Apple Once Again Blocks Java 7 Web Plug-inEarlier this month, Apple took the unusual step of remotely blocking Oracle's Java 7 browser plug-in due to a major security vulnerability, using the "Xprotect" anti-malware system built into OS X to enforce a minimum version number that had yet to be released. Within days, Oracle updated Java to address the issue, with the new version number making the Java plug-in usable on OS X systems once more. As noted by French site MacGeneration [Google translation] and the Apple discussion forums, Apple has once again blocked the Java 7 plug-in using Xprotect. The updated blacklist enforces a minimum Java plug-in version of 1.7.0_11-b22, while the latest version of the plug-in is 1.7.0_11-b21. The exact reason for Apple's renewed block on the Java plug-in is unknown although reports immediately following the release of Update 11 earlier this month indicated that it fixed only one of the two bugs that contributed to the security vulnerability. In the wake of that news, cybersecurity officials recommended that most users disable Java even with the up-to-date plug-in installed.Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets. Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.If this continued issue is indeed the reason for the new block by Apple, it is unclear why the company waited several weeks to update its plug-in blacklist. Recent Mac and iOS Blog Stories • Apple Issues SMC Firmware Update for MacBook, MacBook Pro, and MacBook Air Models • Apple Seeds Build 12D61 of OS X Beta 10.8.3 to Developers • Siri 'Eyes Free' Coming to 2013 Honda Accord, Acura RDX and ILX • iOS 6.1 Tidbits: Music Controls on Lock Screen, Maps 'Report a Problem' Button, Diagonal Swiping Bug • 128 GB iPad Launch Suggestive of Fall iPad 5 Release • Apple Plans First Berlin Store and Fourth San Francisco Store • Judge Koh Rules That Samsung Did Not Willfully Infringe Apple Patents • Best Buy Offering Refurbished Airport Extreme Base Station for $89.99
http://www.macrumors.com/2013/01/31/apple-once-again-blocks-java-7-web-plug-in/
