Mozilla Adds Older Java Versions to Firefox Blocklist

Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that’s being actively exploited. The decision to add these vulnerable versions of Java to the browser’s blocklist is designed to protect users who may not be aware of the flaw and attacks.


The specific vulnerability in Java that Mozilla is trying to protect users against was patched by Oracle in February, but Java is one of the many browser components and extensions that users sometimes will fail to update for long periods of time. If users don’t have the automatic updates enabled for Java, it could be a long time before they remember to update the software and that’s a dangerous habit given how much attackers love to exploit Java.

“This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms,” Mozilla’s Kev Needham said.

Mozilla’s decision to add a legitimate piece of software, albeit a highly vulnerable and oft-exploited one, to its blocklist is an unusual and bold step. Java is a ubiquitous application that’s used on millions of Web pages and other apps across the Internet and while most people in the security community are aware of the dangers that it can pose, many typical users are not. As a result, Mozilla officials took the remarkable step of blacklisting all but the most recent version of Java. 

“Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied,” Needham said.
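The blocklist mechanism described above boils down to two pieces: a version-range match against the announced cutoffs (Java 6 Update 30 and below, Java 7 Update 2 and below) and a soft block that a user may override when notified. The following is an added illustration, not Mozilla's or Firefox's own code; it assumes plugin versions arrive either in the JRE-internal form ("1.6.0_30") or the plugin-description form ("Java(TM) Platform SE 7 U2"), and it models only the Windows ranges Mozilla announced, so versions with an unlisted major number (for example Java 5) are treated as not on the list.

```python
import re
from typing import Optional, Tuple

# Announced cutoffs, keyed by Java major version: an installed update number
# less than or equal to the listed value is blocked. (Mozilla's list covers
# Java 6 and 7 on Windows; nothing else is modelled here.)
BLOCKED_MAX_UPDATE = {6: 30, 7: 2}


def parse_java_version(s: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a Java plugin version string.

    Accepts the JRE-internal form "1.7.0_02" and the plugin-description
    form "Java(TM) Platform SE 7 U2". Returns None for unrecognised input
    so that a caller can treat it as "not matched" rather than crash.
    """
    m = re.search(r"\b1\.(\d+)\.\d+(?:_(\d+))?", s)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = re.search(r"SE\s+(\d+)(?:\s+U(\d+))?", s, re.IGNORECASE)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    return None


def is_blocked(version: str) -> bool:
    """True if the version falls inside one of the announced blocked ranges."""
    parsed = parse_java_version(version)
    if parsed is None:
        return False  # unknown format: no range matches, so not blocked
    major, update = parsed
    max_blocked = BLOCKED_MAX_UPDATE.get(major)
    return max_blocked is not None and update <= max_blocked


def plugin_state(version: str, user_keeps_enabled: bool = False) -> str:
    """Model the soft block: a blocklisted plugin is disabled unless the user
    explicitly chose to keep it enabled when notified of the block."""
    if not is_blocked(version):
        return "enabled"
    if user_keeps_enabled:
        return "enabled (user override)"
    return "disabled (blocklisted)"


if __name__ == "__main__":
    # Constructed sample inputs covering both string forms and both sides of
    # each cutoff.
    samples = [
        "1.6.0_30",                      # last blocked Java 6 update
        "1.6.0_31",                      # first unblocked Java 6 update
        "Java(TM) Platform SE 7 U2",     # last blocked Java 7 update
        "Java(TM) Platform SE 7 U3",     # first unblocked Java 7 update
        "1.5.0_33",                      # major not on the announced list
    ]
    for v in samples:
        print(f"{v:32} -> {plugin_state(v)}")
```

The inclusive comparison against the update number is the whole check; the usual mistake when writing such a rule is an off-by-one at the boundary (6u30 must be blocked, 6u31 must not), which is why the sample inputs sit on both sides of each cutoff.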

Java has been the target of a slew of attacks in recent weeks as criminals have targeted a known unpatched vulnerability in the software, and researchers have said that there also are ongoing attacks against some older Java flaws, including CVE-2012-0507. That vulnerability now is the target of an exploit that was added to the infamous Blackhole exploit kit. 

“Malicious Java applet stored within a Java archive (.JAR) that attempts to exploit a vulnerability in the Java Runtime Environment (JRE) up to and including versions 7 update 2, versions 6 update 30 and versions 5 update 33,” Mila Parkour wrote in a post on the Contagio blog. 


Discussion

  • testman on

    There is no good reason to stick with unpatched JVM. They are free, widely available, documented ...

    Would Admin care of letting unpatched OS ? If no, why do they care about letting a whole platform such as Java unpatched ?

    FYI, in any latest Java version there is a security baseline displayed (see release notes).

    If you are using latest Java 7, go to Java Control Panel, in the "Advanced Tab" and to the "Insecure JRE Version" and check "Do not use Insecure JRE version"

    This will apply the rule thing for any JVM usage on your machine.

  • Anonymous on

    Mozilla folks are thinking about windows only again! Stop it. This breaks Linux distros. This is a hassle for Mac users who have java as part of their OS. This is a nightmare for BSD folks. Worst of all it means IT has to update java before firefox. That means security holes in firefox can't get patched right away until they deem java worthy with the point release.

    Don't dictate to your users Mozilla.  It's not cool.  There is a reason I've started to suggest alternatives to firefox to people I know.  

  • Anonymous on

    New JVMs break Cisco ASDM as well.


  • Anonymous on

    As much as I hate to see this I think it is a good idea.  I am FORCED to run an older Java at work.  If I install the current version I can't run the Java application that handles expense reports. 

    So the choice is 1) have a vulnerable work computer or 2) not be able to be paid back for travel expenses.   I travel a LOT for work.  So I have to take option 1.

    The block lets me use Firefox for web browsing and IE for expense reports using Java.

  • Anonymous on

    Well the problem is attitude.

    No matter what, you should never enforce by force. Period. 

    A warning message would be fine, but blocking is not.

    People will just see that XXX does not work in firefox and keep moving to Chrome.

    Mozilla, and any other product, is only as successful as WE, the users, want. You should appreciate that. The moment you think you are at the top and start forcing stuff you have your days counted.

    Either we see a change in Mozilla's management or you'll keep falling until there is no return.

    This is not the way to do it.


  • Kevin on

    This is great news. Cheers to FireFox for stepping up on this one.

  • Anonymous on

    Now to just get Apple to support more OS X versions than only the two recently issued ones and my Mac will be secure!

  • Anonymous on

    I'm glad to see someone is finally taking action to protect users against Java scripts.  Now can they do the same with Flash?

  • vlaflip on

    This is about java and not javascript (which is something completely different!) as suggested by an earlier post...

  • Anonymous on

    this--->'' I am FORCED to run an older Java at work.''

    Damn you Mozilla.

    P.S. anybody know good browser
