Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Angers Mac Users With Silent Shutdown of Java 7

Posted by samzenpus on from the a-thief-in-the-night dept.

An anonymous reader writes in with news of the continuing saga of Java patches and exploits. "If you're a Mac user who suddenly can't access websites or run applications that rely on Java, you're not alone. For the second time in a month, Apple has silently blocked the latest version of Java 7 from running on OS X 10.6 Snow Leopard or higher via its XProtect anti-malware tool. Apple hasn't issued any official statements advising users of the change or its reasons, but it's a safe bet that the company has deemed Oracle's most recent update to Java insecure. That's why the company stealthily disabled Java on Macs back on Jan. 10, the same day a Java vulnerability was being exploited in the wild."

15 of 451 comments (clear)

  1. Run Linux by Anonymous Coward · · Score: 5, Funny

    If you ran Linux you wouldn't have to worry about software not being able to run.

    1. Re:Run Linux by dririan · · Score: 5, Informative

      Almost all of the plugins are soft blocked. They'll be automatically disabled when you start Fx, but you can easily re-enable them without patching or updating anything. In fact, the same dialog that tells you about the soft block lets you uncheck "Disable" to prevent it from being disabled. Very nearly all plugins that are blacklisted are soft blocked. Their criteria for hard blocking plugins (which means the plugin cannot be re-enabled) is that the plugin either "is malicious" or "a soft-block will not resolve the issue in question, such as a start-up crash". See Mozilla's wiki for more information, especially the sections "A High Bar", "Block Conditions", and "Block Severity".

      Please don't spread misinformation and FUD about Mozilla's blocklisting when it really is done properly.

  2. Old News by swimboy · · Score: 5, Informative

    Update 13 is already out, and *not* blocked by Apple. All that's blocked are the old, insecure (well, more insecure) versions.

    --
    Ask me how the Heisenberg Principle may or may not have saved my life.
    1. Re:Old News by R.Mo_Robert · · Score: 5, Informative

      I am not stupid and know how to disable it for web browsing, but many apps use older java versions.

      First, I'm not sure why Slashdot chose to run this article as opposed to any of dozens of others that actually explain the situation better, not that it matters because nobody reads them. Apple is not blocking Java applications. They are blocking only the plug-in. Further, from what I've read, they were not blocking Java 6, only insecure (well, more insecure) versions of Java 7 applets. Additionally, you can get around this with just about any Web browser besides Safari. Finally, at the moment, at least, the latest version of the plug-in is once again perfectly capable of running.

      For competent reporting on this subject, see, among others, the MacRumors article about the most recent block.

      --
      R.Mo
  3. Oh no, I can't run Java applets?! by MrEricSir · · Score: 5, Funny

    Without Java applets, my plan to time travel back to 1997 and surf the web is completely ruined!

    --
    There's no -1 for "I don't get it."
  4. Re:Good for them. by Anonymous Coward · · Score: 5, Funny

    This is why I run GNU Hurd, the only truly free operating system, on my Lemote Yeeloong. My freedom is incredible. I can run ls and cat and EVERYTHING. I look forward to support for manpages in 2017.

  5. Re:I sure the EULA will tell me I cant do anything by SteveTheNewbie · · Score: 5, Informative

    You do realise you can disable this right?

    https://discussions.apple.com/thread/4762386?start=0&tstart=0

    Quite amazing what a google search for 'disable XProtect' turns up..

  6. Re:Good by Colonel+Korn · · Score: 5, Informative

    Java... free. VirtualBox... free. Oracle Linux... free. How can you say they're greedy?

    On Windows, Java installs the Ask Toolbar (for now - other times it installs other shit) every time it updates to a new version unless the user realizes Oracle is a two bit hole in the wall company and unchecks the default boxes to opt out. That's greedy. To an even greater extent that's sleazy and just...trashy.

    --
    "I zero-index my hamsters" - Willtor (147206)
  7. Re:Good for them. by Anonymous Coward · · Score: 5, Informative

    a) it's old news
    b) both the Java 7 (from Oracle) and Java 6 (from Apple) updates that address this are already out . Is the new motto Recycling obselete news that matters ;)
    c) if you want to opt out from Xprotect, how to guides abound
    d)it's the Safari plugin only - other browsers are not effected
    e) Apple have pulled the trigger on Xprotect maybe 4 times in 3 years, its not like they are shotgunning

    The vulnerabilities from Java 7 were hideously large, and Apple probably did the right thing for the 99 percent who don't know any better. Driveby root access isn't all that fun for the target.

    The 1 percent who care, can disable Xprotect temporarily if they want to.

    For anyone in between, they could always use another browser.

    If you are using a Mac , you are not generally the IT equivalent of a Yukon Frontiersman

  8. Wow... Apple can't catch a break... by thestudio_bob · · Score: 5, Insightful

    Wow... Apple can't catch a break... You know damn well people would be bitching if they hadn't done this... Apple Fails To Disable Java 7. Millions of Macs Vulnerable. News at 11.

    --
    The real Sig captains the Northwestern. This one captains /.
  9. Re:Good for them. by countach · · Score: 5, Informative

    Two issues. Firstly Apple didn't just disable web applets. They disabled Java Web Start too, so whole corporations and government departments are suddently shut down. Secondly, they didn't provide any announcement, or a gui tool to re-enable at your own risk. It was just nuke everyone in silence.

  10. Re:I'm Pretty Sure They Just Needed An Excuse by FreakyGeeky · · Score: 5, Informative

    Your information is woefully out of date. Oracle is where you get Java for OS X, and it's been that way for a couple years.

  11. Re:I sure the EULA will tell me I cant do anything by gnasher719 · · Score: 5, Informative

    Depends on how it works, if it sends a list of installed software to Apple to check it's bad, but if it downloads a list of plugin signatures to disable because they're outdated and insecure that's not any worse or different than the antivirus downloading virus signatures. I don't see the privacy implications of that, would you elaborate?

    Apple has been using a blacklist that is updated daily to stop dangerous software from running. It is mostly used against trojans, but also to block Java running as a Safari plugin, which has some rather serious exploits (basically, an applet can replace the default Java security manager with its own, and from then on anything goes), _and_ it is known that these exploits are actually for sale.

    So there are no privacy problems whatsoever, and while blocking Java applets might be annoying, the alternative would be highly dangerous. By the way, Oracle has released a new software version fixing about 50 security problems, which is not blocked.

  12. Re:Good for them. by mug+funky · · Score: 5, Funny

    i love the Hurd logo - representing all 4 of it's users.

  13. Re:Good for them. by countach · · Score: 5, Informative

    Yeah well, as someone tasked with fixing this for a government department, Apple hasn't told me how to do it. Yes, some hackers figured it out. Yes, I can google and get their knowledge. But Apple didn't give me any way to push the fix out. Nor did they give a gui tool so I can email the users with instructions. In short, we're a bit screwed right now. We'll get over it sure, but in the mean time, tons of legal centres are out of action. is this good enough behavior? Surely not! Please don't defend this crap.