Apple blocks Java on the Mac over security concerns

It's been a rough couple of weeks for Java. Security issues are dogging the code, the latest fix may cause almost as many problems as it solves, and now Apple has decided to block Java completely. French blog MacGeneration originally picked up the blockade, noticing that an update to Apple's XProtect now blocks all versions of …

COMMENTS

This topic is closed for new posts.
  1. danR2

    Java is required to anything greater than plain text, to upload a file, to use HTML, etc. on one of our university's two brands of coursework discussion sites. It does not surprise me in the least that the New York Times hack was vectored through infected university servers. For all the computer nerdiness in so many of their faculties, they seem the least prepared for security. I shut off Java some time ago, but very few other people even seem to be paying attention.

    1. TRT Silver badge

      And it mediates our VPN solution... lots of calls from lecturers unable to access journals anymore...

    2. Anonymous Coward
      Meh

      Hmm.

      "Java is required to anything greater than plain text, to upload a file, to use HTML, etc."

      I don't know, is it? A lot of anybody and everybody is stuck on it because it seemed to people who weren't programmers like the "future language"...10 years ago. Now for those with relations to the JVM are, for the lack of a better word, stuck.

      I'm really not informed on the current state of things that can and can't be done in Java. However, with the push of the HTML 5 spec, companies letting C code (newlib) in as a plugin, JavaScript optimizations on all browsers all the time, and lastly, the push for better battery life on apparently everything, where does the future let room for the JVM?

      Consider the "The Java trap." How will Oracle reinforce those trap doors? Apparently not through security.

      1. Daniel B.

        Re: Hmm.

        JavaScript is a turd. Nothing even remotely related to security should be ever implemented in that. Not just for performance, but also because it can be modified by clients, so anything depending on JS to validate business rules is easily overridden.

  2. This post has been deleted by its author

  3. Nanners
    FAIL

    Jobs's greatest insight

    F flash, waiting for the alternative.

  4. koolholio
    FAIL

    Apple, ooh Apple!

    How many will have upgraded or even noticed Quicktime 7.7.3 was released recently! New Apple TV and iOS revisions? with all this finger pointing at Java and Flash, since Apple kits are supposedly 'exempt' from vulnerability? --- the common fanboi attitude -- perhaps even a misconception?

    At least Apple are trying to take a proactive approach! I'll give them kudos for that! But not for the prior TIFF bugs!

    Although, He who throw stones in glass houses be a little silly? Since no company could ever be perfect and it is unrealistic to believe so. Isaac Newton's law of gravity isn't it? Or is it Murphy's law?

    1. ThomH

      Re: Apple, ooh Apple!

      Apple hasn't said anything on the record, it's merely blocked some software with known security issues. You seem to be implying that to do so is criticism and that Apple should be allowed to criticise only if its own software is perfect but if that's the standard then surely none of us can criticise Apple unless we've written only flawless software?

    2. JohnsonVonJohnson
      WTF?

      Re: Apple, ooh Apple!

      Apple is just a company. You are investing too much emotion in something you supposedly despise.

      People like products, it doesn't define who they are, and there are always people who are enthusiastic for almost any platform/product. Something doesn't suck, just because you don't like it. Kids these days.

      Java is a cockup on every platform. Apple, and any other company that can do so, SHOULD block it. It is not a little bug, buddy, this is such a HUGE clusterfap that Oracle needs to get on. Oracle needs to stop screwing around and fix it, or shut it down. Chances are high that they CANNOT fix it, due to the cross-platform and backwards compatibility built into java.

      1. Anonymous Coward

        @JohnsonVonJohnson

        Chances are high that they CANNOT fix it, due to layers of corporate bureaucracy and having paid-off / pissed-off the developers able to implement such a fix.

        There, fixed it for you.

      2. teebie

        Re: Apple, ooh Apple!

        "People like products, it doesn't define who they are"

        I wish

  5. This post has been deleted by its author

  6. Flaco Dude
    Headmaster

    XProtect and Processing

    so Apple is killing my Processing? or is it? http://processing.org/

  7. Dana W

    All our Macs have been Java free for two years. I don't miss it at all.

    1. Wyrdness

      My Mac was Java-free for years. I only installed it because Libre Office moans constantly (with annoying pop-ups) if it's not installed. I'd be very happy if Libre Office could remove its dependency on Java.

      I refuse to allow Firefox to have a java plug-in though, despite Outlook webmail also moaning about it not being installed.

      1. Wensleydale Cheese
        Go

        But you can run LibreOffice without Java

        @Wyrdness

        "My Mac was Java-free for years. I only installed it because Libre Office moans constantly (with annoying pop-ups) if it's not installed. I'd be very happy if Libre Office could remove its dependency on Java."

        I caught an indication a few months ago somewhere on the LibreOffice site that they were working on removing the Java dependency.

        The latest release didn't give me the nag messages about the lack of Java the first time I ran it, and where the previous release moaned when creating a new Text document, I haven't seen that in the latest release either.

        I haven't had any problems actually running LO without Java, of course with the caveat that I don't use the database side of LO.

      2. Anonymous Coward

        I'd be very happy if Libre Office could remove its dependency on Java.

        Well, removing it could break your spell checker...

    2. Anonymous Coward

      I'm a Java developer but have to agree, while I have several (likely vulnerable) runtimes and JDKs installed, browsers are not allowed plugin access and haven't been for years.

      1. Gerard Krupa

        That's fine...

        ...until you need to work remotely using a Juniper VPN. I'd much rather be given the choice than have it thrust upon me by a manufacturer that never knowingly lets its users think for themselves.

  8. Neoc

    Maybe I'm reading this wrong, but the screenshot seems to indicate that it's the Java Applet PlugIn that is being blocked, not Java itself.

    1. Giles Jones Gold badge

      Which makes sense if it is just blocked in the browser.

      But blocking the execution of JAR files and being able to develop with Java, Eclipse and so on would be bad news.

    2. Daniel B.
      Boffin

      Indeed

      It is the browser plugin of Java. Though 1.7.13 is out, so it might actually be a matter of Apple putting the dependency *before* Oracle put out the update, not actually blocking Java intentionally.

      The JRE itself isn't blocked, attested by me being able to use LdapBrowser and NetBeans. :)

  9. Mark Simon
    Childcatcher

    AusKey

    If you run a business and need to deal with certain Government services, such as paying your tax, you need AusKey, which is their authentication system. AusKey runs on Java, which, if you’re trying to do this on a Mac is getting harder and harder.

    I have lodged a complaint that the Australian government therefore requires you to compromise your machine, and that this certainly disenfranchises people who do not have the technical experience to install, maintain and monitor Java. Still waiting on a resolution.

    Java is a nice idea, but it has proven to be flaky, impractical, antiquated, insecure. Somewhat like the Australian Government, or at least its IT services.

    1. Anonymous Coward

      Re: AusKey

      "Still waiting on a resolution."

      Be careful what you wish for. The solution is more likely to be a Windows only .NET application than anything else.

      "Java is a nice idea, but it has proven to be flaky, impractical, antiquated, insecure."

      Java works very well for cross-platform desktop applications, but as a browser plugin where any malicious site can interact with it, well, it's scary. The only people who would call it antiquated are non-(Java) devs IMO, since they likely have no idea of the benefits of Java 7 over Java 5 etc.

      1. JohnsonVonJohnson

        Re: AusKey

        Despite apparent benefits, Java IS antiquated.

        Sorry about your job, guy, but Java is toast, and you don't NEED to make something in .net just because you can't use Java.

        Learn something new.

        1. Androgynous Cupboard Silver badge

          Re: AusKey

          Thanks to JohnsonVonJohnson I have now seen the light and will be writing all my enterprise level applications in PHP.

  10. Dan 55 Silver badge

    I'm cancelling my subscription!

    This only affects Java applets running in Safari, right?

    Come on auntie Reg, etc...

    1. James O'Shea

      Re: I'm cancelling my subscription!

      "This only affects Java applets running in Safari, right?"

      Wrong. This affects _all_ browsers, except maybe Firefox. It kills Java for browsers.

      1. Dan 55 Silver badge
        FAIL

        Re: I'm cancelling my subscription!

        Nope.

  11. Anonymous Coward
    Unhappy

    :(

    well, i can't use directly java in-browser on my mac anymore so I have to run it in IE in parallels. That's not so bright. Unfortunately i need to use hob secure for VPN to clients. I would love to get rid of Java on mac, but even Adobe CS requires it.

    1. Dan 55 Silver badge

      Re: :(

      Why Parallels and IE, what's wrong with Firefox?

      1. Anonymous Coward

        Re: :(

        doesn't run perfectly abap wd (SAP). besides, i keep my vm's as thin as possible, so i don't install what I don't need.

        and now I get it, what's wrong with Firefox on mac. Well let's say it doesn't have a good fame - i have a bad opinion about it (initially it scored very badly for vulnerabilities). Being of non-apple conception, it probably doesn't have yet the right mechanics (as I noticed with Opera - bad gestures and animations that go with it). I will test it at some point - but that will take months to try and test firefox again. I tried firefox in one of the first versions, and after that my experience is limited to what I saw while colleagues were using it - maybe I'll be pleasantly surprised.

      2. JohnsonVonJohnson

        Re: :(

        He's just firing up a virtual machine to do a few tasks... why bother installing anything you don't need?

        If all you need is to look at something or quickly interact, a VM can be quickly setup and it doesn't matter what browser you use.

        1. Dan 55 Silver badge
          Holmes

          Re: :(

          Because it wasn't obvious from the first post that he also had to use some horrible IE-only SAP-driven abomination? Whatever the complaints about Mac Firefox (and to be honest I have the same amount of complaints about Mac Firefox as I do Windows Firefox), it's certainly more integrated with Mac OS than IE running in a VM is.

  12. Lars Silver badge
    Pint

    For you Danes

    I read that Den Danske Bank has decided to get rid of Java. Good decision I suppose.

    1. skytrench
      Paris Hilton

      Re: For you Danes

      Don't know where you read that, but Danske Bank NemID now requires Java7 update11, which is unavailable for Mac OSX < version 10.7. This is bound to cause a bunch of bother ...

  13. This post has been deleted by its author

  14. @chriswhocodes
    Mushroom

    Fixable by editing XProtect.meta.plist

    I'm not 100% sure this wasn't done accidentally by Apple.

    They've updated the required version of Java to be 1.7.11 build 22 when the release build from Oracle is actually release 21

    type java -version

    result:

    java version "1.7.0_11"

    Java(TM) SE Runtime Environment (build 1.7.0_11-b21)

    Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)

    Edit the plugin whitelist file using

    sudo nano /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

    and change

    <string>1.7.11.22</string>

    to

    <string>1.7.11.21</string>

    Java will now work again in Safari.

    -Chris

    1. Captain Underpants

      Re: Fixable by editing XProtect.meta.plist

      @chriswhocodes

      Ta muchly, got it sorted with that fix. Cheers!

    2. jubtastic1

      Re: Fixable by editing XProtect.meta.plist

      It's not an accident, raising the minimum allowed version to an increment of the current version is how Apple disables java*, because when the next release comes out it will work without having to undo anything, well assuming oracle have fixed it, but if they haven't Apple will just increment the minimum allowed version again.

      * not the first time this has happened.

    3. Daniel B.

      Re: Fixable by editing XProtect.meta.plist

      Indeed, yesterday had 1.7.13 come out, so I do wonder if it is more of an issue with Apple sending the minimum version update before the actual update came out.
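
Added example (not part of the thread and not any poster's or Apple's code): the minimum-version check discussed in comment 14 and its replies, written as a Python audit that reads a plugin minimum from an XProtect-style plist and compares dotted versions numerically. The plist layout, the key names (`PlugInBlacklist`, `MinimumPlugInBundleVersion`), the bundle identifier and the installed-version values are assumptions constructed for illustration; only the strings 1.7.11.22 and 1.7.11.21 come from the thread.

```python
import plistlib

# Constructed sample. Layout and key names are assumed for illustration;
# only the minimum version string 1.7.11.22 is taken from the thread.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.11.22</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def parse_version(text):
    """Turn '1.7.11.22' into (1, 7, 11, 22) so comparison is numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def is_blocked(installed, minimum):
    """True when the installed version is below the required minimum."""
    have, need = parse_version(installed), parse_version(minimum)
    width = max(len(have), len(need))
    # Pad the shorter version with zeros so '1.7' compares as '1.7.0.0'.
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def minimum_versions(meta_bytes):
    """Collect {bundle_id: minimum_version} from every OS group in the plist."""
    meta = plistlib.loads(meta_bytes)
    minimums = {}
    for per_os in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in per_os.items():
            minimum = rule.get("MinimumPlugInBundleVersion")
            if minimum:
                minimums[bundle_id] = minimum
    return minimums


def audit(meta_bytes, installed):
    """Compare installed plugin versions ({bundle_id: version}) to the minimums."""
    report = {}
    for bundle_id, minimum in minimum_versions(meta_bytes).items():
        version = installed.get(bundle_id)
        if version is None:
            continue  # plugin not installed, nothing to report
        report[bundle_id] = {
            "installed": version,
            "minimum": minimum,
            "blocked": is_blocked(version, minimum),
        }
    return report


if __name__ == "__main__":
    # Installed version as quoted in the thread (build 21 of 1.7.11).
    fleet = {"com.oracle.java.JavaAppletPlugin": "1.7.11.21"}
    for bundle_id, row in audit(SAMPLE_META, fleet).items():
        state = "BLOCKED" if row["blocked"] else "allowed"
        print(f"{bundle_id}: {row['installed']} vs minimum {row['minimum']} -> {state}")
```

Because the minimum sits one build above the shipping release, the current plugin is refused while any later release passes the same check without a further plist change.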

  15. Annihilator
    Flame

    "(with the obligatory offers to install crapware at the same time)."

    Urgh, that. 100x that. Not so much that it offers, but that the Yahoo (!) tool bar is selected for install by default is beyond annoying.

  16. Bronek Kozicki

    this raises a number of questions

    I think we can conclude that Java in browser is in death throes. Only clueless, careless and those without choice continue to use it.

    However, is there a future for Java in server environment? On one hand, in this environment no one will try to load a random applet picked from random web site, since all the code is either 3rd party libraries or own. On the other hand, both JVM and 3rd party libraries do have to be occasionally patched, and if Oracle or 3rd parties are not forthcoming this makes Java a less viable proposition. Since Oracle started automatically removing JVM version 6 installation when patching JVM version 7 this would point that they no longer want to support version 6. What will Oracle do with version 7 when number 8 rolls out?

    Also, given that Java seems to be "the language of choice" in many computer science classes I do wonder what future graduates will do? The fact of the matter is that currently CS graduates are ill-prepared for real world computer programming anyway, so I suppose if the language of choice for learning is slipping into irrelevance probably won't make much of the difference anyway. Academia will notice this eventually, though, and switch to something else (Scala? Python? C++?). It would be in everyone's interest if graduates knew more than one language, too.

    I would not be surprised if Java succumbed to death by a thousand cuts in the next 10 years.

    1. Anonymous Coward
      Flame

      Re: this raises a number of questions

      "I would not be surprised if Java succumbed to death by a thousand cuts in the next 10 years."

      IMO Java is the biggest con perpetrated upon the IT industry in decades. The language itself is less powerful and less flexible than C++ (not that C++ is a shining beacon of how a language should be designed but i digress..) that it was supposed to replace, still generally runs slower and uses more memory than an equivalent C++ binary, requires the correct JVM to be installed before it'll work (write once run anywhere? Do me a favour!). and the JVM as we know is subject to security holes not to mention bugs.

      If java ever had a purpose it's rapidly losing it. My personal opinion is C++ will regain ground on unix server side development along with python and for windows C# will - if it hasn't already - kill java stone dead in the years to come. Assuming MS can get its act together. As for the web, forget it, java died there long ago. It might limp on for a few more years on android until they realise the pointlessness of double compilation but even that will stop eventually.

      1. Ken Hagan Gold badge

        Re: this raises a number of questions

        "If java ever had a purpose it's rapidly losing it."

        Java's original purpose was to provide a provably secure sandbox for running untrusted applets. (If you have to trust the app, you might as well run native code.) It is debatable whether the implementation was ever good enough to realise that noble aim, but it certainly isn't today.

        No matter. In order to achieve that, it had to provide safe equivalents to enough of the native API to be useful. Consequently, it acquired a secondary purpose of "write once run anywhere". This is now its sole purpose. Java is therefore an alternative to frameworks like Qt.

        Given some effort, one presumably *could* resurrect the "provably secure" aspect and that would be of interest to a lot of people. Clearly, however, neither Sun nor Oracle could/can be bothered and as long as Oracle have a final veto on what one can call "Java", their lack of support makes "secure Java" impossible. The best possible outcome, therefore, is for Oracle to throw a hissy fit and discard Java altogether, only for it to be picked up by freetards who are actually willing to do justice to the original design.

        1. Michael Wojcik Silver badge

          Re: this raises a number of questions

          Java's original purpose was to provide a provably secure sandbox for running untrusted applets.

          No, Java's original purpose was as a language for embedded software. Gosling designed it to replace C as the (then) language of choice for embedded applications on hardware powerful enough to want something more than bare metal or a minimal monitor. The idea was to provide a language with high-level constructs (OO, type safety, a framework for common tasks) to reduce development costs; avoid dangerous constructs to improve software quality in embedded environments where patching software could be more difficult; and simplify porting to new hardware by making the application code itself portable.

          This is widely documented; look into the history of Sun's "Green Project" and the Oak language, the precursor to Java. See this (PDF) for example, or this bit from the Java Programming Wikibook.

          While it's debatable how well Java has achieved its design goals, it certainly has been successful in embedded applications.

          When set-top boxes and fancy remote-control units - the original demonstration platforms for Oak/Java - turned out to be underwhelming and of relatively little interest in the market, Sun recognized the growing interest in graphical web browsers (spawned by NCSA Mosaic) and in 1995 introduced the HotJava browser, which was written in Java and was the first to support Java applets. Since browsers did not then have scripting languages (LiveScript appeared later that year), developers seized on Java applets as a way to cram additional (some would argue unnecessary) functionality into browser-based UIs.

    2. Anonymous Coward

      Re: this raises a number of questions

      There are always questions.

      Was Sun wise to accept and implement invokedynamic for all those dynamic-scripting-language *ktards that were not interested to write a VM for their science fair project?

  17. radioaktivty
    FAIL

    Most of Android is effectively Java. It's not going anywhere. Java browser plugins are another matter.

    1. Bronek Kozicki

      "... effectively Java" is not the same as "actually Java". It is a different VM, different bytecode and different compiler. Google decided to reuse Java syntax and API for its own platform, effectively forking Java. If Google are forced by courts (as Oracle is trying to do) they might change s/java/dalvik/g (or any other name, I particularly like Espresso and Mocha).

      Of course in a sense, Dalvik is Java, and (if names of Dalvik APIs remain unchanged) in 10 years time, it might be the only Java. It would be a very interesting example of evolution of a programming language by forking and survival.

    2. Michael Wojcik Silver badge

      There's also a tremendous amount of Java code running enterprise back-office applications, some as POJOs but much of it J2EE components and JSP. Anyone who understands enterprise software knows that isn't going anywhere any time soon either. Corporations are still running COBOL apps written in the 1960s, many of which they aren't even trying to update to newer COBOL syntax (even though that would likely reduce future maintenance costs). There is no compelling economic driver for those organizations to rewrite those Java applications either. Security flaws in the applet container are utterly irrelevant.

      People like Bronek who are predicting "the end of Java" should look at how successful similar predictions have been over the years. We heard a lot about the end of the mainframe starting in the 1980s with the rise of personal computing; mainframes are still going strong. There have been several cycles of "the end of Microsoft Windows", "the end of UNIX", etc - they're all still around. Since I work for the major COBOL vendor, I'm more than familiar with "the end of COBOL" - our own CEO at the time announced in public that COBOL was dead in 1999 - but we're selling more of it than ever. Entrenched IT technologies generally take a long time to die. There are arguably a few exceptions (eg Token Ring, 8-bit PCs), but in those cases the replacement had compelling advantages.

      As for C++ replacing Java - it hasn't even managed to replace C.

  18. Tim 11
    Thumb Down

    wasted opportunity

    done properly, sandboxed java in a browser (or any other language for that matter) could have been a whole lot better than the kind of buggy javascript web sites we've got at the moment.

    1. John Sanders
      Linux

      Re: wasted opportunity

      Well you can not sandbox an ever expanding sandbox very effectively isn't?

      Not to mention the ground under the sandbox is also full of hidden sinkholes (Win/Mac)

    2. Michael Wojcik Silver badge

      Re: wasted opportunity

      Developers who can't write decent ECMAScript[1] probably wouldn't be able to write decent Java either.

      It's true that there are problems with ECMAScript for writing non-trivial programs, notably the lack of a real type system. (Prototype-based OO languages, it turns out, just don't work as well as class-based ones once the number of distinct types gets significant; remembering constraints is simply too hard for developers.) But most of the problems with ECMAScript are because most of the people writing it - particularly including self-anointed "experts" like Resig[2] - can't be bothered to actually learn the language or write correct code.[3]

      The root problem is that the vast majority of software is crap. It will continue to be crap for the foreseeable future, since few developers or development organizations show any real interest in improving quality. And while there have been innumerable proposals for improving software quality, few have seen widespread attempts at adoption, and it's very probable that, as Fred Brooks and others argued, there is no silver bullet anyway.

      [1] "Javascript" refers either to the now-obsolete ancestor (originally named "LiveScript") of ECMAScript, or one implementation of ECMAScript. If people can't even get the name right, I suppose it's no wonder they can't get the code right.

      [2] Original author of the popular, execrable jQuery library.

      [3] As of a few years ago, jQuery still contained erroneous constructs such as "typeof x == 'array'" (which is always false). More damning was Resig's public hissy fit when Google's correct implementation didn't behave the way he wanted it to, with regard to iterating over properties; his code was based on a schoolboy error that anyone with even glancing familiarity with the ECMAScript spec would have spotted, but Resig insisted it was correct because it worked in most implementations. Someone with that attitude shouldn't be writing software at all.

  19. Elmo Fudd
    FAIL

    50% Java - This SUCKS!

    I keep a laptop on the kitchen table so I can check out the news over breakfast - My Firefox browser is set to open with 6 tabs as a home page- My local (Calgary) newspaper's home page, Google news, my online brokerage home page, The Register, Gmail and my Digital newspaper subscription (Postmedia).

    This morning I shut off Java script to see what would happen.

    Calgary Herald website - Can't see any problems, so far so good.

    Google news- Works but the formatting is off- text overlaps images slightly.

    RBC Direct- Some graphics appear but site is totally nonfunctional- cannot log in.

    El Reg - Works fine- no problems.

    Gmail- Blank screen - wants java turned back on - offers HTML only version.

    Postmedia- Top header appears- otherwise screen is blank - No login available.

    50% of my home pages are totally gone, one is affected and two work fine.

    I suspect that many of you would have the same problems - let's hear from you.

    Java is back on! I can't run without it.

    1. DJV Silver badge
      FAIL

      Re: 50% Java - This SUCKS!

      How many more times do people need to be told that Java is NOT JavaScript - aargh!

      Wall, head, hit.

      1. Ken Hagan Gold badge

        @DJV (Re: 50% Java - This SUCKS!)

        "Wall, head, hit."

        Ain't the interwebs wonderful? Young Elmo there managed to launch a denial of service attack on your head and he doesn't even know where you live!

        Great troll, Elmo! Er .. it *was* a troll, right?

    2. Anonymous Coward

      Re: 50% Java - This SUCKS!

      Thank Netscape for this confusion. JavaScript is not Java.

    3. Daniel B.
      Trollface

      hehehe

      The difference between Javascript and Java is:

      One is a steaming pile of bull used a lot in web stuff ... and the other can actually be compiled to bytecode. ;)

  20. Anonymous Coward

    ..blocks not "Java" but the Java **browser plugin**...

    ...or is my French too rusty?
