In response to a number of recent Java exploits, both Apple and Mozilla have begun blocking vulnerable versions of Java from running in their respective browsers via their malware protection mechanisms. While this is the right move from a security perspective, it can leave enterprises without the ability to access mission-critical systems that use Java applets running in a browser.
The fix should be to update those affected machines with the latest version of Java. However, this assumes that a) the latest available version of Java is not itself blocked and b) the mission-critical system is able to use the latest version of Java.
From my own perspective, what Apple is doing from a malware protection standpoint is the right thing. I just don’t want my users to lose the ability to access our systems that use a Java applet, especially when the latest available version of Java is blocked and I don’t have a way to otherwise satisfy Apple’s XProtect malware protection without disabling XProtect.
My fix was this: manage XProtect’s ability to disable the Java browser plug-in by modifying the Java browser plug-in settings in the affected Mac’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file. See below the jump for the details.
To handle this, I’ve written a LaunchDaemon and script combination. The LaunchDaemon runs the script at startup and also watches the Mac’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file for changes. When XProtect.meta.plist is modified, the LaunchDaemon triggers the script to run again.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.company.xprotect_re-enable_java_6_and_7</string>
	<key>ProgramArguments</key>
	<array>
		<string>sh</string>
		<string>/Library/Scripts/xprotect_re-enable_java_6_and_7.sh</string>
	</array>
	<key>QueueDirectories</key>
	<array/>
	<key>RunAtLoad</key>
	<true/>
	<key>WatchPaths</key>
	<array>
		<string>/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist</string>
	</array>
</dict>
</plist>
```
The script will check the current Java 6 and Java 7 browser plug-in versions and compare them against the minimum version allowed by Apple’s XProtect malware protection. If the minimum Java version allowed by XProtect does not allow the current version of the Java browser plug-in on the Mac, the script will alter the Mac’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file to set the minimum version allowed to match the current version of the Mac’s Java browser plug-in. This change allows the Mac’s current Java browser plug-in to run in Safari without being blocked. As the Java browser plug-in is updated, XProtect.meta.plist will be updated to match the new version of the plug-in.
```sh
#!/bin/sh
#
# This script will check the current Java 6 and Java 7 browser plug-in
# versions and compare them against the minimum version allowed by
# Apple's XProtect malware protection. If the minimum Java version
# allowed by XProtect does not allow the current version of the Java
# browser plug-in on the Mac, the script will alter the Mac's
# /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
# file to set the minimum version allowed to match the current version
# of the Mac's Java browser plug-in. This allows the Mac's current Java
# browser plug-in to run in Safari without being blocked.

# Minor OS version (10.6 -> 6, 10.7 -> 7, 10.8 -> 8)
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

# Bundle identifier of whichever Java browser plug-in is installed (Apple or Oracle).
# Errors are silenced because the plug-in may not be present.
javaVendor=$(/usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" CFBundleIdentifier 2>/dev/null)

# Installed build of Apple's Java 6 and the minimum build XProtect allows for it
CURRENT_JAVA_6_BUILD=$(/usr/libexec/PlistBuddy -c "print :JavaVM:JVMVersion" "/Library/Java/Home/bundle/Info.plist" 2>/dev/null)
XPROTECT_JAVA_6_BUILD=$(/usr/libexec/PlistBuddy -c "print :JavaWebComponentVersionMinimum" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist 2>/dev/null)

# Installed build of Oracle's Java 7 plug-in and the minimum build XProtect allows for it
CURRENT_JAVA_7_BUILD=$(/usr/libexec/PlistBuddy -c "print :CFBundleVersion" "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist" 2>/dev/null)
XPROTECT_JAVA_7_BUILD=$(/usr/libexec/PlistBuddy -c "print :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist 2>/dev/null)

#
# Check to see if Xprotect is blocking Apple's Java 6 browser plug-in and re-enable the plug-in if needed.
# Changes in this section are from Cengage Learning's re-enable_java_6 script: https://github.com/cengage
#
if [ -e /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist ]; then
  # Only act when Java 6 is actually installed; an empty build string must never be written as the minimum.
  if [ -n "${CURRENT_JAVA_6_BUILD}" ] && [ "${CURRENT_JAVA_6_BUILD}" != "${XPROTECT_JAVA_6_BUILD}" ]; then
    /usr/bin/logger "Current Java 6 build (${CURRENT_JAVA_6_BUILD}) does not match the minimum build required by Xprotect (${XPROTECT_JAVA_6_BUILD}). Setting current version as the minimum build."
    /usr/bin/defaults write /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta JavaWebComponentVersionMinimum -string "$CURRENT_JAVA_6_BUILD"
    # defaults writes a binary plist; convert back to XML and restore world-readable permissions
    /usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
    /bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
  else
    /usr/bin/logger "Current JVM build is ${CURRENT_JAVA_6_BUILD} and Xprotect minimum build is ${XPROTECT_JAVA_6_BUILD}, nothing to do here."
  fi

  #
  # Script checks to see if the Mac is running Mac OS X 10.7.x or higher. If it is, the
  # script checks to see if the Oracle Java browser plug-in is installed. If the Oracle
  # Java browser plug-in is installed and Xprotect is blocking the currently installed
  # version of Oracle's Java 7 browser plug-in, the script will re-enable the Java 7
  # browser plug-in.
  #
  if [ "${osvers}" -ge 7 ]; then
    if [ "$javaVendor" = "com.oracle.java.JavaAppletPlugin" ]; then
      if [ -n "${CURRENT_JAVA_7_BUILD}" ] && [ "${CURRENT_JAVA_7_BUILD}" != "${XPROTECT_JAVA_7_BUILD}" ]; then
        /usr/bin/logger "Current Java 7 build (${CURRENT_JAVA_7_BUILD}) does not match the minimum build required by Xprotect (${XPROTECT_JAVA_7_BUILD}). Setting current version as the minimum build."
        /usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion $CURRENT_JAVA_7_BUILD" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
        /usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
        /bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
      else
        /usr/bin/logger "Current Oracle Java version is ${CURRENT_JAVA_7_BUILD} and Xprotect minimum version is ${XPROTECT_JAVA_7_BUILD}, nothing to do here."
      fi
    fi
  fi
fi

exit 0
```
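As an added check that is not part of the original post or its GitHub repo: the script above rewrites XProtect.meta.plist whenever the installed build string differs from XProtect's minimum at all, so a plug-in that is newer than the minimum also triggers a rewrite. The POSIX sh below (assuming only awk) compares the two build strings field by field and reports whether the installed plug-in is actually older than the minimum, which is the one case XProtect is blocking; the version strings are constructed samples in the same shape as the values the script reads.

```sh
#!/bin/sh
# Added example, not part of the original post: compare a Java plug-in build
# string against XProtect's minimum numerically instead of with "!=", and only
# report whether the installed plug-in is blocked. Nothing on disk is changed.
#
# Both layouts read by the post's script are handled: Apple's Java 6 JVMVersion
# ("1.6.0_37-b06-434") and Oracle's Java 7 CFBundleVersion ("1.7.11.22").
# Every run of non-digit characters is a separator, so "_" and "-b" split
# fields the same way "." does.

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, af, /[^0-9]+/); nb = split(b, bf, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? af[i] + 0 : 0   # missing trailing fields count as 0
            y = (i <= nb) ? bf[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# xprotect_status INSTALLED MINIMUM: "blocked" when the installed build is older
# than the XProtect minimum, otherwise "allowed". An installed build that is
# newer than the minimum is allowed and needs no plist change, which the post's
# "!=" comparison would still have reported as a mismatch.
xprotect_status() {
    if [ "$(vercmp "$1" "$2")" -lt 0 ]; then echo blocked; else echo allowed; fi
}

# Constructed sample values (same shape as the PlistBuddy reads in the post's script).
JAVA6_INSTALLED="1.6.0_37-b06-434"; JAVA6_MINIMUM="1.6.0_37-b06-435"
JAVA7_INSTALLED="1.7.11.22";        JAVA7_MINIMUM="1.7.10.19"

printf 'Java 6 plug-in %s vs XProtect minimum %s: %s\n' \
    "$JAVA6_INSTALLED" "$JAVA6_MINIMUM" "$(xprotect_status "$JAVA6_INSTALLED" "$JAVA6_MINIMUM")"
printf 'Java 7 plug-in %s vs XProtect minimum %s: %s\n' \
    "$JAVA7_INSTALLED" "$JAVA7_MINIMUM" "$(xprotect_status "$JAVA7_INSTALLED" "$JAVA7_MINIMUM")"
```

On a Mac, pass it the values the post's script obtains from PlistBuddy; it reports the blocked/allowed state without touching XProtect.meta.plist.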
The script has been tested on 10.6.8, 10.7.5 and 10.8.2, so it should cover all current OSs that use Apple’s XProtect malware protection.
The script and LaunchDaemon are available here on my GitHub repo: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/xprotect_re-enable_java_6_and_7