Java Issues for OS X 10.6+ affecting BCeSIS [UPDATED]

Yesterday Apple released a malware definition that set a specific version of java to be allowed to run on OS X 10.6+. Unfortunately this definition precludes us from using BCeSIS as it requires an older version of Java on OS X. This update happens in the background with no user intervention. It is not part of the Software Updates. The reason for this is that the older versions of Java have security vulnerabilities that are often exploited by malicious websites or websites that have been compromised. A good way to avoid those websites is not to use the web… or more realistically don’t go to sketchy websites, follow unknown links etc.

We can’t update the version of Java as BCeSIS sadly requires an older version on OS X to run.

Our initial solution to remove this definition that is blocking our version of Java is as follows:

  • If you aren’t confident in doing the below steps or have difficulty, please call the helpdesk (250-263-6442) and we can do it remotely if your computer is on and Remote Desktop Management is turned on
  • Quit Browsers (ie Quit and restart, don’t just close windows!)
  • Open the Terminal application / Search for Terminal and run the application
  • copy and paste all the bold text below in terminal at the prompt
    sudo defaults delete /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta JavaWebComponentVersionMinimum

    EDIT – I had missed a slash above but it is now correct.

  • Press Enter/Return on your keyboard
  • Enter your password for your computer
  • Assuming you’ve entered the command correctly and no errors come up, quit Terminal
  • Restart any Browsers
  • Test and see if you are able to get to the BCeSIS login screen or other Java related programs/services

A significant question with this fix is whether or not the definition will return on the next malware update or not. We are monitoring this and will adapt the fix if needed.

Feb 1 Edit – An Apple Engineer has said that the definition will likely return on the next update so to avoid doing this again you will need to turn off the automatic definitions update. This may leave your computer vulnerable in the future. This takes a few steps which I’ve listed below:

  1. Click on Apple > System Preferences
  2. Click on Security (or Security & Privacy) in the top row
  3. Unlock to make changes (bottom left) using your laptop password – you need to be an admin of the laptop which most staff are. Use your laptop password
  4. Click on Advanced button (bottom right)
  5. Uncheck “Automatically update safe downloads list”

If there were a large scale sweeping OS X attack of some kind reminiscent of the Blaster worm we will suggest that you turn the Automatic update back on even though that will likely mean we will have java problems in the future. Keeping the older version of Java active on the macs will also mean that your computer is vulnerable especially if you are going to websites that are unknown or following unknown links.

We are looking at some options for a separate browser application to run Java for BCeSIS and disable Java in other browsers. 

If these instructions does not work for you, try a restart on your computer and don’t hesitate to call the helpdesk at 250-263-6442.

Further to this there was another issue last year with Java that had the following solution – http://www.prn.bc.ca/ts/?p=1696

Thanks to the many technical staff from our and other SDs who worked to come up with this solution.