Java 7.10 Plugin blocked on Mac

Alan_W · January 11, 2013, 4:40am

This morning, my mac (safari) blocked the 7.10 plugin, stating I needed to download the latest version. However since that is the latest version, obviously that isn’t going to help. Presumably this is apple’s response to the latest zero-day exploit, putting the ball in oracle’s court to produce a fix.

Fine in many ways, but it stops me checking for compatibility on the mac. Hopefully this is less of an issue these days anyway, since oracle is now supplying the jvm, but grouch grouch grouch.

I suppose I ought to disable the java plugin on my PC too for the time being. Maybe I should run two browsers, one for general use with no java, and one for sites where I specifically need java.

ReBirth · January 11, 2013, 4:47am

Ya that’s all hiccup today about Java 7u10 applet exploit.

davedes · January 11, 2013, 8:22am

Java 7 won’t work in Chrome at all.

Java 7 also doesn’t work on any Macs earlier than 10.7. A large percentage of users are still running Snow Leopard (myself included).

And of course the current release of LWJGL (and thus Slick/LibGDX) does not work with Mac and Java 7. Fortunately this will be fixed soon.

The whole thing is a huge mess… :cranky:

ReBirth · January 11, 2013, 8:23am

I use OpenJDK for applet player.

TifantaWorld · January 11, 2013, 9:39am

As for the Chrome thing, the ball is in Google’s court to make a 64-bit version of their browser.

theagentd · January 11, 2013, 9:45pm

What’s this about LWJGL not working with Java 1.7? My workspace says otherwise…

Regenuluz · January 12, 2013, 3:57pm

It annoys me to no end that Apple just disables stuff without any explanation. But they fail at it, because applets still run fine in Firefox. -.-

LWJGL does not work on OS X with Java 7, at least not their 2.8.5 version.

Sickan · January 13, 2013, 2:22pm

If you absolutely must use LWJGL on Mac 10.7+ and use Java 7, you can checkout some of the links here. From what I’ve seen a lot of things seem to work.

Alan_W · January 13, 2013, 3:01pm

I got a ‘blackhole’ toolkit attack after visiting java-samples dot com. Blocked, but I’d stay clear. Looks ad related.
Have up’d all my security settings, but have whitelisted java-gaming and java4k sites for the moment.

gene9 · January 13, 2013, 9:58pm

I’m a huge fan of the Java development ecosystem, but the Java applet web browser plugin seems like an idea passed it’s time.

What does anyone actually use the Java web plugin for?

princec · January 13, 2013, 10:17pm

java4k and Minecraft

Apparently a lot of European business websites like banks use it.

Cas

kappa · January 13, 2013, 11:53pm

Oracle have released a fix the above exploits, announcement here.

They’ve also switched the default Java Security Settings Level to High, basically meaning all Java applets will now be click to start (no more drive by Java attacks).

Just painful watching the Java Applet plugin situation slowly moving from bad to obsolete over the years.

princec · January 14, 2013, 12:05am

All unsigned applets, that is. I think only Very High causes it to trigger for all applets.

Cas

kappa · January 14, 2013, 12:08am

On the Very High setting unsigned applets won’t run. On High, you will be prompted before any unsigned Java app runs in the browser. If the JRE is below the security baseline, you will be given an option to update. There is already a prompt for signed/self-signed applets, so basically all applets now have a prompt (a double prompt in Chrome).

princec · January 14, 2013, 12:11am

Given the security woes around Java in the browser you wonder why they didn’t set it to Very High in the first place.

Cas

gouessej · January 14, 2013, 12:16am

Sorry to contradict you but there is a JOGL 2.0 backend for LibGDX that works fine on latest Macs, just have a look at my Github account.

gene9 · January 14, 2013, 3:51am

You can just download Minecraft and other Java games. I don’t see a good reason for a bank to use a Java applet. I guess the Chrome model of always blocking until the user explicitly allows is appropriate.

Alan_W · January 14, 2013, 6:20am

I’ve updated my Mac. It now defaults to High settings, where it gives a security prompt if the applet requests a non-current version of the JRE. Question is does compiling for 1.7 make it go away, or do we need to wait for a JDK update? It might be a bit pointless anyway, if it means the latest point release, as applets would require constant recompilation.
Edit: Nope - the warning always comes up.

Updating my PC is going to be a pain as I have the standalone JFX 2 installed. Apparently I need to deinstall it first, then upgrade the JRE. I hope this isn’t going to make a mess. Don’t have time to do that for a bit, so will have to leave the PC java blocked for most sites for the time being.

Regenuluz · January 14, 2013, 10:32am

The banks in Denmark all use Java applets(As well as all official stuff like tax, etc. etc. etc.) for 2-factor authentication, called Nem ID(Which is more or less a piece of crap xD), though I don’t see why they need to use Java for it. I’m fairly sure it could all be written in pure html though(The login form, that is xD).

princec · January 14, 2013, 11:43am

Turns out to be pretty difficult to get browsers to all behave in the same ways and securely. The Java plugin actually minimises your risks and targets, from the banks perspective. However it then also occasionally snafus incredibly badly with this sort of driveby attack.

Cas