Archive

Archive for the ‘Java’ Category

End of the road for Apple’s Java 6 updates

January 23, 2014 3 comments

It’s been a long time coming, but Java 6 on OS X has hit the end of the road for updates. Mike Swingler has posted a message to the Apple java-dev list that confirms that no further Java SE 6 updates are available for any platform, including OS X. Java for OS X 2013-005 and Java for Mac OS X v10.6 Update 17 are the latest versions available and install Java SE 6 build 1.6.0_65.

As part of this post, I’d like to say thanks to the Java folks at Apple for going above and beyond. Apple’s last Java 6 update was released in Oct 15, 2013, which was a full eight months after Oracle discontinued updates for other platforms. This allowed some vulnerabilities in Java 6 to be addressed that otherwise wouldn’t have been.

For those who need them, download links for Java for OS X 2013-005 and Java for Mac OS X v10.6 Update 17 are available below:

Java for OS X 2013-005

Java for Mac OS X v10.6 Update 17

Managing Oracle’s Java Exception Site List

January 16, 2014 6 comments

Oracle’s Java 7 Update 51 has introduced new security requirements for browser plugins for applets and web start applications. However, not all applets are able to run using the new requirements. To help with this, Oracle has included a way to whitelist specific sites using Java 7’s new Exception Site List. This allows the applets and web start applications hosted on the specified sites to continue to work, even if they don’t meet the new security requirements in Java 7.

On Mac OS X 10.7 and higher, the Exception Site List is a plaintext file named exception.sites, which is stored in /Users/username/Library/Application Support/Oracle/Java/Deployment/security.

To help Mac admins manage the Exception Site List, I’ve written a script which is designed to add websites to Oracle’s Java 7’s Exception Site List without overwriting existing entries. For more details, see below the jump.

Read more…

Java 7 Update 51 blocks older Network Connect Java applets

January 15, 2014 3 comments

Older versions of Java applets used by Juniper’s SSL VPN may be blocked from working properly by security changes in Java 7 Update 51. When the applet is blocked, an error message like this will appear:

SecurityException: Missing required Permissions manifest attribute in main jar: https://server.name.here/dana-cached/sc/JuniperSetupClientApplet.jar

VPN_error

The root cause is that Java 7 Update 51 now requires the existence of the referenced permissions attribute, along with a requirement to code sign all Java applets. The applets used by older versions of Juniper’s SSL VPN do not include the permissions attribute.

The fix is to update the SSL VPN with Secure Access (SA) version 7.1R17, 7.3R9, 7.4R7, 8.0R1 and later versions. The applets included with these versions have the needed permissions attribute. Until the VPN server is upgraded, Juniper’s recommended workaround is use Java 7 Update 51′s Exception Site List feature. To help with this, I have a post showing how to add sites to the Exception Site List in the Java Control Panel settings.

Categories: Java, Mac administration

Oracle Java 7 Update 51 blocks unsigned Java applets by default

January 15, 2014 23 comments

Oracle released Java 7 Update 51 on January 14th. As part of the installation, the Java security level is set by default to High. With this security setting, self-signed and unsigned applets are blocked from running. This can be verified by going to http://javatester.org/version.html, as this site uses an unsigned Java applet.

Screen Shot 2014-01-14 at 2.46.33 PM

Screen Shot 2014-01-14 at 2.46.48 PM

Fortunately, it appears that there are a couple of ways to fix this. See below the jump for details.

Read more…

Categories: Java, Mac administration

Connections to Juniper Network Connect VPN failing in Safari 6.1 and Safari 7

October 23, 2013 49 comments

Along with Mavericks‘ release today, Apple released Safari 7 (included with Mavericks) and Safari 6.1 for Mountain Lion. Both versions of the Safari browser are having issues connecting to my work’s VPN. When connecting to the VPN, it will try to install the Network Connect client software then fail with the following error:

An error occurred while extracting one of the Network Connect components

Juniper_VPN_Safari_7_10_9

Mac OS X 10.6.8 and 10.7.5 do not have Safari 6.1 available as an update of this time, so connecting to the VPN using Safari on those OSs should be unaffected.

I’ve verified that connecting to the VPN with Firefox 24 works for both 10.8.x and 10.9.x.

