It looks like Apple has again blocked Oracle’s Java 7 browser plug-in.
Earlier in the month, Apple had taken the exceptional step of using its anti-malware tools in OS X to disable existing installations of the Java 7 browser plug-in after a serious security vulnerability was discovered.
Things were back to normal after Orcale released Java 7 Update 11 to address the vulnerability on January 14th. But security experts reported that Update 11 still had security flaws and they wouldn’t advise users its safe to enable Java again. As pointed out by MacRumors, here’s the note by U.S. Homeland Security requesting users to keep the Java browser plug-in enabled only if is absolutely necessary:
Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to “High” so that users will be prompted before running unsigned or self-signed Java applets.
Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
Like last time, Apple has disabled the Java plugin by updating the blacklist information to require machines to be running an as-yet unreleased 1.7.0_11-b22 version of Java 7. Since the publicly available version of Java 7 is 1.7.0_11-b21 currently, all systems running Java 7 will fail the check, thus disabling the plug-in.
We’ll let you know if there are any further updates.