More Headaches for Oracle: Apple Pulls the Plug on Java 7

For the second time in two weeks, Apple (News - Alert) has blocked Oracle’s Java code from all Macs operating on OS X 10.6 (Snow Leopard) or higher. The computer giant blocked the code through an XProtect update.

Java was unbundled from Mac OS X updates with the release of Lion.

Mozilla (News - Alert) has also blocked automatic loading of plug-ins on Firefox.

“One of the most common exploitation vectors against users is drive by exploitation of vulnerable plugins,” explained Michael Coates, director of Security Assurance for Mozilla. “In this kind of attack, a user with outdated or vulnerable plugins installed in their browser can be infected with malware simply by browsing to any site that contains a plugin exploit kit.”

Even the U.S. Department of Homeland Security has lampooned the code, suggesting everyone is better off blocking Java despite the new security patch.

On January 13, Oracle (News - Alert) issued a new version of Java 7 that was designed to fix a zero-day vulnerability that hackers were exploiting. Oracle insists that the new Java 7 runs well on servers, on mobile devices and in desktop apps, but the firm admits problems with security in Web browsers.

Galen Gruman of InfoWorld has called for developers to “kill Java dead, dead, dead.” He argues that hackers not only use holes in Java to harm individual users but also to spy on or sabotage computers in banks, government agencies, hospitals and utilities.

Gruman also points out that Java has other problems in addition to security. Although Java lets developers skip the custom code for varying versions of Windows and OS X, apps become linked to a specific Java version.

For example, IT staff can’t upgrade their enterprises to the latest version of Internet Explorer (IE) as they are running a specialty app that only works with the Java installed in earlier IE versions.

During a recent conference call, Oracle’s head of security for Java, Milton Smith, stated, “The plan for Java security is really simple: it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely.” If Oracle doesn’t handle this security scandal well, Java may very well end up “dead, dead, dead.”