Juniper_VPN_Firefox_24_10_9

For now, it appears that using Firefox to connect to Juniper VPNs is going to be the workaround for this issue until we can get a fix from either Juniper or Apple. Google Chrome is a 32-bit browser, which prevents it from being able to work with Oracle’s 64-bit Java 7.

Based on what I’m seeing, it looks like Safari 6.1 and Safari 7 introduced a new sandbox for browser plug-ins, replacing the previous Java whitelist. At this time, it does not appear that Juniper’s software is able to work with this sandbox.

Screen Shot 2013-10-22 at 8.11.01 PM

Screen Shot 2013-10-22 at 8.10.55 PM

Java 7 Update 40 runs natively in VMware Fusion OS X VMs

September 10, 2013 Leave a comment

An issue that I’ve been dealing with for a while has been that Oracle’s Java 7 did not run natively in VMware Fusion. VMware had created a patch for OS X VMs, but it was only designed to be run in OS X VMs running 10.8.x.

As of today, that issue has now been resolved. With the release of Java 7 Update 40, Java 7 now runs natively in VMware Fusion OS X VMs running 10.7.5 and 10.8.4. Thanks to the OpenJDK team, Oracle and VMware for their work in getting this fixed.

Screen Shot 2013-09-10 at 4.16.47 PM

Screen Shot 2013-09-10 at 4.16.49 PM

Categories: Java, VMware

XProtect updated – now blocking Java browser plug-in versions prior to June 2013 Java updates

August 29, 2013 4 comments

Apple put out two advisories on August 29th about Java:

Java updates available for OS X on August 28, 2013

OS X: Java Web plug-in blocked 28 August 2013

The latter advisory is especially noteworthy to Mac admins, as that means that Apple’s XProtect was updated to block older versions of Java. That said, XProtect was not updated after the latest round of updates in June 2013, so those versions were not previously set in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist as the minimum allowed versions. See below the jump for more details.

Read more…

Installing Apple’s updated Java for OS X 2013-004 and Java for Mac OS X 10.6 Update 16 over previous versions

June 24, 2013 Leave a comment

As part of dealing with the issues caused by the initial versions of Apple’s Java for OS X 2013-004 and Java for Mac OS X 10.6 Update 16, Apple has recommended installing the revised version of the updates overtop of the existing update in order to replace the problematic Java builds.

The fixed Java builds are the following:

Mac OS X 10.6.x: 1.6.0_51-b11-456-10M4509 (currently installed by Java for Mac OS X 10.6 Update 16)

Mac OS X 10.7.x – Mac OS X 10.8.x: 1.6.0_51-b11-457-11M4509 (currently installed by Java for OS X 2013-004)

If you’ve already installed Java for Mac OS X 10.6 Update 16, it appears that there’s no way to use the softwareupdate tool to install it again. For 10.6.x Macs that had previously installed Java for Mac OS X 10.6 Update 16 and got the problematic build, the installer will need to be downloaded from Apple and then installed on your 10.6.x Mac.

For 10.7.x and 10.8.x however, there’s a way to override the install check that softwareupdate uses which is specific to Apple’s Java updates. By setting the JAVA_INSTALL_ON_DEMAND environment variable for softwareupdate, you can force softwareupdate to install the latest Java update from Apple. This allows you to leverage softwareupdate to re-install the updated Java for OS X 2013-004 over an existing Java for OS X 2013-004 installation that included the problematic Java build.

Michael Kuron posted a script to the MacEnterprise list that I’ve modified. The modified script works pretty well in my environment and does the following:

1. Checks the current OS to see if the Mac is running Mac OS X 10.7.x or later. If not, the script will exit and display the following message:

Not supported on this version of Mac OS X

If the Mac is running 10.7.x or higher, the script runs the following actions:

2. Checks the Java version and displays the results

3. Sets the JAVA_INSTALL_ON_DEMAND environment variable

4. Uses the softwareupdate tool to check for and get the name of the latest Apple Java update for 10.7.x and 10.8.x

5. Installs the latest available Apple Java update for 10.7.x and 10.8.x

6. Checks the current Java version and displays the results

For those interested, the script is available on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/install_apple_java_on_demand

