How to limit Java exposure in Firefox
Several Java vulnerabilities have been discovered in rapid succession in the past months. Every time Oracle put out a fix, new vulnerabilities were discovered in those recent versions almost immediately, which in turn left any system with those versions installed vulnerable to attacks.
Companies like Mozilla have started to blacklist old Java versions to protect users from those attacks, and while that worked considerably well, one could not really rely only on that to stay safe.
So what is it that you can do to protect your systems from Java-based attacks? The first answer that comes to mind, for obvious reasons, is to uninstall Java. While that may work for some users who do not need Java at all, it may not work for others. If your online banking website requires Java, you can't just uninstall Java as you would not be able to use the banking site anymore.
There must be another solution and there is. Actually, there is more than one solution and I'm going to look at all of them in this guide to help you limit Java to websites you need to run it on.
1. Run NoScript
NoScript supports temporary and permanent whitelisting of domains to allow scripts to run on select domains. The idea here would be to enable scripts on the sites you need to run Java on, and keep the default setup for all other sites so that it won't be executed on those sites when you open them in the browser.
While this requires some work on your part to configure all sites you need to run Java on, and sites that you need to run other plugins on, it is highly beneficial in the end as it protects the browser and computer from many attack forms that execute automatically when you connect to websites and services.
To enable a script on a site you can either click on it directly, which will enable it temporarily, or click on the NoScript icon in the browser's interface to enable it permanently or temporarily.
2. Click to Play
Update: In recent versions of Firefox, you may not need to enable click to play anymore, as it is enabled automatically for all plug-ins except Flash or plug-ins that you have configured to run automatically. You may still want to open the browser's add-ons manager and check the plug-ins listed there to make sure that everything is set to "ask to activate".
If you do not run NoScript, you still have a couple of options to deal with Java and other plugins that you need but are potentially dangerous to run. Mozilla some time ago introduced click to play, a feature that blocks the execution of scripts until you click on the element in the browser window.
It is disabled by default and the only option to enable it is in the advanced browser configuration. What's interesting in this regard is that it is actually activated automatically if you run a version of Java that is vulnerable or outdated. Mozilla plans to expand this in the near future.
To activate click to play, do the following:
- Type about:config into the browser's address bar.
- Confirm that you will be careful if you do that for the first time.
- Type in plugins.click_to_play to the search field and press enter.
- Double-click on the parameter to set it to true.
Once done you will notice that plugin contents are not loaded automatically anymore. Instead, you will get an "activate Java" or other plugin name on the page that you need to click on to activate. The core benefit here is the same as provided by the NoScript extension: no plugin runs on a site unless you actively allow it to do so.
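To check the setting without opening the browser, for example across several profiles, the following added example (not part of the original article) reads a profile's prefs.js and user.js files and reports the state of plugins.click_to_play. The function names are illustrative, and the profile directory is assumed to be passed in by the caller.

```python
import re
import sys
from pathlib import Path

PREF = "plugins.click_to_play"  # preference name from the steps above

# Firefox writes each changed preference as: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref line in the text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)  # commented-out lines do not match
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs


def click_to_play_state(profile_dir):
    """Return 'enabled', 'disabled' or 'default' for one profile directory."""
    merged = {}
    # user.js is applied at startup and overrides prefs.js, so read it last.
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            merged.update(parse_prefs(text))
    value = merged.get(PREF)
    if value is None:
        # Never changed: the effective value is the Firefox version's default.
        return "default"
    return "enabled" if value == "true" else "disabled"


if __name__ == "__main__":
    # Usage: python check_ctp.py /path/to/profile [more profiles ...]
    for profile in sys.argv[1:]:
        print(f"{profile}: {PREF} is {click_to_play_state(profile)}")
```

A result of "default" means the preference was never changed in that profile, so the behaviour depends on the Firefox version in use.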
There are a couple of things you can do to improve your experience. For sites you trust, your bank's website for instance, you may want to enable plugins all the time so that you do not have to enable them actively whenever you visit it.
A click on the small icon next to the site's address provides you with a menu to do so.
When you click on the icon, you are presented with options to activate one plugin, or all of them. What you can do as well is select the "always activate plugins for this site" option to whitelist it so that plugins run on it automatically.
Re: plugins.click_to_play…Already set to True in Firefox Nightly 64bit!
Or just disable Java in your plug-ins. I can’t even remember the last time that I accessed a web page where I had to enable Java.
I have uninstalled Java on my systems, and only install it when I need to test something. Others may use applications or web services that require Java, which does not make this an option unless you enable and disable the plugin manually every time you need it.
Prefbar (http://prefbar.tuxfamily.org/), one of my favourite Firefox add-ons, has a built-in button to enable and disable Java. I don’t include it in my customised Prefbar but it’s there for anyone who may need to enable/disable Java on a regular basis.