Apple blocks Java in the browser again
Apple has updated its XProtect system to block Java in the browser. Although the company has not officially announced the change, all versions of the Java plugin lower than Java 7 Update 11 (220.127.116.11), are blocked and this includes the current release of Java 7 for Mac OS X which has the version number 18.104.22.168.
Apple previously blocked Java early in January in response to a dangerous vulnerability in Java which had been used in the wild. In this case though, Apple appears to have pre-empted the appearance of an exploit in the wild. Researcher Adam Gowdiak revealed that he had a proof of concept that allowed an unsigned applet to completely bypass the new security measures Oracle had added in Java SE 7 Update 10 and 11.
Why Apple is reacting pro-actively to the potential threat is unclear. The company may already be expecting an update from Oracle to close the hole found by Gowdiak or it could be anticipating the appearance of a wild and malicious exploit.
Apple's XProtect scheme is a regularly updated listing of versions of applications that should not be allowed to run. The list updating is controlled from a checkbox in the System Preferences ➤ Security section, under the Advanced button and marked Automatically update safe downloads list. Unchecking and then rechecking that checkbox will force a download of the latest list.
A future update for Java should, without an update to XProtect, re-enable Java in the browser, though users who do not need Java in the browser should play it safe and keep it disabled.
- Deactivating the Java plugin in Firefox
- Deactivating the Java plugin in Chrome
- Deactivating the Java plugin in Safari