Changes to XProtect’s Java browser plug-in version management

In last night’s XProtect update, Apple added two new version checks. The first new check looks for Apple’s com.apple.java.JavaAppletPlugin Java browser plug-in identifier. This identifier means the Apple Java browser plug-in is running on Mac OS X 10.6.x, or was installed on 10.7.x or later by Java for OS X 2012-005 or earlier. Installing Java for OS X 2012-006 or later on 10.7.x and 10.8.x automatically removes the Apple Java browser plug-in.

The second new check looks for Apple’s com.apple.java.JavaPlugin2_NPAPI Java browser plug-in identifier. This identifier means the Apple Java plug-in was re-enabled using the procedure in the following Apple KBase article: http://support.apple.com/kb/HT5559

This update also removes the Oracle Java browser plug-in version check from 10.6.x’s XProtect. Both new Apple Java version checks and the Oracle Java browser plug-in version check are in the 10.7.x and 10.8.x XProtect. The details are below.

As of 5-11-2013, /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist on 10.6.8 looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_45-b06-451</string>
	<key>LastModification</key>
	<string>Fri, 10 May 2013 19:07:37 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.apple.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>13.9.5</string>
				<key>PlugInUpdateAvailable</key>
				<true/>
			</dict>
			<key>com.apple.java.JavaPlugin2_NPAPI</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>13.9.5</string>
				<key>PlugInUpdateAvailable</key>
				<true/>
			</dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.6.602.171</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>64</integer>
</dict>
</plist>

As of 5-11-2013, /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist on 10.7.5 and 10.8.3 looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_45-b06-451</string>
	<key>LastModification</key>
	<string>Fri, 10 May 2013 19:07:37 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.apple.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>14.7.0</string>
				<key>PlugInUpdateAvailable</key>
				<true/>
			</dict>
			<key>com.apple.java.JavaPlugin2_NPAPI</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>14.7.0</string>
				<key>PlugInUpdateAvailable</key>
				<true/>
			</dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.6.602.171</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.21.12</string>
				<key>PlugInUpdateAvailable</key>
				<true/>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>2038</integer>
</dict>
</plist>

To help manage the new settings, I’ve updated my xprotect_re-enable_java_6_and_7.sh script:

#!/bin/bash
# This script will check the current Java 6 and Java 7 browser plug-in
# versions and compare them against the minimum version allowed by
# Apple's XProtect malware protection. If the minimum Java version
# allowed by XProtect does not allow the current version of the Java
# browser plug-in on the Mac, the script will alter the Mac's
# /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
# file to set the minimum version allowed to match the current version
# of the Mac's Java browser plug-in. This allows the Mac's current Java
# browser plug-in to run in Safari without being blocked.
#
# The script uses [[ ]] tests, so it runs under bash rather than plain sh.
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
javaVendor=`/usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" CFBundleIdentifier`
CURRENT_JAVA_6_BUILD=`/usr/libexec/PlistBuddy -c "print :JavaVM:JVMVersion" "/Library/Java/Home/bundle/Info.plist"`
XPROTECT_JAVA_6_BUILD=`/usr/libexec/PlistBuddy -c "print :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist`
CURRENT_JAVA_6_JavaAppletPlugin=`/usr/libexec/PlistBuddy -c "print :CFBundleVersion" "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist"`
XPROTECT_JAVA_6_JavaAppletPlugin=`/usr/libexec/PlistBuddy -c "print :PlugInBlacklist:10:com.apple.java.JavaAppletPlugin:MinimumPlugInBundleVersion" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist`
CURRENT_JAVA_6_JavaPlugin2_NPAPI=`/usr/libexec/PlistBuddy -c "print :CFBundleVersion" "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist"`
XPROTECT_JAVA_6_JavaPlugin2_NPAPI=`/usr/libexec/PlistBuddy -c "print :PlugInBlacklist:10:com.apple.java.JavaPlugin2_NPAPI:MinimumPlugInBundleVersion" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist`
CURRENT_JAVA_7_BUILD=`/usr/libexec/PlistBuddy -c "print :CFBundleVersion" "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist"`
XPROTECT_JAVA_7_BUILD=`/usr/libexec/PlistBuddy -c "print :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist`
#
# Check to see if Xprotect is blocking Apple's Java 6 browser plug-in and re-enable the plug-in if needed.
# Some changes in this section are from Pepijn Bruienne's re-enable_java_6 script: https://github.com/bruienne
#
# Version strings are quoted in the comparisons below so that they are
# compared literally instead of being treated as patterns.
if [[ -e /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist ]]; then
    if [[ "${CURRENT_JAVA_6_BUILD}" != "${XPROTECT_JAVA_6_BUILD}" ]]; then
        /usr/bin/logger "Current Java 6 build (${CURRENT_JAVA_6_BUILD}) does not match the minimum build required by Xprotect (${XPROTECT_JAVA_6_BUILD}). Setting current version as the minimum build."
        /usr/bin/defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta JavaWebComponentVersionMinimum -string "$CURRENT_JAVA_6_BUILD"
        /usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
        /bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
    else
        /usr/bin/logger "Current Java 6 version is ${CURRENT_JAVA_6_BUILD} and Xprotect minimum build is ${XPROTECT_JAVA_6_BUILD}, nothing to do here."
    fi
    # If the Java vendor is reported as "com.apple.java.JavaAppletPlugin",
    # the Apple Java browser plug-in is running on Mac OS X 10.6.x or was
    # installed on 10.7.x or later by Java for OS X 2012-005 or earlier.
    # Installing Java for OS X 2012-006 and later automatically removes
    # the Apple Java browser plug-in.
    if [[ "$javaVendor" = "com.apple.java.JavaAppletPlugin" ]]; then
        if [[ "${CURRENT_JAVA_6_JavaAppletPlugin}" != "${XPROTECT_JAVA_6_JavaAppletPlugin}" ]]; then
            /usr/bin/logger "Current Java 6 browser plug-in (${CURRENT_JAVA_6_JavaAppletPlugin}) does not match the minimum build required by Xprotect (${XPROTECT_JAVA_6_JavaAppletPlugin}). Setting current version as the minimum build."
            /usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.apple.java.JavaAppletPlugin:MinimumPlugInBundleVersion $CURRENT_JAVA_6_JavaAppletPlugin" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
            /usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
            /bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
        else
            /usr/bin/logger "Current Apple Java browser plug-in version is ${CURRENT_JAVA_6_JavaAppletPlugin} and Xprotect minimum version is ${XPROTECT_JAVA_6_JavaAppletPlugin}, nothing to do here."
        fi
    fi
    # If the Java vendor is reported as "com.apple.java.JavaPlugin2_NPAPI",
    # the Apple Java plug-in was re-enabled using the procedure in the
    # following Apple KBase article: http://support.apple.com/kb/HT5559
    if [[ "$javaVendor" = "com.apple.java.JavaPlugin2_NPAPI" ]]; then
        if [[ "${CURRENT_JAVA_6_JavaPlugin2_NPAPI}" != "${XPROTECT_JAVA_6_JavaPlugin2_NPAPI}" ]]; then
            /usr/bin/logger "Current Java 6 browser plug-in (${CURRENT_JAVA_6_JavaPlugin2_NPAPI}) does not match the minimum build required by Xprotect (${XPROTECT_JAVA_6_JavaPlugin2_NPAPI}). Setting current version as the minimum build."
            /usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.apple.java.JavaPlugin2_NPAPI:MinimumPlugInBundleVersion $CURRENT_JAVA_6_JavaPlugin2_NPAPI" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
            /usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
            /bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
        else
            /usr/bin/logger "Current Apple Java browser plug-in version is ${CURRENT_JAVA_6_JavaPlugin2_NPAPI} and Xprotect minimum version is ${XPROTECT_JAVA_6_JavaPlugin2_NPAPI}, nothing to do here."
        fi
    fi
    #
    # Script checks to see if the Mac is running Mac OS X 10.7.x or higher. If it is, the
    # script checks to see if the Oracle Java browser plug-in is installed. If the Oracle
    # Java browser plug-in is installed and Xprotect is blocking the currently installed
    # version of Oracle's Java 7 browser plug-in, the script will re-enable the Java 7
    # browser plug-in.
    #
    if [[ ${osvers} -ge 7 ]]; then
        if [[ "$javaVendor" = "com.oracle.java.JavaAppletPlugin" ]]; then
            if [[ "${CURRENT_JAVA_7_BUILD}" != "${XPROTECT_JAVA_7_BUILD}" ]]; then
                /usr/bin/logger "Current Java 7 build (${CURRENT_JAVA_7_BUILD}) does not match the minimum build required by Xprotect (${XPROTECT_JAVA_7_BUILD}). Setting current version as the minimum build."
                /usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion $CURRENT_JAVA_7_BUILD" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
                /usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
                /bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
            else
                /usr/bin/logger "Current Oracle Java version is ${CURRENT_JAVA_7_BUILD} and Xprotect minimum version is ${XPROTECT_JAVA_7_BUILD}, nothing to do here."
            fi
        fi
    fi
fi
exit 0

The script has been tested on 10.6.8, 10.7.5 and 10.8.3, so it should cover all current OSs that use Apple’s XProtect malware protection.

The script and launchdaemon are available here on my GitHub repo: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/xprotect_re-enable_java_6_and_7
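
Because the script rewrites the minimums in XProtect.meta.plist, it helps to be able to audit which PlugInBlacklist entries on a Mac are lower than the values Apple shipped. The following is an added example, not part of the original script or repo: it assumes the 10.7.5/10.8.3 values listed above as the baseline, compares versions numerically, and runs against constructed sample data (the function names and the version 1.7.15.0 are made up for illustration). It does not cover JavaWebComponentVersionMinimum, which is not a plain dotted version.

```python
import plistlib

# Apple-shipped minimums for 10.7.5 / 10.8.3, copied from the listing on this page.
BASELINE = {
    "com.apple.java.JavaAppletPlugin": "14.7.0",
    "com.apple.java.JavaPlugin2_NPAPI": "14.7.0",
    "com.macromedia.Flash Player.plugin": "11.6.602.171",
    "com.oracle.java.JavaAppletPlugin": "1.7.21.12",
}

def vtuple(version):
    """'1.7.21.12' -> (1, 7, 21, 12), so 1.7.9 sorts below 1.7.21."""
    return tuple(int(part) for part in version.split("."))

def load_minimums(plist_bytes):
    """Return {bundle id: MinimumPlugInBundleVersion} from XProtect.meta.plist data."""
    blacklist = plistlib.loads(plist_bytes)["PlugInBlacklist"]["10"]
    return {bid: entry["MinimumPlugInBundleVersion"] for bid, entry in blacklist.items()}

def lowered_minimums(plist_bytes, baseline=BASELINE):
    """List (bundle id, on-disk minimum, shipped minimum) for weakened or missing checks."""
    on_disk = load_minimums(plist_bytes)
    findings = []
    for bid, shipped in sorted(baseline.items()):
        current = on_disk.get(bid)
        if current is None or vtuple(current) < vtuple(shipped):
            findings.append((bid, current, shipped))
    return findings

def is_blocked(installed, minimum):
    """True when the installed bundle version is below the XProtect minimum."""
    return vtuple(installed) < vtuple(minimum)

def sample_plist(oracle_minimum):
    """Constructed test data: the page's values with the Oracle minimum replaced."""
    entries = {bid: {"MinimumPlugInBundleVersion": v} for bid, v in BASELINE.items()}
    entries["com.oracle.java.JavaAppletPlugin"]["MinimumPlugInBundleVersion"] = oracle_minimum
    return plistlib.dumps({"PlugInBlacklist": {"10": entries}, "Version": 2038})

if __name__ == "__main__":
    # "1.7.15.0" is a made-up older version, as if the minimum had been rewritten.
    for bid, current, shipped in lowered_minimums(sample_plist("1.7.15.0")):
        print(f"{bid}: minimum is {current}, Apple shipped {shipped}")
```

On a real Mac, pass the bytes of /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist to lowered_minimums() and update BASELINE whenever Apple ships a new XProtect version.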

  1. Jayson
    May 13, 2013 at 2:47 pm

    For those of us who currently use the old version of the script and apply the updates regularly as provided by Apple and Oracle, what potential impact may we see with this change to XProtect?

    • May 13, 2013 at 3:25 pm

      The main issue will be for Apple’s Java 6 browser plug-in. Using the old version of the script, you may have the “JavaWebComponentVersionMinimum” setting managed, but the new “com.apple.java.JavaAppletPlugin” and “com.apple.java.JavaPlugin2_NPAPI” settings would not be.

      As long as your version of Java is up to date, this doesn’t matter. It only matters when you haven’t updated to a new version and XProtect starts blocking versions that are older than that. In that case, not managing the new “com.apple.java.JavaAppletPlugin” and “com.apple.java.JavaPlugin2_NPAPI” settings may result in the Java browser plug-in being blocked.

  2. ramuntcho
    December 4, 2014 at 10:51 am

    Is it still useful with Yosemite and Java 8?
