Today Apple updated the XProtect.meta.plist file, which, among other things, causes XProtect to disable Java Plugins that don’t meet a minimum version.
The net effect was to disable the Java 6 plugin on all browsers, as well as Java 7 plugins older than 1.7.11.22.
If you need to continue to use the Java 6 plugin in your organization, you can revert the changes and disable the mechanism that updates the XProtect.meta.plist by installing this package:
https://dl.dropbox.com/u/8119814/DisableXProtectUpdater.pkg.zip
This is a payload-free package that runs this script as a postflight:
#!/bin/sh # don't check JavaWebComponentVersionMinimum XPROTECT_META_PLIST="$3/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist" /usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" "$XPROTECT_META_PLIST" # disable the xprotectupdater job LAUNCHD_JOB_PLIST="$3/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist" /bin/launchctl unload -w "$LAUNCHD_JOB_PLIST"
I won’t tell you this is a smart thing to install; there are many reasons to leave things as they are. Apple disabled these plugins to protect from known exploits. By re-enabling them, you are opening up your managed machines to these exploits.
But if your org needs the Java 6 Web Plugin, this should get you running again. You should re-enable the XProtect updater as soon as you are able, though:
sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
NOTE: if you need to re-enable an older version of the Oracle Java 1.7 Plugin, you’ll need to edit the postflight script and add something like:
/usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion 1.7.10.19" "$XPROTECT_META_PLIST"
(Sadly, WordPress changes a colon followed by a P into a emoticon, even in pre-formatted text. Not helping…)
This sets the MinimumPlugInBundleVersion for the Oracle Java Web Plugin back to the value it was with the 10 Jan 2013 version of the XProtect.meta.plist. Again, if you do this, you are choosing to expose your machines to a known Java Web Plugin exploit. Do so at your own risk.
(Update 01 Feb 21013)
If you need to run the Oracle Java 1.7 Plugin (or are already running it and it’s been disabled) the best fix is to update the Java install. As of this writing, Java 7 Release 13 for OS X is available here. This installs a web plugin with BundleVersion 1.7.13.20.
(Update 02 Feb 2103)
Apple has released a Java 6 update for Snow Leopard. Installing this update will restore Java 6 web plugin functionality under Mac OS 10.6. This won’t help if you need to use the Java 6 web plugin under OS X 10.7 or later.
I eventually worked out an almost identical approach – the command line I ended up with was /usr/libexec/PlistBuddy -c “Set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion string 1.7.11.21” /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
But Safari is still blocked. I’m seeing some people report success and some not. Some use 1.7.11.19 and some use 21. I see the resulting XProtect.meta.plist being changed as you (and others) have stated but it seems to me something else must be in the picture….
We are not using the Oracle Java 1.7 plugin here, so I cant’t help! Sorry.
Figured it out – I had the word “string” in the command which was making it part of the version. My mistake. Now it’s working.
Thank you Greg!
I found this out the hard way trying to VPN into my work. They use Juniper. It would be nice if they had notified their users with a useful error message rather than silently wedging Java on pages wanting to load applications or silently “blocking” Java.
So, how in the heck did we get this update if we didn’t manually download/accept a System Update from Apple?
This isn’t a software update – it’s another kind. See Sys Preferences, Security,General, Advanced, check box for automatically update safe downloads list.
Wow, thanks for the clue on that one. They make it as obtuse as possible to find that switch. !#$!#@%!
Thanks Greg, 🙂 (needed for version 6)
From the Netherlands
Greetings
Peter-Erk
[…] Trials and Tribulations of an OS X Administrator « Disabled Java Plugins, XProtect Updater […]
Put simply, XProtect Updater is malware. Sure, you can disable, but only if you know where to look. It is not at all unlike the Windows malware we all know an love in that it is turned on by default and no easy way to undo or limit the backdoor.
I installed the package. Do I need to run the script given above? or does the package does this. Sorry for the stupid question
It’s probably not the _best_ idea to install a the package I’ve offered without understanding exactly what it does, but yes, it runs the script in the main post. That’s _all_ it does.
Thanks. I understood the risks of disabling XProtect as most of our corporate application doesn’t support JVM 7. I wasn’t sure if the package install a binary and later we had to run the script. Thanks for help. Lot of people here thank you for the fix.
Thank you, thank you, thank you. Must use Java 6 in a mission-critical application, at least until I can find a reasonable replacement.
[…] Java […]
[…] This new requirement cam in just after Apple disabled Java 6 on 10.7+ Macs (as detailed a little here: https://managingosx.wordpress.com/2013/01/31/disabled-java-plugins-xprotect-updater/ ). […]
Thank you. I’m sick of Apple deciding what versions of plugins I need to be running. I can make that assessment myself.
I every time spent my half an hour to read this web site’s content everyday along with a cup of coffee.
Terrific article! This is the kind of information that are supposed to be
shared around the net. Shame on Google for now not
positioning this publish higher! Come on over and visit my website .
Thank you =)