Mozilla Adds Old Java Versions To Global Blocklist - gHacks Tech News

Mozilla Adds Old Java Versions To Global Blocklist

Running old plugins in your web browser is bad, as it opens the door for all sorts of mayhem. This includes exploits that target known vulnerabilities in those versions, or stability and compatibility issues that you may experience as a result of that. While users are to blame for that, it is also something that browser vendors have not really taken care of. While there have been some attempts, like Google's inclusion of Adobe Flash in the browser core to update it automatically, or Mozilla's Plug-In Checker, it is not enough to keep all users secure.

Especially the fact that all browsers enable plugins that they detect on the system by default has been criticized in the past. While that may be the convenient thing to do compatibility-wise, it is foolish when it comes to security.

Mozilla yesterday announced that the company has added older versions of the Java plugin to the global blocklist. The blocklist lists plugins and extensions that are either harmful in nature, a stability disaster, or a security liability. In the case of Java, it is the latter.

The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer.

This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist.

Firefox users are asked to update Java on their system to resolve the issue. Chance is, the majority won't even notice that Java has been disabled in the browser. Interestingly enough, affected Java versions for OS X have not been added to the blocklist, as Apple has failed to produce an updated secure version yet.

What does it mean for you?

You can check about:addons and there plugins to see if a Java plugin is enabled in your web browser. If it is, head over to the Java verification page on the official site to check if that is the latest version available.

no java

If you do not have the latest version installed, update immediately to protect your computer from exploits and other consequences. If you are not sure if you need Java, update anyway. You may afterwards disable the plugin in the manager to see if it is really needed, or not.

If you are using a different browser, you can still use the verification page and the download page to update Java for that browser as well. Keep in mind that Java gets installed globally on the system, so that you only need to do this once on every system Java is installed on. (via FFextensions Guru)

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Bill said on April 3, 2012 at 2:49 pm
    Reply

    I know that outdated version of flash or java and programs in general leave my computer vulnerable to any number of blue meanies! I added Secunia PSI sometime ago and find it doing a great job of keeping my ‘puter up to date. I have enabled “Auto Update”, but there are some programs that still require manual updates/solution installs, such as Chrome. This program reminds me of these problems too. Regardless, it is a great tool to keep my computer up to date. I have also installed it on my sister’s computer. She is one of those users that never updates ANYTHING. Secunia PSI has saved my many, many trips to her house to fix her computer! Check it out:

    https://secunia.com/vulnerability_scanning/personal/

    It is worth a look!!!
    Bill

    1. Midnight said on April 3, 2012 at 4:49 pm
      Reply

      I use Secunia on a regular basis and it’s extremely useful!
      Have to keep everything up to date! :)

  2. Bill said on April 3, 2012 at 2:56 pm
    Reply

    Another tool I find necessary with JAVA is JAVA RA. This tool with check for java updates, but more importantly it removes older versions of java. I don’t understand why this is not incorporated with a java update, but for some reason it isn’t. I have seen computers with 4 or 5 old versions of java on it. Not only does this leave your computer vulnerable but it also waste disk space. Here is a link to java ra. It is certainly worth looking at. I’ve been using it for years.

    http://singularlabs.com/software/javara/

    1. Martin Brinkmann said on April 3, 2012 at 3:59 pm
      Reply

      I agree, it is a great tool.

    2. ilev said on April 3, 2012 at 7:47 pm
      Reply

      You don’t need javara anymore as new java install delete old java versions.

  3. Midnight said on April 3, 2012 at 4:47 pm
    Reply

    Went to the Java Verification page and it said:
    Congratulations! You have the latest recommended version of Java! (1.7.0_03).

    Not you, but “I” have the latest recommended version!
    Not sure if you have it, but if you don’t…you should update! :)

    1. Martin Brinkmann said on April 3, 2012 at 5:14 pm
      Reply

      Well I do not have Java installed anymore, as I recently switched feed readers ;)

    2. ilev said on April 3, 2012 at 7:46 pm
      Reply

      The latest Java is 6.31. Version 7 is beta.

  4. qovoyikf said on April 4, 2012 at 9:02 pm
    Reply

    This is bad news for me. I have some older networking equipment that requires a specific legacy version of the Java Runtime to display the configuration interface properly. Now I can’t use Firefox when I need to make changes.

  5. Crodol said on April 4, 2012 at 11:17 pm
    Reply

    Is there an override?
    I am really upset that Firefox is just disabling the add-on. I had to log in quickly to a site that requires Java and I couldn’t.. updating would have been too slow and anyways there is only 1 page that I use Java for.

    If there is no way to enable the plugin again then I have to move to Internet Explorer. Such a bunch of idiots at Mozilla!!!!

    1. Martin Brinkmann said on April 4, 2012 at 11:29 pm
      Reply

      If you can update, I’d suggest you do so, as it is just to risky with exploits floating around.

      1. clas said on October 13, 2012 at 3:02 pm
        Reply

        Martin, love the letter, great insights. updates on java…hmmm
        i tend to hang back a bit. i use several sites, brokerages with
        streaming quotes and the like that tend to be behind the
        cutting edge of java. and before i do an update i do a macrium
        image. then if any problems i can go back to good in a few
        minutes. i am sure you will agree that some updates do
        cause problems and if they do the commenters will be out
        in droves with their pitchforks and brimstone letting everyone
        know.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.