Open-Sourcing their antivirus would be like sending North Korea a complete library of blueprints on American military equipment because hackers would have access to the source code so they could see any flaws or holes that exist. Sure after a couple of battles/major viruses those holes would be patched going forward, and that's why AVs like ClamAV are so robust, but Apple has share prices to think about and one major outbreak is all it takes for that to nosedive.
Right now I suspect Apple don't even have heuristics (scanning of application files for bits of code that look malicious in order to catch new virii), they work on sigs, where Apple find a virus then update your list silently. Java is now being identified and blocked in a similar manner.