Casper Extension Attribute script to detect Java build 1.6.0_51-b11-456-10M4508

June 23, 2013 4 comments

To follow up on the re-release of Apple’s Java For Mac OSX 10.6 Update 16 and Java for OS X 2013-004 updates, which fixes a problem with the previous versions of the updates, there’s a need to identify which machines got the problematic version of Java. The problematic Java build is 1.6.0_51-b11-456-10M4508 and can be identified by running the following command:


/usr/libexec/java_home -v 1.6 -exec java -version

Update – June 24, 2013: On further examination, it looks like Apple used two different build numbers:

Mac OS X 10.6.x: 1.6.0_51-b11-456-10M4508
Mac OS X 10.7.x – 10.8.x: 1.6.0_51-b11-456-11M4508

To help Casper admins identify which Macs have 1.6.0_51-b11-456-10M4508 or  1.6.0_51-b11-456-11M4508 installed, I’ve posted the following Casper extension attribute to my GitHub repo:

This script uses the java -version command to check the Java build version. If Java builds 1.6.0_51-b11-456-10M4508 or 1.6.0_51-b11-456-11M4508 are detected, the script reports Installed. If neither 1.6.0_51-b11-456-10M4508 or 1.6.0_51-b11-456-11M4508 are installed on the Mac, the script reports Not Found.

For those interested, the script is available on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_for_java_build_M4508

MATLAB problems after Java for Mac OS X 10.6 Update 16 or Java for OS X 2013-004 are installed

June 21, 2013 11 comments

After the latest round of Apple’s Java updates, some Java-based applications began exhibiting problems. At my shop, MATLAB was one of the applications that was affected by this.

The root cause was discussed and identified in this StackOverflow thread and appears to affect Swing applications, including MATLAB.

Symptoms

After applying Apple’s Java For Mac OSX 10.6. Update 16 to a 10.6.x Mac, or Java for OS X 2013-004 to a 10.7.x – 10.8.x Mac, MATLAB 2012b and below stops functioning correctly. You can open the program but it does not register any mouse or keyboard interaction until the window is resized.

Status as of Friday, June 21

After speaking with Mathworks support, I tested and verified the following:

MATLAB R2011a runs in Mac OS X 10.6.8, 10.7.5 and 10.8.4 with the latest Apple Java updates installed.

MATLAB R2013a runs in Mac OS X 10.7.5 and 10.8.4 with the latest Apple Java updates installed. MATLAB R2013a does not support 10.6.8.

At the moment, here are the options that appear to be available:

For 10.6.x: MATLAB users should install and use MATLAB R2011a

For 10.7.x – 10.8.x: MATLAB users should upgrade to MATLAB R2013a if possible. If not possible to upgrade to 2013a for code compatibility reasons, MATLAB users should install and use MATLAB R2011a.

Other options may include trying to roll back Java to the previous version, but that can cause other issues. I don’t recommend trying that unless neither MATLAB R2013a or MATLAB R2011a are viable options.

Update – Friday, June 21 at 5:15 PM EDT

It looks like Apple has resolved this issue by posting new versions of the Java For Mac OSX 10.6. Update 16 and Java for OS X 2013-004 installers:

Java for OS X 2013-004http://support.apple.com/kb/DL1572
Java for Mac OS X 10.6 Update 16http://support.apple.com/kb/DL1573

I’ve tested the newly rev’d Java for Mac OS X 10.6 Update 16 update on 10.6.8 and MATLAB R2012b. The new update allowed MATLAB R2012b to run normally again. I still need to test 10.7.5 and 10.8.4, but this looks promising.

Screen Shot 2013-06-21 at 4.17.02 PM

Update – Friday, June 21 at 9:40 PM EDT

I’ve now tested the new revision of the Java for OS X 2013-004 update on Mac OS X 10.7.5 and 10.8.4, both times with MATLAB R2012b. The new update allowed MATLAB R2012b to run normally again on both OSs.

Screen Shot 2013-06-21 at 9.27.08 PM

Screen Shot 2013-06-21 at 9.35.06 PM

Follow

Get every new post delivered to your Inbox.

Join 126 other followers

%d bloggers like this: