Changes to XProtect’s Java browser plug-in version management

Home > Java, Mac administration, Mac OS X, Scripting, XProtect > Changes to XProtect’s Java browser plug-in version management

Changes to XProtect’s Java browser plug-in version management

May 11, 2013 rtrouton Leave a comment Go to comments

In last night’s XProtect update, Apple added two new version checks. The first new check looks for Apple’s com.apple.java.JavaAppletPlugin Java browser plug-in identifier. This Apple Java browser plug-in is running on Mac OS X 10.6.x or was installed on 10.7.x or later by Java for OS X 2012-005 or earlier. Installing Java for OS X 2012-006 and later on 10.7.x and 10.8.x automatically removes the Apple Java browser plug-in.

The second new check looks for Apple’s com.apple.java.JavaPlugin2_NPAPI Java browser plug-in identifier. In this case, the Apple Java plug-in was re-enabled using the procedure in the following Apple KBase article: http://support.apple.com/kb/HT5559

This update also removes the Oracle Java browser plug-in version check from 10.6.x’s XProtect. Both new Apple Java version checks and the Oracle Java browser plug-in version check are in the 10.7.x and 10.8.x XProtect. See below the jump for the details.

As of 5-11-2013, /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist on 10.6.8 looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_45-b06-451</string>
	<key>LastModification</key>
	<string>Fri, 10 May 2013 19:07:37 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.apple.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>13.9.5</string>
				<key>PlugInUpdateAvailable</key>
				<true/>
			</dict>
			<key>com.apple.java.JavaPlugin2_NPAPI</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>13.9.5</string>
				<key>PlugInUpdateAvailable</key>
				<true/>
			</dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.6.602.171</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>64</integer>
</dict>
</plist>

As of 5-11-2013, /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist on 10.7.5 and 10.8.3 looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_45-b06-451</string>
	<key>LastModification</key>
	<string>Fri, 10 May 2013 19:07:37 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.apple.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>14.7.0</string>
				<key>PlugInUpdateAvailable</key>
				<true/>
			</dict>
			<key>com.apple.java.JavaPlugin2_NPAPI</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>14.7.0</string>
				<key>PlugInUpdateAvailable</key>
				<true/>
			</dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.6.602.171</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.21.12</string>
				<key>PlugInUpdateAvailable</key>
				<true/>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>2038</integer>
</dict>
</plist>

To help manage the new settings, I’ve updated my xprotect_re-enable_java_6_and_7.sh script:

	#!/bin/sh

	# This script will check the current Java 6 and Java 7 browser plug-in
	# versions and compare them against the minimum version allowed by
	# Apple's XProtect malware protection. If the minimum Java version
	# allowed by XProtect does not allow the current version of the Java
	# browser plug-in on the Mac, the script will alter the Mac's
	# /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	# file to set the minimum version allowed to match the current version
	# of the Mac's Java browser plug-in. This allows the Mac's current Java
	# browser plug-in to run in Safari without being blocked.


	osvers=$(sw_vers -productVersion \| awk -F. '{print $2}')

	javaVendor=`/usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" CFBundleIdentifier`

	CURRENT_JAVA_6_BUILD=`/usr/libexec/PlistBuddy -c "print :JavaVM:JVMVersion" "/Library/Java/Home/bundle/Info.plist"`
	XPROTECT_JAVA_6_BUILD=`/usr/libexec/PlistBuddy -c "print :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist`

	CURRENT_JAVA_6_JavaAppletPlugin=`/usr/libexec/PlistBuddy -c "print :CFBundleVersion" "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist"`
	XPROTECT_JAVA_6_JavaAppletPlugin=`/usr/libexec/PlistBuddy -c "print :PlugInBlacklist:10:com.apple.java.JavaAppletPlugin:MinimumPlugInBundleVersion" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist`

	CURRENT_JAVA_6_JavaPlugin2_NPAPI=`/usr/libexec/PlistBuddy -c "print :CFBundleVersion" "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist"`
	XPROTECT_JAVA_6_JavaPlugin2_NPAPI=`/usr/libexec/PlistBuddy -c "print :PlugInBlacklist:10:com.apple.java.JavaPlugin2_NPAPI:MinimumPlugInBundleVersion" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist`

	CURRENT_JAVA_7_BUILD=`/usr/libexec/PlistBuddy -c "print :CFBundleVersion" "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist"`
	XPROTECT_JAVA_7_BUILD=`/usr/libexec/PlistBuddy -c "print :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist`



	#
	# Check to see if Xprotect is blocking Apple's Java 6 browser plug-in and re-enable the plug-in if needed.
	# Some changes in this section are from Pepijn Bruienne's re-enable_java_6 script: https://github.com/bruienne
	#

	if [[ -e /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist ]]; then

	if [[ ${CURRENT_JAVA_6_BUILD} != ${XPROTECT_JAVA_6_BUILD} ]]; then

	/usr/bin/logger "Current Java 6 build (${CURRENT_JAVA_6_BUILD}) does not match the minimum build required by Xprotect (${XPROTECT_JAVA_6_BUILD}). Setting current version as the minimum build."
	/usr/bin/defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta JavaWebComponentVersionMinimum -string "$CURRENT_JAVA_6_BUILD"
	/usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	/bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	else
	/usr/bin/logger "Current Java 6 version is ${CURRENT_JAVA_6_BUILD} and Xprotect minimum build is ${XPROTECT_JAVA_6_BUILD}, nothing to do here."
	fi

	# If the Java vendor is reported as "com.apple.java.JavaAppletPlugin",
	# the Apple Java browser plug-in is running on Mac OS X 10.6.x or was
	# installed on 10.7.x or later by Java for OS X 2012-005 or earlier.
	# Installing Java for OS X 2012-006 and later automatically removes
	# the Apple Java browser plug-in.


	if [[ "$javaVendor" = "com.apple.java.JavaAppletPlugin" ]]; then
	if [[ ${CURRENT_JAVA_6_JavaAppletPlugin} != ${XPROTECT_JAVA_6_JavaAppletPlugin} ]]; then

	/usr/bin/logger "Current Java 6 browser plug-in (${CURRENT_JAVA_6_JavaAppletPlugin}) does not match the minimum build required by Xprotect (${XPROTECT_JAVA_6_JavaAppletPlugin}). Setting current version as the minimum build."
	/usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.apple.java.JavaAppletPlugin:MinimumPlugInBundleVersion $CURRENT_JAVA_6_JavaAppletPlugin" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	/usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	/bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	else
	/usr/bin/logger "Current Apple Java browser plug-in version is ${CURRENT_JAVA_6_JavaAppletPlugin} and Xprotect minimum version is ${XPROTECT_JAVA_6_JavaAppletPlugin}, nothing to do here."
	fi

	fi

	# If the Java vendor is reported as "com.apple.java.JavaPlugin2_NPAPI",
	# the Apple Java plug-in was re-enabled using the procedure in the
	# following Apple KBase article: http://support.apple.com/kb/HT5559

	if [[ "$javaVendor" = "com.apple.java.JavaPlugin2_NPAPI" ]]; then
	if [[ ${CURRENT_JAVA_6_JavaPlugin2_NPAPI} != ${XPROTECT_JAVA_6_JavaPlugin2_NPAPI} ]]; then

	/usr/bin/logger "Current Java 6 browser plug-in (${CURRENT_JAVA_6_JavaPlugin2_NPAPI}) does not match the minimum build required by Xprotect (${XPROTECT_JAVA_6_JavaPlugin2_NPAPI}). Setting current version as the minimum build."
	/usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.apple.java.JavaPlugin2_NPAPI:MinimumPlugInBundleVersion $CURRENT_JAVA_6_JavaPlugin2_NPAPI" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	/usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	/bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	else
	/usr/bin/logger "Current Apple Java browser plug-in version is ${CURRENT_JAVA_6_JavaPlugin2_NPAPI} and Xprotect minimum version is ${XPROTECT_JAVA_6_JavaPlugin2_NPAPI}, nothing to do here."
	fi

	fi


	#
	# Script checks to see if the Mac is running Mac OS X 10.7.x or higher. If it is, the
	# script checks to see if the Oracle Java browser plug-in is installed. If the Oracle
	# Java browser plug-in is installed and Xprotect is blocking the currently installed
	# version of Oracle's Java 7 browser plug-in, the script will re-enable the Java 7
	# browser plug-in.
	#

	if [[ ${osvers} -ge 7 ]]; then
	if [[ "$javaVendor" = "com.oracle.java.JavaAppletPlugin" ]]; then
	if [[ ${CURRENT_JAVA_7_BUILD} != ${XPROTECT_JAVA_7_BUILD} ]]; then

	/usr/bin/logger "Current Java 7 build (${CURRENT_JAVA_7_BUILD}) does not match the minimum build required by Xprotect (${XPROTECT_JAVA_7_BUILD}). Setting current version as the minimum build."
	/usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion $CURRENT_JAVA_7_BUILD" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	/usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	/bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	else
	/usr/bin/logger "Current Oracle Java version is ${CURRENT_JAVA_7_BUILD} and Xprotect minimum version is ${XPROTECT_JAVA_7_BUILD}, nothing to do here."
	fi
	fi
	fi
	fi
	exit 0

view raw XProtect re-enable Java 6 and 7 hosted with ❤ by GitHub

The script has been tested on 10.6.8, 10.7.5 and 10.8.3, so it should cover all current OSs that use Apple’s XProtect malware protection.

The script and launchdaemon are available here on my GitHub repo: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/xprotect_re-enable_java_6_and_7

Categories: Java, Mac administration, Mac OS X, Scripting, XProtect

Comments (3) Leave a comment

Jayson

May 13, 2013 at 2:47 pm

Reply

For those of us who currently use the old version of the script and apply the updates regularly as provided by Apple and Oracle, what potential impact may we see with this change to XProtect?
- rtrouton
  
  May 13, 2013 at 3:25 pm
  
  Reply
  
  The main issue will be for Apple’s Java 6 browser plug-in. Using the old version of the script, you may have the “JavaWebComponentVersionMinimum” setting managed, but the new “com.apple.java.JavaAppletPlugin” and “com.apple.java.JavaPlugin2_NPAPI” settings would not be.
  
  As long as your version of Java is up to date, this doesn’t matter. It only matters when you haven’t updated to a new version and XProtect starts blocking versions that are older than that. In that case, not managing the new “com.apple.java.JavaAppletPlugin” and “com.apple.java.JavaPlugin2_NPAPI” settings may result in the Java browser plug-in being blocked.
ramuntcho

December 4, 2014 at 10:51 am

Reply

Is it still useful with Yosemite and Java 8 ?

No trackbacks yet.

M	T	W	T	F	S	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

	Annika on Disabling the Xerox ColorQube…
	Thomas B. on 20 years of Der Flounder
	peter on 20 years of Der Flounder
	Scott Beach on 20 years of Der Flounder
	Mr Bombadil on Using Script2Pkg to create pay…

Der Flounder

Changes to XProtect’s Java browser plug-in version management

Leave a Reply Cancel reply

Recent Comments

Categories

Archives

Blog Stats

Der Flounder

Changes to XProtect’s Java browser plug-in version management

Share this:

Like this:

Related

Leave a Reply Cancel reply

Recent Comments

Categories

Archives

Blog Stats