Mozilla has changed Firefox to block older versions of the Java plugin that contain a critical vulnerability that is being actively exploited. Adding these vulnerable versions to the browser's blocklist is meant to protect users who may not be aware of the flaw or of the attacks against it.
The specific Java vulnerability Mozilla is protecting users against was patched by Oracle in February, but Java is one of many browser components and extensions that users sometimes fail to update for long periods. Users who do not have automatic updates enabled for Java may go a long time before they remember to update it, and that is a dangerous habit given how much attackers love to exploit Java.
“This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms,” Mozilla’s Kev Needham said.
Mozilla’s decision to add a legitimate piece of software, albeit a highly vulnerable and oft-exploited one, to its blocklist is an unusual and bold step. Java is ubiquitous, used on millions of Web pages and in other applications across the Internet, and while most people in the security community are aware of the dangers it can pose, many typical users are not. As a result, Mozilla officials took the remarkable step of blacklisting all but the most recent version of Java.
“Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied,” Needham said.
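As an added illustration, not Mozilla's own blocklist code, the following Python models the policy described in the two statements above: it parses Java plugin version strings, decides whether a version falls inside the blocked ranges (Java 6 Update 30 and below, Java 7 Update 2 and below), and honours the explicit user override. The version thresholds come from Mozilla's statement; the accepted version-string formats and the sample `java -version` output are assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Blocked ranges as stated in Mozilla's announcement (Windows Java plugin):
# Java 6 Update 30 and below, Java 7 Update 2 and below. Other majors (e.g. 5)
# have no blocklist entry in the announcement, so they are not blocked here.
BLOCKED_MAX_UPDATE = {6: 30, 7: 2}

# Accepts the JRE form "1.<major>.0_<update>" (as printed by `java -version`)
# and the short forms "6u30", "7 U2", "7 Update 2". Assumption for this example.
_VERSION_RE = re.compile(
    r'^(?:1\.(?P<maj_a>\d+)\.\d+(?:_(?P<upd_a>\d+))?|'
    r'(?P<maj_b>\d+)(?:\s*(?:u|U|Update\s*)(?P<upd_b>\d+))?)$'
)

# Constructed sample of `java -version` output for a 6u30 install.
SAMPLE_JAVA_VERSION_OUTPUT = (
    'java version "1.6.0_30"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_30-b12)\n'
    'Java HotSpot(TM) Client VM (build 20.5-b03, mixed mode, sharing)\n'
)


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for '1.6.0_30', '6u30', '7 Update 2'; None if unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major = int(m.group('maj_a') or m.group('maj_b'))
    update = int(m.group('upd_a') or m.group('upd_b') or 0)  # no update suffix => update 0
    return major, update


def version_from_java_output(output: str) -> Optional[str]:
    """Pull the quoted version string out of the first line of `java -version` output."""
    m = re.search(r'java version "([^"]+)"', output)
    return m.group(1) if m else None


def is_blocklisted(version: str, user_kept_enabled: bool = False) -> bool:
    """True if the plugin would be disabled under the stated policy.

    user_kept_enabled models the explicit choice Mozilla lets a user make to keep
    the plugin enabled when notified of the block.
    """
    parsed = parse_java_version(version)
    if parsed is None:
        return False  # string not matched by any blocklist entry
    major, update = parsed
    if major not in BLOCKED_MAX_UPDATE or update > BLOCKED_MAX_UPDATE[major]:
        return False  # newer than the blocked range, or a major with no entry
    return not user_kept_enabled
```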
Java has been hit by a slew of attacks in recent weeks as criminals have targeted a known unpatched vulnerability in the software, and researchers say there are also ongoing attacks against older Java flaws, including CVE-2012-0507. An exploit for that vulnerability has now been added to the infamous Blackhole exploit kit.
“Malicious Java applet stored within a Java archive (.JAR) that attempts to exploit a vulnerability in the Java Runtime Environment (JRE) up to and including versions 7 update 2, versions 6 update 30 and versions 5 update 33,” Mila Parkour wrote in a post on the Contagio blog.