XProtect updated – now blocking Java browser plug-in versions prior to June 2013 Java updates
Apple put out two advisories on August 29th about Java:
Java updates available for OS X on August 28, 2013
OS X: Java Web plug-in blocked 28 August 2013
The latter advisory is especially noteworthy to Mac admins, as that means that Apple’s XProtect was updated to block older versions of Java. That said, XProtect was not updated after the latest round of updates in June 2013, so those versions were not previously set in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist as the minimum allowed versions. See below the jump for more details.
With the August 29th update, the following versions of the Java browser plug-in are now set as the minimum allowed versions:
For 10.6.x:
com.apple.java.JavaAppletPlugin – 13.9.7
com.apple.java.JavaPlugin2_NPAPI – 13.9.7
Click on the image below for comparisons of /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist from before and after the August 29 XProtect update.
For 10.7.x – 10.8.x
com.apple.java.JavaAppletPlugin – 14.8.0
com.apple.java.JavaPlugin2_NPAPI – 14.8.0
com.oracle.java.JavaAppletPlugin – 1.7.25.15
Click on the image below for comparisons of /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist from before and after the August 29 XProtect update.
These version numbers correspond to the following Java updates:
Java For Mac OSX 10.6 Update 16 – 13.9.7
Java for OS X 2013-004 – 14.8.0
Java 7 Update 25 – 1.7.25.15
If you’ve installed the Java updates above, you should be good. If you haven’t, install the latest Java updates and your Java browser plug-in should no longer be blocked by XProtect.
Leave a Reply
Recent Comments
 | Lenny on Providing OS X Upgrades via Ca… |
 | James Hastings-Trew on macOS Sierra’s /Volumes… |
 | Arjun Kalidas on Microsoft Lync keychain passwo… |
 | dpodgors@amfam.com on iCloud Desktop and Documents i… |
 | German on Microsoft Lync keychain passwo… |
Hello,
It’s strange because in our macs in classrooms in 10.8, using your xprotect_re-enable_java_6_and_7.sh, we have java blocked (we use update 21). When we examine the XProtect.meta.plist, it’s version 2039 but in the field for MinimumPlugInBundeVersion, there is 1.7.21 and not 1.7.25. Or java 7 update 21 is installed, so i don’t understand why it’s blocked. An idea ?
And second question, does your script will function now, after the upgrade to 25, or no more ?
Thanks in advance
It sounds like the script is working fine, as it’s updated XProtect to set Update 21 as the minimum allowed version. Safari 5.x and 6.x have their own Java blocking mechanisms built in, so you may need to add some additional scripts for Safari. I have some posts on those as well:
https://derflounder.wordpress.com/2013/03/16/automatically-enable-the-java-web-plug-ins-setting-in-safari-6-0-3-and-later/
https://derflounder.wordpress.com/2013/04/19/managing-safaris-java-whitelist/
Hello,
Thanks for the answer and sorry for the delay. We used also in our macs your additional scripts for Safari. But i think that the problem is different, because the java applets are blocked also in Firefox, not only in Safari. And in the XProtect.meta.plist, it’s version 2039 but in the field for MinimumPlugInBundeVersion, there is 1.7.21. So everything should be fine, your script seems to work, because we have Java 7 update 21 installed. But java applets are blocked.
:-(( Christian
Christian,
Not sure what to tell you then. One thing that’s important to know is that Firefox doesn’t refer to XProtect for browser plug-in information. Instead, Mozilla has built a separate blocking mechanism into Firefox to govern whether plug-ins can run or not. For more information on this, please see the links below:
https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/
https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/