Java 6 WebStart and Applet problem on Mac OS X

DISCLAIMER: This page is currently in DRAFT and does not describe an actual current recommendation from the HSC.

A security problem was found in Java, which has led Apple to block Java WebStart and the Java browser plug-in (for Java applets) for the affected Java versions on Mac OS X. HIPE 10 runs on Java 6, and if you're using a version of Java 6 for which WebStart was blocked, then you will not be able to start the HSA User Interface, or any other WebStart application, from HIPE.

What's the security problem?

Java WebStart applications and applets run inside a sandbox, which is a security feature. It means that these applications cannot access your local filesystem and they cannot access servers other than the one from which they were downloaded, unless the user allows this explicitly. The problem that has been found in certain versions of Java is essentially a hole in this sandbox, so that these applications can potentially access the filesystem and send data anywhere on the internet. This bug is being exploited already. Apple has blocked the affected software on OS X 10.6 ("Snow Leopard") and later, so the security threat has been remedied on those systems. If you're using OS X 10.5, you are running a risk due to this issue.

Do I need to do anything?

This depends on the version of Mac OS X that you're running. The table below explains the situation, for all versions of OS X that are supported for HIPE 10, as well as 10.8 ("Mountain Lion"), which is not formally supported for HIPE 10.

| OS X Version | Latest Java 6 update | Latest Java 7 update | How you're affected |
|---|---|---|---|
| 10.5 ("Leopard") | Update 37 (affected) | Not supported | The blocking mechanism was introduced in OS X 10.6, so the software is not blocked on this platform and you will not encounter problems working with HIPE or the HSA User Interface. But you are exposed to a serious security problem, and we recommend that you upgrade the OS. |
| 10.6 ("Snow Leopard") | Update 39 (problem fixed) | Not supported | The user will have to make sure to update to the latest version of Java 6 using the App Store to solve the problem (access it via the Apple icon in the menu bar and choosing "Software Update"). |
| 10.7 ("Lion") and 10.8 ("Mountain Lion") | Update 37 (affected, WebStart and applets blocked) | Update 13 (problem fixed) | The user will have to make sure to update to the latest version of Java 7 by visiting Installing or updating Java 7 will not affect HIPE, which runs on Java 6. WebStart applications can be started from the browser using Java 7. For WebStart applications to start from HIPE correctly, the user has to remove the block manually (explanation below). |

Manually removing the block applied by Apple

This step is only required in some cases, for some versions of OS X. See the table above.

Apple blocked WebStart and Java applets in certain versions of Java. It is possible to remove this block, but it is very important to realize the security threat that removing the block poses. If you use Java 6 in your browser, you will be open to the security problem explained above, and we advise strongly against removing the block in this case. Therefore our recommendation is to start by installing Java 7 for use in the browser.

Install Java 7 in the browser: Go to and click the button "Free Java Download". You can check the Java version that your browser uses by visiting "Java 7 update 13" is reported as "1.7_13".

After this step, Java 6 should only be used to run HIPE and to start WebStart applications from HIPE. Because we trust that the applications started by HIPE do not contain malware, we can then remove the block on Java WebStart and the Java browser plug-in for this version. We will not use the Java browser plug-in, but both are covered by the name "Java plug-in", so we can only enable or disable both together.

Remove the block on Java 1.6 update 37:

sudo /usr/libexec/PlistBuddy -c "Set :JavaWebComponentVersionMinimum 1.6.0_37-b06-434" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

Unfortunately, just as Apple has initially silently applied this block, they can come back and re-apply it, even though it's been manually removed. This has been reported to happen after reboots. If it happens, one can simply execute the above command again. You can also execute the command below, which updates the "last modified" date in the relevant file, which has been said to stop Apple from updating the file on your behalf:

sudo /usr/libexec/PlistBuddy -c "Set :LastModification Fri,\ 08\ Feb\ 2014\ 00:54:09\ GMT" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
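
For administrators who need to know on which machines the block has been lifted or pinned with the two commands above, the check below reads the same two keys from a copy of XProtect.meta.plist. It is an added example, not part of the original page or of any HSC or Apple tooling; the sample plist contents, the "435" threshold, the finding names and the field-by-field version ordering are assumptions made for illustration.

```python
import plistlib
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Build string taken from the command on this page (Java 6 update 37, affected).
AFFECTED_BUILD = "1.6.0_37-b06-434"

def make_meta(minimum, last_modification):
    """Build a constructed stand-in for XProtect.meta.plist (two keys only)."""
    return plistlib.dumps({
        "JavaWebComponentVersionMinimum": minimum,
        "LastModification": last_modification,
    })

def version_key(version):
    """'1.6.0_37-b06-434' -> (1, 6, 0, 37, 6, 434), compared field by field.
    Assumption: numeric ordering of the fields matches how the threshold is applied."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def audit(meta_bytes, now):
    """Return findings for a plist in which the block was lifted or pinned."""
    meta = plistlib.loads(meta_bytes)  # accepts XML and binary plists
    findings = []
    minimum = meta.get("JavaWebComponentVersionMinimum")
    if minimum is None:
        findings.append("no-minimum")
    elif version_key(AFFECTED_BUILD) >= version_key(minimum):
        # The affected build meets the threshold, so it is no longer blocked.
        findings.append("affected-build-allowed")
    try:
        # A timestamp ahead of the clock matches the pinning step described above.
        if parsedate_to_datetime(meta.get("LastModification", "")) > now:
            findings.append("future-last-modification")
    except (TypeError, ValueError):
        findings.append("unparseable-last-modification")
    return findings

if __name__ == "__main__":
    now = datetime(2013, 2, 12, tzinfo=timezone.utc)  # constructed "current" time
    samples = {  # constructed sample contents, not captured from a real system
        "block lifted and pinned": make_meta(AFFECTED_BUILD, "Fri, 08 Feb 2014 00:54:09 GMT"),
        "block in place": make_meta("1.6.0_37-b06-435", "Thu, 31 Jan 2013 00:00:00 GMT"),
    }
    for name, data in samples.items():
        print(name, "->", audit(data, now) or "no findings")
```

On a real system, pass the bytes of the plist file and `datetime.now(timezone.utc)` to `audit`.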

-- PaulBalm - 11 Feb 2013

Topic revision: r3 - 2013-02-12 - PaulBalm