Disabled Java Plugins, XProtect Updater
Today Apple updated the XProtect.meta.plist file, which, among other things, causes XProtect to disable Java Plugins that don’t meet a minimum version.
The net effect was to disable the Java 6 plugin on all browsers, as well as Java 7 plugins older than 1.7.11.22.
If you need to continue to use the Java 6 plugin in your organization, you can revert the changes and disable the mechanism that updates the XProtect.meta.plist by installing this package:
https://dl.dropbox.com/u/8119814/DisableXProtectUpdater.pkg.zip
This is a payload-free package that runs this script as a postflight:
#!/bin/sh

# don't check JavaWebComponentVersionMinimum
XPROTECT_META_PLIST="$3/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"
/usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" "$XPROTECT_META_PLIST"

# disable the xprotectupdater job
LAUNCHD_JOB_PLIST="$3/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
/bin/launchctl unload -w "$LAUNCHD_JOB_PLIST"
I won’t tell you this is a smart thing to install; there are many reasons to leave things as they are. Apple disabled these plugins to protect against known exploits. By re-enabling them, you are opening up your managed machines to these exploits.
But if your org needs the Java 6 Web Plugin, this should get you running again. You should re-enable the XProtect updater as soon as you are able, though:
sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
NOTE: if you need to re-enable an older version of the Oracle Java 1.7 Plugin, you’ll need to edit the postflight script and add something like:
/usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion 1.7.10.19" "$XPROTECT_META_PLIST"
(Sadly, WordPress changes a colon followed by a P into an emoticon, even in pre-formatted text. Not helping…)
This sets the MinimumPlugInBundleVersion for the Oracle Java Web Plugin back to the value it was with the 10 Jan 2013 version of the XProtect.meta.plist. Again, if you do this, you are choosing to expose your machines to a known Java Web Plugin exploit. Do so at your own risk.
(Update 01 Feb 2013)
If you need to run the Oracle Java 1.7 Plugin (or are already running it and it’s been disabled) the best fix is to update the Java install. As of this writing, Java 7 Release 13 for OS X is available here. This installs a web plugin with BundleVersion 1.7.13.20.
(Update 02 Feb 2013)
Apple has released a Java 6 update for Snow Leopard. Installing this update will restore Java 6 web plugin functionality under Mac OS 10.6. This won’t help if you need to use the Java 6 web plugin under OS X 10.7 or later.
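An added example, not part of the original post or its package: a Python audit that reads an XProtect.meta.plist and reports the two changes described above (the deleted JavaWebComponentVersionMinimum key, and a lowered or malformed MinimumPlugInBundleVersion), so machines carrying the workaround can be found and restored. The 1.7.11.22 baseline comes from the post; the function names and the sample plists are constructed for illustration.

```python
import plistlib

# Baseline from the post: Java 7 plugins older than 1.7.11.22 were disabled.
BASELINE = {"com.oracle.java.JavaAppletPlugin": "1.7.11.22"}

def parse_version(value):
    """Dotted version -> tuple of ints, or None if any part is not numeric."""
    parts = str(value).strip().split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def audit_xprotect_meta(plist_bytes, baseline=BASELINE):
    """Return findings for one XProtect.meta.plist (XML or binary format)."""
    meta = plistlib.loads(plist_bytes)
    findings = []
    if "JavaWebComponentVersionMinimum" not in meta:
        findings.append("JavaWebComponentVersionMinimum missing")
    # Same key path the PlistBuddy command uses: PlugInBlacklist -> 10 -> bundle id
    plugins = meta.get("PlugInBlacklist", {}).get("10", {})
    for bundle_id, wanted in baseline.items():
        raw = plugins.get(bundle_id, {}).get("MinimumPlugInBundleVersion")
        if raw is None:
            findings.append(f"{bundle_id}: no minimum version set")
        elif parse_version(raw) is None:
            findings.append(f"{bundle_id}: malformed minimum {raw!r}")
        elif parse_version(raw) < parse_version(wanted):
            findings.append(f"{bundle_id}: minimum lowered to {raw}")
    return findings

def sample_plist(oracle_min, java_key=True):
    """Constructed sample data; not a copy of Apple's file."""
    meta = {"PlugInBlacklist": {"10": {"com.oracle.java.JavaAppletPlugin":
            {"MinimumPlugInBundleVersion": oracle_min}}}}
    if java_key:
        meta["JavaWebComponentVersionMinimum"] = "constructed-placeholder"
    return plistlib.dumps(meta)

if __name__ == "__main__":
    cases = {"untouched": sample_plist("1.7.11.22"),
             "workaround applied": sample_plist("1.7.10.19", java_key=False),
             "stray word in value": sample_plist("string 1.7.11.21")}
    for name, data in cases.items():
        print(name, "->", audit_xprotect_meta(data) or "no findings")
    # On a Mac, audit the live file by passing open(path, "rb").read()
```
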
January 31, 2013 at 12:10 pm
I eventually worked out an almost identical approach – the command line I ended up with was /usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion string 1.7.11.21" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
But Safari is still blocked. I’m seeing some people report success and some not. Some use 1.7.11.19 and some use 21. I see the resulting XProtect.meta.plist being changed as you (and others) have stated but it seems to me something else must be in the picture….
January 31, 2013 at 12:11 pm
We are not using the Oracle Java 1.7 plugin here, so I can’t help! Sorry.
January 31, 2013 at 12:50 pm
Figured it out – I had the word “string” in the command which was making it part of the version. My mistake. Now it’s working.
January 31, 2013 at 12:59 pm
Thank you Greg!
February 1, 2013 at 12:32 am
I found this out the hard way trying to VPN into my work. They use Juniper. It would be nice if they had notified their users with a useful error message rather than silently wedging Java on pages wanting to load applications or silently “blocking” Java.
So, how in the heck did we get this update if we didn’t manually download/accept a System Update from Apple?
February 1, 2013 at 3:02 am
This isn’t a software update – it’s another kind. See Sys Preferences, Security, General, Advanced, check box for automatically update safe downloads list.
February 1, 2013 at 10:16 am
Wow, thanks for the clue on that one. They make it as obtuse as possible to find that switch. !#$!#@%!
February 1, 2013 at 2:56 am
Thanks Greg,
(needed for version 6)
From the Netherlands
Greetings
Peter-Erk
February 1, 2013 at 9:44 am
Put simply, XProtect Updater is malware. Sure, you can disable it, but only if you know where to look. It is not at all unlike the Windows malware we all know and love in that it is turned on by default and there is no easy way to undo or limit the backdoor.
February 4, 2013 at 12:13 pm
I installed the package. Do I need to run the script given above, or does the package do this? Sorry for the stupid question.
February 4, 2013 at 1:01 pm
It’s probably not the _best_ idea to install the package I’ve offered without understanding exactly what it does, but yes, it runs the script in the main post. That’s _all_ it does.
February 5, 2013 at 6:35 pm
Thanks. I understood the risks of disabling XProtect, as most of our corporate applications don’t support JVM 7. I wasn’t sure if the package installed a binary and later we had to run the script. Thanks for the help. Lots of people here thank you for the fix.
February 6, 2013 at 8:26 am
Thank you, thank you, thank you. Must use Java 6 in a mission-critical application, at least until I can find a reasonable replacement.
February 18, 2013 at 3:00 pm
[...] This new requirement came in just after Apple disabled Java 6 on 10.7+ Macs (as detailed a little here: http://managingosx.wordpress.com/2013/01/31/disabled-java-plugins-xprotect-updater/ ). [...]
March 12, 2013 at 5:06 pm
Thank you. I’m sick of Apple deciding what versions of plugins I need to be running. I can make that assessment myself.