It appears Apple has blocked Safari on 10.7 and 10.8 Macs from running Oracle’s Java 7 in the wake of a zero-day exploit for Java:
New Year Java Zero-Day Attacks Under Way
Update – January 13, 2013: Oracle has released Java 7 Update 11 to address the vulnerabilities in Java 7 Update 10. Once Java 7 Update 11 has been installed, Safari will no longer block the Java plug-in.
You can download the latest Java installer for OS X from here: http://www.java.com/en/download/mac_download.jsp?locale=en
To verify this on your own machine:
1. Open Safari on a 10.7.x or 10.8.x Mac
2. Go to http://www.java.com/en/download/testjava.jsp to test your Java browser plug-in.
Instead of a report that Java is working, you’ll receive a Blocked Plug-In message.
I’ve verified that 10.5.x and 10.6.x Macs do not appear to be affected by this, as they are not running Java 7.
Oracle has not yet released an updated Java 7 installer, so there’s nothing currently available to fix this issue. The latest Java installer for OS X was released in November 2012 and contains the vulnerability.
The best workaround at this time is to use Firefox. I tested with Firefox 18 and Firefox is not blocking the Java plug-in at this time.
Update – January 12, 2013: Mozilla has announced that they are also now blocking the Java plug-in unless the user specifically authorizes it to run by clicking on the warning message for the plug-in.
Chrome will not work as an alternate browser, as Oracle’s Java 7 browser plug-in only works with 64-bit applications. Firefox and Safari are both 64-bit, but Google Chrome is a 32-bit application.
If the Java application you need to run does not require Java 7, you can also re-enable the Apple Java 6 browser plug-in. You can do this using the procedure in this post.
Update: The blocking was done by Apple’s built-in malware protection. For those interested, the list of acceptable browser plug-in versions is stored at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
As of 12:26 PM on Friday, January 11th, XProtect.meta.plist on my 10.7.5 workstation had the following contents
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>LastModification</key> <string>Thu, 10 Jan 2013 22:48:02 GMT</string> <key>PlugInBlacklist</key> <dict> <key>10</key> <dict> <key>com.macromedia.Flash Player.plugin</key> <dict> <key>MinimumPlugInBundleVersion</key> <string>11.3.300.271</string> </dict> <key>com.oracle.java.JavaAppletPlugin</key> <dict> <key>MinimumPlugInBundleVersion</key> <string>1.7.10.19</string> </dict> </dict> </dict> <key>Version</key> <integer>1037</integer> </dict> </plist>
The plugin version installed by the current Oracle Java 7 Update 10 installer is 1.7.10.18. The plug-in blacklist is specifying that 1.7.10.19 or higher is required, so 1.7.10.18 is being blocked automatically.
