
Managing Java browser plug-in settings for Apple’s XProtect malware protection

In response to a number of recent Java exploits, both Apple and Mozilla have begun blocking vulnerable versions of Java from running in their respective browsers via their malware protection mechanisms. While this is the right move from a security perspective, it can leave enterprises without the ability to access mission-critical systems that use Java applets running in a browser.

The fix should be to update those affected machines with the latest version of Java. However, this assumes that a) the latest available version of Java is not itself blocked and b) the mission-critical system is able to use the latest version of Java.

From my own perspective, what Apple is doing from a malware protection standpoint is the right thing. I just don’t want my users to lose the ability to access our systems that use a Java applet, especially when the latest available version of Java is blocked and I don’t have a way to otherwise satisfy Apple’s XProtect malware protection without disabling XProtect.

My fix was this: manage XProtect’s ability to disable the Java browser plug-in by modifying the Java browser plug-in settings in the affected Mac’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file. See below the jump for the details.

To handle this, I’ve written a LaunchDaemon and script combination. The LaunchDaemon runs the script at startup and also watches the Mac’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file for changes. When XProtect.meta.plist is modified, the LaunchDaemon triggers the script to run again, and it also runs the script every fifteen minutes after startup.

Update – 3-2-2012: I noticed that the watchpath in the LaunchDaemon was triggering the script to run constantly on my own laptop. To fix this, I’ve updated the LaunchDaemon to run the script at startup and also run the script every fifteen minutes.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.company.xprotect_re-enable_java_6_and_7</string>
	<key>ProgramArguments</key>
	<array>
		<string>sh</string>
		<string>/Library/Scripts/xprotect_re-enable_java_6_and_7.sh</string>
	</array>
	<key>QueueDirectories</key>
	<array/>
	<key>RunAtLoad</key>
	<true/>
	<key>StartInterval</key>
	<integer>900</integer>
	<key>WatchPaths</key>
	<array/>
</dict>
</plist>

The script will check the current Java 6 and Java 7 browser plug-in versions and compare them against the minimum version allowed by Apple’s XProtect malware protection. If the minimum Java version allowed by XProtect does not allow the current version of the Java browser plug-in on the Mac, the script will alter the Mac’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file to set the minimum version allowed to match the current version of the Mac’s Java browser plug-in. This change allows the Mac’s current Java browser plug-in to run in Safari without being blocked. As the Java browser plug-in is updated, XProtect.meta.plist will be updated to match the new version of the plug-in.


#!/bin/sh

# This script will check the current Java 6 and Java 7 browser plug-in
# versions and compare them against the minimum version allowed by
# Apple's XProtect malware protection. If the minimum Java version
# allowed by XProtect does not allow the current version of the Java
# browser plug-in on the Mac, the script will alter the Mac's
# /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
# file to set the minimum version allowed to match the current version
# of the Mac's Java browser plug-in. This allows the Mac's current Java
# browser plug-in to run in Safari without being blocked.

# Minor version of OS X (e.g. "7" for 10.7.x).
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

# Bundle identifier of the installed Java browser plug-in (empty if none is installed).
javaVendor=$(/usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" CFBundleIdentifier 2>/dev/null)

# PlistBuddy errors are silenced so that a Java version that is not installed
# leaves its variable empty; empty values are skipped below so that an empty
# string is never written into XProtect.meta.plist as a minimum version.
CURRENT_JAVA_6_BUILD=$(/usr/libexec/PlistBuddy -c "print :JavaVM:JVMVersion" "/Library/Java/Home/bundle/Info.plist" 2>/dev/null)
XPROTECT_JAVA_6_BUILD=$(/usr/libexec/PlistBuddy -c "print :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist 2>/dev/null)

CURRENT_JAVA_7_BUILD=$(/usr/libexec/PlistBuddy -c "print :CFBundleVersion" "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist" 2>/dev/null)
XPROTECT_JAVA_7_BUILD=$(/usr/libexec/PlistBuddy -c "print :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist 2>/dev/null)

#
# Check to see if XProtect is blocking Apple's Java 6 browser plug-in and re-enable the plug-in if needed.
# Changes in this section are from Pepijn Bruienne's re-enable_java_6 script: https://github.com/bruienne
#

if [ -e /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist ]; then

    if [ -n "$CURRENT_JAVA_6_BUILD" ] && [ "$CURRENT_JAVA_6_BUILD" != "$XPROTECT_JAVA_6_BUILD" ]; then
        /usr/bin/logger "Current Java 6 build (${CURRENT_JAVA_6_BUILD}) does not match the minimum build required by XProtect (${XPROTECT_JAVA_6_BUILD}). Setting current version as the minimum build."
        # defaults(1) takes the plist path without its .plist extension.
        /usr/bin/defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta JavaWebComponentVersionMinimum -string "$CURRENT_JAVA_6_BUILD"
        # defaults saves the file as a binary plist; convert it back to XML and keep it world-readable.
        /usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
        /bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
    else
        /usr/bin/logger "Current JVM build is ${CURRENT_JAVA_6_BUILD} and XProtect minimum build is ${XPROTECT_JAVA_6_BUILD}, nothing to do here."
    fi

    #
    # Script checks to see if the Mac is running Mac OS X 10.7.x or higher. If it is, the
    # script checks to see if the Oracle Java browser plug-in is installed. If the Oracle
    # Java browser plug-in is installed and XProtect is blocking the currently installed
    # version of Oracle's Java 7 browser plug-in, the script will re-enable the Java 7
    # browser plug-in.
    #

    if [ "${osvers}" -ge 7 ]; then
        if [ "$javaVendor" = "com.oracle.java.JavaAppletPlugin" ]; then
            if [ -n "$CURRENT_JAVA_7_BUILD" ] && [ "$CURRENT_JAVA_7_BUILD" != "$XPROTECT_JAVA_7_BUILD" ]; then
                /usr/bin/logger "Current Java 7 build (${CURRENT_JAVA_7_BUILD}) does not match the minimum build required by XProtect (${XPROTECT_JAVA_7_BUILD}). Setting current version as the minimum build."
                /usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion $CURRENT_JAVA_7_BUILD" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
                /usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
                /bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
            else
                /usr/bin/logger "Current Oracle Java version is ${CURRENT_JAVA_7_BUILD} and XProtect minimum version is ${XPROTECT_JAVA_7_BUILD}, nothing to do here."
            fi
        fi
    fi
fi
exit 0

The script has been tested on 10.6.8, 10.7.5 and 10.8.2, so it should cover all current OSs that use Apple’s XProtect malware protection.

The script and launchdaemon are available here on my GitHub repo: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/xprotect_re-enable_java_6_and_7
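The script above treats any difference between the installed build and the XProtect minimum as a mismatch. As an added example (not part of the original post or the rtrouton_scripts repo), the following Python reads the same two XProtect.meta.plist keys the script edits and decides whether an installed plug-in would actually be blocked, using a dotted-version comparison; the plist and version strings are constructed sample data, not values from a real XProtect.meta.plist.

```python
# Added example, not part of the original post or the rtrouton_scripts repo.
# Parses the two XProtect.meta.plist keys the script edits and decides whether
# an installed Java plug-in would be blocked, comparing versions numerically
# rather than with the script's plain string inequality.
import plistlib
import re

# Constructed sample of XProtect.meta.plist; the version strings are made up.
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>JavaWebComponentVersionMinimum</key>
  <string>1.6.0_41-b02-445</string>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.15.01</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def version_key(version):
    """Turn '1.6.0_41-b02-445' or '1.7.15.01' into a tuple of ints for ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def read_java_minimums(plist_bytes):
    """Return the Java 6 and Java 7 minimums XProtect enforces (same keys as the script)."""
    meta = plistlib.loads(plist_bytes)
    java7 = meta["PlugInBlacklist"]["10"]["com.oracle.java.JavaAppletPlugin"]
    return {"java6": meta["JavaWebComponentVersionMinimum"],
            "java7": java7["MinimumPlugInBundleVersion"]}


def is_blocked(installed, minimum):
    """True when the installed build is older than the minimum XProtect allows."""
    return version_key(installed) < version_key(minimum)


def audit(plist_bytes, installed_java6, installed_java7):
    """Report, per plug-in, whether XProtect would block the installed build."""
    mins = read_java_minimums(plist_bytes)
    return {"java6_blocked": is_blocked(installed_java6, mins["java6"]),
            "java7_blocked": is_blocked(installed_java7, mins["java7"])}
```

On a real Mac the installed builds would come from the same PlistBuddy reads the script performs; here they are passed in as arguments so the check runs offline.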

  1. February 24, 2013 at 7:30 pm

    When you say “As the Java browser plug-in is updated, XProtect.meta.plist will be updated to match the new version of the plug-in.” do you mean that both Apple and Oracle’s Java installers do modify the XProtect.meta.plist?

    I see your approach as very similar to disabling xprotect altogether. If your Java is too old you overwrite Apple’s decision.

    • February 24, 2013 at 7:48 pm

      Apple’s and Oracle’s Java installers do not modify XProtect.meta.plist. When run, the script described above will read the version of the installed Java plug-in and plug that into the appropriate keys in XProtect.meta.plist.

      You’re right, I am overriding Apple’s decision with regards to Java with this script. However, I’m overriding it specifically for Java. The other malware settings are unaffected, including those for the Adobe Flash plug-in.

      More importantly, XProtect is still active using this approach and is still able to download fresh malware definitions from Apple. If XProtect is disabled, all the malware protection is disabled.

  2. Josh
    February 25, 2013 at 5:02 pm

    Thanks for sharing this; this is a pretty surgical approach to the problem (in that Xprotect is only modified with regards to Java). I’ve taken the approach of simply disabling the auto-update daemon and managing the manifest manually right now, but this could effectively take that off of my hands. Good work.

  3. Jeff Madson
    March 1, 2013 at 3:48 pm

    Rich,

    This is exactly what I have been looking for, but could you give me a little more detail on how to use these scripts and where they should be installed and run? Thanks!

  4. March 1, 2013 at 3:56 pm

    Jeff,

    If you go to the GitHub link above, I’ve got information in the README on where the scripts can go, and what permissions can be set on them. Once the script and launchdaemon are in place, restarting the Mac will start the process of the launchdaemon running the script.

    • Jeff Madson
      March 1, 2013 at 4:11 pm

      Rich,

      Thanks for the quick response! Okay, I see where they go, but how do I get them there? Should I cut and paste the code into Apple Script Editor and then save them as a script?

      • March 1, 2013 at 4:20 pm

        Jeff,

        This script is a shell script, which is different from the AppleScript language that the Apple Script Editor uses. For a good background on shell scripting, see here for a good YouTube tutorial:

  5. Christian
    March 4, 2013 at 8:45 pm

    Thanks for sharing this, it will be very useful for us in our schools!
    Did you think to do the same for the Flash plugin, because the problem is quite the same?
