Apple blocks Java on the Mac over security concerns

It's been a rough couple of weeks for Java. Security issues are dogging the code, the latest fix may cause almost as many problems as it solves, and now Apple has decided to block Java completely. French blog MacGeneration originally picked up the blockade, noticing that an update to Apple's XProtect now blocks all versions of …

COMMENTS

This topic is closed for new posts.

Java is required to do anything greater than plain text, to upload a file, to use HTML, etc. on one of our university's two brands of coursework discussion sites. It does not surprise me in the least that the New York Times hack was vectored through infected university servers. For all the computer nerdiness in so many of their faculties, they seem the least prepared for security. I shut off Java some time ago, but very few other people even seem to be paying attention.

0
0
TRT
Silver badge

And it mediates our VPN solution... lots of calls from lecturers unable to access journals anymore...

0
0
Bronze badge
Meh

Hmm.

"Java is required to anything greater than plain text, to upload a file, to use HTML, etc."

I don't know, is it? A lot of anybody and everybody is stuck on it because it seemed to people who weren't programmers like the "future language"...10 years ago. Now those with relations to the JVM are, for lack of a better word, stuck.

I'm really not informed on the current state of things that can and can't be done in Java. However, with the push of the HTML 5 spec, companies letting C code (newlib) in as a plugin, JavaScript optimizations on all browsers all the time, and lastly, the push for better battery life on apparently everything, where does the future leave room for the JVM?

Consider the "The Java trap." How will Oracle reinforce those trap doors? Apparently not through security.

0
2
Silver badge

Re: Hmm.

JavaScript is a turd. Nothing even remotely related to security should be ever implemented in that. Not just for performance, but also because it can be modified by clients, so anything depending on JS to validate business rules is easily overridden.

0
0

This post has been deleted by its author

FAIL

Jobs's greatest insight

F flash, waiting for the alternative.

0
0
FAIL

Apple, ooh Apple!

How many will have upgraded or even noticed Quicktime 7.7.3 was released recently! New Apple TV and iOS revisions? with all this finger pointing at Java and Flash, since Apple kits are supposedly 'exempt' from vulnerability? --- the common fanboi attitude -- perhaps even a misconception?

At least Apple are trying to take a proactive approach! I'll give them kudos for that! But not for the prior TIFF bugs!

Although, He who throw stones in glass houses be a little silly? Since no company could ever be perfect and it is unrealistic to believe so. Isaac Newton's law of gravity isn't it? Or is it Murphy's law?

3
9
Silver badge

Re: Apple, ooh Apple!

Apple hasn't said anything on the record, it's merely blocked some software with known security issues. You seem to be implying that to do so is criticism and that Apple should be allowed to criticise only if its own software is perfect, but if that's the standard then surely none of us can criticise Apple unless we've written only flawless software?

4
0
WTF?

Re: Apple, ooh Apple!

Apple is just a company. You are investing too much emotion in something you supposedly despise.

People like products, it doesn't define who they are, and there are always people who are enthusiastic for almost any platform/product. Something doesn't suck, just because you don't like it. Kids these days.

Java is a cockup on every platform. Apple, and any other company that can do so, SHOULD block it. It is not a little bug, buddy, this is such a HUGE clusterfap that Oracle needs to get on. Oracle needs to stop screwing around and fix it, or shut it down. Chances are high that they CANNOT fix it, due to the cross-platform and backwards compatibility built into java.

2
0
Anonymous Coward

@JohnsonVonJohnson

Chances are high that they CANNOT fix it, due to layers of corporate bureaucracy and having paid-off / pissed-off the developers able to implement such a fix.

There, fixed it for you.

1
0
Bronze badge

Re: Apple, ooh Apple!

"People like products, it doesn't define who they are"

I wish

0
1

This post has been deleted by its author

Headmaster

XProtect and Processing

so Apple is killing my Processing? or is it? http://processing.org/

1
0

All our Macs have been Java free for two years. I don't miss it at all.

3
1

My Mac was Java-free for years. I only installed it because Libre Office moans constantly (with annoying pop-ups) if it's not installed. I'd be very happy if Libre Office could remove its dependency on Java.

I refuse to allow Firefox to have a java plug-in though, despite Outlook webmail also moaning about it not being installed.

2
0
Anonymous Coward

I'm a Java developer but have to agree, while I have several (likely vulnerable) runtimes and JDKs installed, browsers are not allowed plugin access and haven't been for years.

1
0

That's fine...

...until you need to work remotely using a Juniper VPN. I'd much rather be given the choice than have it thrust upon me by a manufacturer that never knowingly lets its users think for themselves.

4
0
Bronze badge
Go

But you can run LibreOffice without Java

@Wyrdness

"My Mac was Java-free for years. I only installed it because Libre Office moans constantly (with annoying pop-ups) if it's not installed. I'd be very happy if Libre Office could remove it's dependency on Java."

I caught an indication a few months ago somewhere on the LibreOffice site that they were working on removing the Java dependency.

The latest release didn't give me the nag messages about the lack of Java the first time I ran it, and where the previous release moaned when creating a new Text document, I haven't seen that in the latest release either.

I haven't had any problems actually running LO without Java, of course with the caveat that I don't use the database side of LO.

0
0
Anonymous Coward

I'd be very happy if Libre Office could remove its dependency on Java.

Well, removing it could break your spell checker...

0
0
Bronze badge

Maybe I'm reading this wrong, but the screenshot seems to indicate that it's the Java Applet PlugIn that is being blocked, not Java itself.

7
0
Gold badge

Which makes sense if it is just blocked in the browser.

But blocking the execution of JAR files and being able to develop with Java, Eclipse and so on would be bad news.

4
0
Silver badge
Boffin

Indeed

It is the browser plugin of Java. Though 1.7.13 is out, so it might actually be a matter of Apple putting the dependency *before* Oracle put out the update, not actually blocking Java intentionally.

The JRE itself isn't blocked, attested by me being able to use LdapBrowser and NetBeans. :)

0
0
Childcatcher

AusKey

If you run a business and need to deal with certain Government services, such as paying your tax, you need AusKey, which is their authentication system. AusKey runs on Java, which, if you’re trying to do this on a Mac, is getting harder and harder.

I have lodged a complaint that the Australian government therefore requires you to compromise your machine, and that this certainly disenfranchises people who do not have the technical experience to install, maintain and monitor Java. Still waiting on a resolution.

Java is a nice idea, but it has proven to be flaky, impractical, antiquated, insecure. Somewhat like the Australian Government, or at least its IT services.

2
1
Anonymous Coward

Re: AusKey

"Still waiting on a resolution."

Be careful what you wish for. The solution is more likely to be a Windows only .NET application than anything else.

"Java is a nice idea, but it has proven to be flaky, impractical, antiquated insecure."

Java works very well for cross-platform desktop applications, but as a browser plugin where any malicious site can interact with it, well, it's scary. The only people who would call it antiquated are non-(Java) devs IMO, since they likely have no idea of the benefits of Java 7 over Java 5 etc.

5
0

Re: AusKey

Despite apparent benefits, Java IS antiquated.

Sorry about your job, guy, but Java is toast, and you don't NEED to make something in .net just because you can't use Java.

Learn something new.

0
10
Bronze badge

Re: AusKey

Thanks to JohnsonVonJohnson I have now seen the light and will be writing all my enterprise level applications in PHP.

3
0
Silver badge

I'm cancelling my subscription!

This only affects Java applets running in Safari, right?

Come on auntie Reg, etc...

1
1
Bronze badge

Re: I'm cancelling my subscription!

"This only affects Java applets running in Safari, right?"

Wrong. This affects _all_ browsers, except maybe Firefox. It kills Java for browsers.

0
0
Silver badge
FAIL

Re: I'm cancelling my subscription!

Nope.

0
0
Unhappy

:(

Well, I can't use Java directly in-browser on my Mac anymore so I have to run it in IE in Parallels. That's not so bright. Unfortunately I need to use hob secure for VPN to clients. I would love to get rid of Java on Mac, but even Adobe CS requires it.

1
0
Silver badge

Re: :(

Why Parallels and IE, what's wrong with Firefox?

0
0
Anonymous Coward

Re: :(

Doesn't run perfectly abap wd (SAP). Besides, I keep my VMs as thin as possible, so I don't install what I don't need.

And now I get it, what's wrong with Firefox on Mac. Well let's say it doesn't have a good fame - I have a bad opinion about it (initially it scored very badly for vulnerabilities). Being of non-Apple conception, it probably doesn't have yet the right mechanics (as I noticed with Opera - bad gestures and animations that go with it). I will test it at some point - but that will take months to try and test Firefox again. I tried Firefox in one of the first versions, and after that my experience is limited to what I saw while colleagues were using it - maybe I'll be pleasantly surprised.

0
2

Re: :(

He's just firing up a virtual machine to do a few tasks... why bother installing anything you don't need?

If all you need is to look at something or quickly interact, a VM can be quickly set up and it doesn't matter what browser you use.

0
0
Silver badge
Holmes

Re: :(

Because it wasn't obvious from the first post that he also had to use some horrible IE-only SAP-driven abomination? Whatever the complaints about Mac Firefox (and to be honest I have the same amount of complaints about Mac Firefox as I do Windows Firefox), it's certainly more integrated with Mac OS than IE running in a VM is.

0
0
Silver badge
Pint

For you Danes

I read that Den Danske Bank has decided to get rid of Java. Good decision I suppose.

1
0
Paris Hilton

Re: For you Danes

Don't know where you read that, but Danske Bank NemID now requires Java7 update11, which is unavailable for Mac OSX < version 10.7. This is bound to cause a bunch of bother ...

0
0

This post has been deleted by its author

Mushroom

Fixable by editing XProtect.meta.plist

I'm not 100% sure this wasn't done accidentally by Apple.

They've updated the required version of Java to be 1.7.11 build 22 when the release build from Oracle is actually release 21.

Type

    java -version

Result:

    java version "1.7.0_11"
    Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
    Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)

Edit the plugin whitelist file using

    sudo nano /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

and change

    <string>1.7.11.22</string>

to

    <string>1.7.11.21</string>

Java will now work again in Safari.

-Chris

5
0

Re: Fixable by editing XProtect.meta.plist

@chriswhocodes

Ta muchly, got it sorted with that fix. Cheers!

1
0

Re: Fixable by editing XProtect.meta.plist

It's not an accident; raising the minimum allowed version to an increment of the current version is how Apple disables Java*, because when the next release comes out it will work without having to undo anything, well, assuming Oracle have fixed it, but if they haven't, Apple will just increment the minimum allowed version again.

* not the first time this has happened.

0
0
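The version gate discussed in this sub-thread, as an added example that is not part of any poster's comment and not Apple's code: it reads a minimum plug-in version from a plist and checks installed versions against it. The key names, the bundle identifier, the zero-padded numeric comparison rule and the build number given for 1.7.13 are assumptions made for illustration; only the `<string>1.7.11.22</string>` value comes from the thread.

```python
import plistlib

# Constructed sample: only the <string> value is quoted in the thread;
# the surrounding key names and bundle identifier are assumptions.
SAMPLE_META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <dict>
      <key>MinimumPlugInBundleVersion</key>
      <string>1.7.11.22</string>
    </dict>
  </dict>
</dict>
</plist>
"""


def parse_version(text):
    """Turn '1.7.11.22' into (1, 7, 11, 22); reject non-numeric components."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Return -1, 0 or 1, comparing component by component as integers."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))  # assumed rule: missing components count as 0
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def minimum_versions(plist_bytes):
    """Map bundle identifier -> minimum allowed bundle version."""
    data = plistlib.loads(plist_bytes)
    rules = data.get("PlugInBlacklist", {})
    return {
        bundle_id: rule["MinimumPlugInBundleVersion"]
        for bundle_id, rule in rules.items()
        if "MinimumPlugInBundleVersion" in rule
    }


def is_blocked(bundle_id, installed, minimums):
    """A plug-in is blocked when its version is below the listed minimum."""
    minimum = minimums.get(bundle_id)
    if minimum is None:
        return False  # no rule for this plug-in
    return compare_versions(installed, minimum) < 0


if __name__ == "__main__":
    mins = minimum_versions(SAMPLE_META_PLIST)
    java = "com.oracle.java.JavaAppletPlugin"
    # 1.7.11.21 is the shipping build from the thread; 1.7.13.20 uses a
    # constructed build number for the 1.7.13 release mentioned above.
    for installed in ("1.7.11.21", "1.7.11.22", "1.7.13.20"):
        state = "blocked" if is_blocked(java, installed, mins) else "allowed"
        print(f"{installed}: {state} (minimum {mins[java]})")
```

The comparison has to be numeric per component: as plain strings, "1.7.9.30" sorts above "1.7.11.22", and the `java -version` form "1.7.0_11" is not a bundle version at all, which is why `parse_version` rejects it.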
Silver badge

Re: Fixable by editing XProtect.meta.plist

Indeed, yesterday had 1.7.13 come out, so I do wonder if it is more of an issue with Apple sending the minimum version update before the actual update came out.

0
0
Silver badge
Flame

"(with the obligatory offers to install crapware at the same time)."

Urgh, that. 100x that. Not so much that it offers, but that the Yahoo (!) tool bar is selected for install by default is beyond annoying.

5
0
Bronze badge

this raises a number of questions

I think we can conclude that Java in browser is in death throes. Only clueless, careless and those without choice continue to use it.

However, is there a future for Java in server environment? On one hand, in this environment no one will try to load a random applet picked from random web site, since all the code is either 3rd party libraries or own. On the other hand, both JVM and 3rd party libraries do have to be occasionally patched, and if Oracle or 3rd parties are not forthcoming this makes Java a less viable proposition. Since Oracle started automatically removing JVM version 6 installation when patching JVM version 7 this would point that they no longer want to support version 6. What will Oracle do with version 7 when number 8 rolls out?

Also, given that Java seems to be "the language of choice" in many computer science classes I do wonder what future graduates will do? The fact of the matter is that currently CS graduates are ill-prepared for real world computer programming anyway, so I suppose if the language of choice for learning is slipping into irrelevance it probably won't make much of a difference anyway. Academia will notice this eventually, though, and switch to something else (Scala? Python? C++?). It would be in everyone's interest if graduates knew more than one language, too.

I would not be surprised if Java succumbed to death by a thousand cuts in the next 10 years.

1
2
Silver badge
Flame

Re: this raises a number of questions

"I would not be surprised if Java succumbed to death by a thousands cuts in the next 10 years."

IMO Java is the biggest con perpetrated upon the IT industry in decades. The language itself is less powerful and less flexible than C++ (not that C++ is a shining beacon of how a language should be designed but I digress...) that it was supposed to replace, still generally runs slower and uses more memory than an equivalent C++ binary, requires the correct JVM to be installed before it'll work (write once run anywhere? Do me a favour!), and the JVM as we know is subject to security holes not to mention bugs.

If Java ever had a purpose it's rapidly losing it. My personal opinion is C++ will regain ground on Unix server side development along with Python and for Windows C# will - if it hasn't already - kill Java stone dead in the years to come. Assuming MS can get its act together. As for the web, forget it, Java died there long ago. It might limp on for a few more years on Android until they realise the pointlessness of double compilation but even that will stop eventually.

6
0
Gold badge

Re: this raises a number of questions

"If java ever had a purpose its rapidly losing it."

Java's original purpose was to provide a provably secure sandbox for running untrusted applets. (If you have to trust the app, you might as well run native code.) It is debatable whether the implementation was ever good enough to realise that noble aim, but it certainly isn't today.

No matter. In order to achieve that, it had to provide safe equivalents to enough of the native API to be useful. Consequently, it acquired a secondary purpose of "write once run anywhere". This is now its sole purpose. Java is therefore an alternative to frameworks like Qt.

Given some effort, one presumably *could* resurrect the "provably secure" aspect and that would be of interest to a lot of people. Clearly, however, neither Sun nor Oracle could/can be bothered and as long as Oracle have a final veto on what one can call "Java", their lack of support makes "secure Java" impossible. The best possible outcome, therefore, is for Oracle to throw a hissy fit and discard Java altogether, only for it to be picked up by freetards who are actually willing to do justice to the original design.

7
0
Anonymous Coward

Re: this raises a number of questions

There are always questions.

Was Sun wise to accept and implement invokedynamic for all those dynamic-scripting-language *ktards that were not interested to write a VM for their science fair project?

0
0
Silver badge

Re: this raises a number of questions

Java's original purpose was to provide a provably secure sandbox for running untrusted applets.

No, Java's original purpose was as a language for embedded software. Gosling designed it to replace C as the (then) language of choice for embedded applications on hardware powerful enough to want something more than bare metal or a minimal monitor. The idea was to provide a language with high-level constructs (OO, type safety, a framework for common tasks) to reduce development costs; avoid dangerous constructs to improve software quality in embedded environments where patching software could be more difficult; and simplify porting to new hardware by making the application code itself portable.

This is widely documented; look into the history of Sun's "Green Project" and the Oak language, the precursor to Java. See this (PDF) for example, or this bit from the Java Programming Wikibook.

While it's debatable how well Java has achieved its design goals, it certainly has been successful in embedded applications.

When set-top boxes and fancy remote-control units - the original demonstration platforms for Oak/Java - turned out to be underwhelming and of relatively little interest in the market, Sun recognized the growing interest in graphical web browsers (spawned by NCSA Mosaic) and in 1995 introduced the HotJava browser, which was written in Java and was the first to support Java applets. Since browsers did not then have scripting languages (LiveScript appeared later that year), developers seized on Java applets as a way to cram additional (some would argue unnecessary) functionality into browser-based UIs.

0
0
FAIL

Most of Android is effectively Java. It's not going anywhere. Java browser plugins are another matter.

1
0
Bronze badge

"... effectively Java" is not the same as "actually Java". It is different VM , different bytecode and different compiler. Google decided to reuse Java syntax and API for its own platform, effectively forking Java. If Google are forced by courts (as Oracle is trying to do) they might change s/java/dalvik/g (or any other name, I particularly like Espresso and Mocha).

Of course in a sense, Dalvik is Java, and (if names of Dalvik APIs remain unchanged) in 10 years time, it might be the only Java. It would be a very interesting example of evolution of a programming language by forking and survival.

3
0
Silver badge

There's also a tremendous amount of Java code running enterprise back-office applications, some as POJOs but much of it J2EE components and JSP. Anyone who understands enterprise software knows that isn't going anywhere any time soon either. Corporations are still running COBOL apps written in the 1960s, many of which they aren't even trying to update to newer COBOL syntax (even though that would likely reduce future maintenance costs). There is no compelling economic driver for those organizations to rewrite those Java applications either. Security flaws in the applet container are utterly irrelevant.

People like Bronek who are predicting "the end of Java" should look at how successful similar predictions have been over the years. We heard a lot about the end of the mainframe starting in the 1980s with the rise of personal computing; mainframes are still going strong. There have been several cycles of "the end of Microsoft Windows", "the end of UNIX", etc - they're all still around. Since I work for the major COBOL vendor, I'm more than familiar with "the end of COBOL" - our own CEO at the time announced in public that COBOL was dead in 1999 - but we're selling more of it than ever. Entrenched IT technologies generally take a long time to die. There are arguably a few exceptions (eg Token Ring, 8-bit PCs), but in those cases the replacement had compelling advantages.

As for C++ replacing Java - it hasn't even managed to replace C.

0
0
