Apple on Thursday quietly disabled Java 7 on Macs that already have the plugin installed. The news comes soon after we learned of new vulnerabilities discovered in the latest version of Oracle’s software, including at least one being sold for $5,000 on January 16, two we reported about on January 18, and another one on January 28.
It’s currently unclear which of these caused Apple to react, but we can safely say that it wasn’t the last one. That’s because the company rolled out the update on January 27, according to a quick check by my colleague Matthew Panzarino:
F**k it, we'll do it live!
Our biggest ever edition of TNW Conference is fast approaching! Join 10,000 tech leaders this May in Amsterdam.
The company has disabled Java 7 by updating its antimalware protection system. For reference the file in question is located on Macs here: “/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Xprotect.plist.”
As pointed out on Apple’s forums, the blacklist now requires a minimum of Java 1.7.12.x. Since the latest current publicly-available version of Java is 18.104.22.168, all Macs running Java 7 are now marking it as malware. This will stop once Oracle releases a patch, in the form of Java 7 Update 12.
Last time Apple did this was on January 10, the same day a Java vulnerability was discovered as being exploited in the wild. Mozilla took similar steps, adding all recent versions of Java to its Firefox add-on blocklist at the time.
This time Apple seems to be precautionary steps to avoid Mac users getting infected. Mozilla, meanwhile, has completely changed its stance on plugins in general, announcing plans to enable Click to Play for all of them except for the most recent version of Flash.
In any case, when it comes to Java, if you’re on OS X 10.6 Snow Leopard or higher, Apple has once again taken care of things for you. If you are using Windows or Linux, we recommend uninstalling Java if you don’t need it and disabling it if you do.
See also – New vulnerability bypasses Oracle’s attempt to stop malware drive-by-downloads via Java applets and Less than 24 hours after last patch, criminals were selling a new Java exploit for $5,000 per buyer
Image credit: Manu Mohan
Read next: Here are January's 10 biggest tech stories