A major security breach in Oracle’s Java 7 browser plugin earlier this month caused Apple to remotely disable Java for all OS X Safari users. Oracle updated Java to address the security issues but after a short delay, Apple has again remotely blocked Java on OS X, as reported by French site MacGeneration.
In early January, the U.S. Department of Homeland Security issued an urgent warning to computer users that a serious exploit had been found in the popular Java plugin. Java had already been the source of several past OS X vulnerabilities so the Cupertino company proactively disabled the plugin in Safari rather than risk another security crisis.
Apple used OS X’s built-in “XProtect” anti-malware system, introduced in 2009 with OS X 10.6 Snow Leopard. The company configured the system so that a minimum version number of Java had to be installed for the plugin to run automatically. As a precaution, Apple set the minimum to a version number that did not yet exist.
A few days after the news broke, Oracle released an update to address the vulnerabilities and raised the version number so that XProtect would no longer block it. Unfortunately, MacRumors points out that security researchers found Oracle had addressed only one of the two vulnerabilities, leaving the plugin a still serious security threat.
In response, Apple today again updated XProtect to block the current version of Java, 1.7.0_11-b21, by setting a minimum version number of 1.7.0_11-b22.
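The following is an added example, not code from the article or from Apple's XProtect, modelling the minimum-version check described above in Python: a plugin runs only when its installed version is at least the configured minimum, so setting the minimum to a build that does not yet exist (1.7.0_11-b22 here) blocks every installed copy. The bundle identifier and the version-string format are assumptions.

```python
import re

# Constructed blocklist entry modelled on the XProtect mechanism described
# in the article. The bundle identifier is an assumption, not a value
# taken from Apple's actual configuration.
PLUGIN_MIN_VERSIONS = {
    "com.oracle.java.JavaAppletPlugin": "1.7.0_11-b22",
}

# Java 7 version strings look like "1.7.0_11-b21": major.minor.patch,
# an optional "_update" number and an optional "-bNN" build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(version: str) -> tuple:
    """Turn a Java version string into a comparable tuple of integers.

    Missing update or build components count as 0, so "1.7.0" sorts
    below "1.7.0_11" and "1.7.0_11" sorts below "1.7.0_11-b21".
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def plugin_allowed(bundle_id: str, installed_version: str) -> bool:
    """Return True if the plugin may run automatically.

    A plugin with no configured minimum is allowed. Otherwise it is
    allowed only when its version is greater than or equal to the
    minimum; a minimum that no released build reaches blocks all copies.
    """
    minimum = PLUGIN_MIN_VERSIONS.get(bundle_id)
    if minimum is None:
        return True
    return parse_java_version(installed_version) >= parse_java_version(minimum)


if __name__ == "__main__":
    # The version the article says Apple blocked, checked against the minimum.
    print(plugin_allowed("com.oracle.java.JavaAppletPlugin", "1.7.0_11-b21"))
```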
For those interested in learning more about the Java exploit, TMO’s John Martellaro has a detailed explanation of the risks and instructions on how users can check whether they are vulnerable.
Those using software that relies on the desktop version of Java, which is separate from the browser plugin, need not take further action at this time. Those applications, such as CrashPlan, remain functional, and there are no known vulnerabilities for that configuration.