Mozilla Adds Old Java Versions To Global Blocklist

Running old plugins in your web browser is bad, as it opens the door to all sorts of mayhem. This includes exploits that target known vulnerabilities in those versions, as well as stability and compatibility issues that you may experience as a result. While users are to blame for that, it is also something that browser vendors have not really taken care of. There have been some attempts, like Google's inclusion of Adobe Flash in the browser core to update it automatically, or Mozilla's Plug-In Checker, but they are not enough to keep all users secure.
In particular, the fact that all browsers enable by default any plugin they detect on the system has been criticized in the past. While that may be the convenient thing to do compatibility-wise, it is foolish when it comes to security.
Mozilla yesterday announced that the company has added older versions of the Java plugin to the global blocklist. The blocklist lists plugins and extensions that are either harmful in nature, a stability disaster, or a security liability. In the case of Java, it is the latter.
The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer.
This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist.
Firefox users are asked to update Java on their system to resolve the issue. Chances are the majority won't even notice that Java has been disabled in the browser. Interestingly enough, affected Java versions for OS X have not been added to the blocklist, as Apple has failed to produce an updated secure version yet.
What does it mean for you?
You can open about:addons and check the plugins listing there to see if a Java plugin is enabled in your web browser. If it is, head over to the Java verification page on the official site to check whether it is the latest version available.
If you do not have the latest version installed, update immediately to protect your computer from exploits and other consequences. If you are not sure if you need Java, update anyway. You may afterwards disable the plugin in the manager to see if it is really needed, or not.
If you are using a different browser, you can still use the verification page and the download page to update Java for that browser as well. Keep in mind that Java gets installed globally on the system, so that you only need to do this once on every system Java is installed on. (via FFextensions Guru)
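If you look after more than one machine, the blocked ranges quoted above can be checked against an inventory of version strings. The following is an added example, not code from the article or from Mozilla; the two input formats (runtime strings such as 1.6.0_30 and plugin display names such as "Java(TM) Platform SE 6 U30"), the host names and the sample data are assumptions made for illustration.

```python
import re

# Blocked ranges from the Mozilla statement quoted in the article:
# Java 6 Update 30 and below, Java 7 Update 2 and below (Windows plugin).
BLOCKED_MAX_UPDATE = {6: 30, 7: 2}

# Assumed input formats: legacy runtime strings ("1.6.0_30") and
# plugin display names ("Java(TM) Platform SE 6 U30").
PATTERNS = [
    re.compile(r"\b1\.(\d+)\.0(?:_(\d+))?"),
    re.compile(r"\bSE (\d+)(?: U(\d+))?"),
]

def parse_java_version(text):
    """Return (major, update) or None if no known format matches."""
    for pattern in PATTERNS:
        m = pattern.search(text)
        if m:
            return int(m.group(1)), int(m.group(2) or 0)
    return None

def is_blocklisted(text):
    """True/False for a parsed version, None when it cannot be parsed."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None  # unknown: flag for manual review, never assume safe
    major, update = parsed
    limit = BLOCKED_MAX_UPDATE.get(major)
    # Majors the statement does not name are reported as not listed.
    return limit is not None and update <= limit

def audit(inventory):
    """Map each host to 'blocked', 'not-listed' or 'unknown'."""
    labels = {True: "blocked", False: "not-listed", None: "unknown"}
    return {host: labels[is_blocklisted(v)] for host, v in inventory.items()}

# Constructed sample inventory (hypothetical hosts and strings).
SAMPLE = {
    "pc-01": 'java version "1.6.0_30"',
    "pc-02": 'java version "1.7.0_03"',
    "pc-03": "Java(TM) Platform SE 7 U2",
    "pc-04": "Java(TM) Platform SE 6 U31",
    "pc-05": "plugin not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```

A "not-listed" result only means the version falls outside the ranges named in the statement, so the verification page is still the place to confirm that a machine has the latest release.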
Is there an override?
I am really upset that Firefox is just disabling the add-on. I had to log in quickly to a site that requires Java and I couldn’t.. updating would have been too slow and anyways there is only 1 page that I use Java for.
If there is no way to enable the plugin again then I have to move to Internet Explorer. Such a bunch of idiots at Mozilla!!!!
If you can update, I’d suggest you do so, as it is just too risky with exploits floating around.
Martin, love the letter, great insights. updates on java…hmmm i tend to hang back a bit. i use several sites, brokerages with streaming quotes and the like that tend to be behind the cutting edge of java. and before i do an update i do a macrium image. then if any problems i can go back to good in a few minutes. i am sure you will agree that some updates do cause problems and if they do the commenters will be out in droves with their pitchforks and brimstone letting everyone know.
This is bad news for me. I have some older networking equipment that requires a specific legacy version of the Java Runtime to display the configuration interface properly. Now I can’t use Firefox when I need to make changes.
Went to the Java Verification page and it said:
Congratulations! You have the latest recommended version of Java! (1.7.0_03).
Not you, but “I” have the latest recommended version!
Not sure if you have it, but if you don’t…you should update! :)
The latest Java is 6.31. Version 7 is beta.
Well I do not have Java installed anymore, as I recently switched feed readers ;)
Another tool I find necessary with JAVA is JAVA RA. This tool will check for java updates, but more importantly it removes older versions of java. I don’t understand why this is not incorporated with a java update, but for some reason it isn’t. I have seen computers with 4 or 5 old versions of java on it. Not only does this leave your computer vulnerable but it also wastes disk space. Here is a link to java ra. It is certainly worth looking at. I’ve been using it for years.
http://singularlabs.com/software/javara/
You don’t need javara anymore as the new java install deletes old java versions.
I agree, it is a great tool.
I know that outdated versions of flash or java and programs in general leave my computer vulnerable to any number of blue meanies! I added Secunia PSI some time ago and find it doing a great job of keeping my ‘puter up to date. I have enabled “Auto Update”, but there are some programs that still require manual updates/solution installs, such as Chrome. This program reminds me of these problems too. Regardless, it is a great tool to keep my computer up to date. I have also installed it on my sister’s computer. She is one of those users that never updates ANYTHING. Secunia PSI has saved me many, many trips to her house to fix her computer! Check it out:
https://secunia.com/vulnerability_scanning/personal/
It is worth a look!!!
Bill
I use Secunia on a regular basis and it’s extremely useful!
Have to keep everything up to date! :)