

siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to DrDrew

Re: Warning: 0-Day vulnerability in Java 7

I would hate to see someone run a plug-in check on Mozilla and then download Java if it had not been installed.


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

Mozilla Security - Protecting Users Against Java Security Vulnerability
Vulnerability Update – Aug 29, 2012:

quote:
We’ve been closely monitoring the recent Java security vulnerability and evaluating different options to best protect our users. Our goal is to provide protection to Firefox users against this actively exploited vulnerability in Java while also leaving the user in control so they can choose to allow Java on important sites that they trust.
We are still working out the implementation details, but our solution will accomplish two primary objectives:

By default, vulnerable versions of Java will be disabled for our Firefox users.
Users will be provided the option to enable Java through a clear and visible message that will be displayed anytime the user views a page using Java.

We’ll provide additional updates when items are finalized. In the interim, we still advise users to disable the Java plugin as described below.

Lastly, starting this week in Aurora and Beta we’ll begin adding the components of click-to-play, a Firefox security control that helps protect users against outdated and vulnerable plugins. We anticipate this new security feature to be fully operational by Firefox 18.

Original Post Aug 28, 2012

Steps to disable the Java plugin can be found here:
»support.mozilla.org/kb/How+to+tu···+applets
--
Gladiator Security Forum: www.gladiator-antivirus.com/


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

If you see a plugin for the Java "Toolkit," you may as well disable that also.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to chachazz

So, is Mozilla now allowing use of version 6? I had TO STOP using Java on Fx because of them not allowing version 6.

Fx is not Chrome. Mozilla has no business telling me what I can and cannot use on my browser. They are much worse now than Microsoft. HYPOCRITES also since they caved to Melih but now try and say how much they protect their users. BS.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



DrDrew
That others may surf
Premium
join:2009-01-28
SoCal
kudos:16

4 edits

said by Mele20:

I have Java 6 update 7 (still says "Sun" on the about tab).

said by Mele20:

So, is Mozilla now allowing use of version 6? I had TO STOP using Java on Fx because of them not allowing version 6.

Java version 6 can be used above update 30:
»blog.mozilla.org/addons/2012/04/···ng-java/
said by Mozilla blog April 2012 :
This vulnerability present in the older versions of the JDK and JRE is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date.

Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms.

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

The Java website also has a different, much older, notice. The Java interface used by versions earlier than Java 6 update 10 isn't compatible with Firefox 3.6 and later (and probably Opera 10.2 and later for the same reason):
»java.com/en/download/faq/firefox···ugin.xml
said by Java website, posted around December 2009 :
Starting in Firefox 3.6, Mozilla foundation will drop support on OJI (Open Java Virtual Machine Integration) and will only support the standard NPAPI and NPRuntime interfaces. The Java Plug-in which is in Java version 6 update 10 or newer versions supports the NPAPI and NPRuntime interfaces. Therefore, starting with Firefox 3.6, Java-based applets will NOT work unless you are running Java version 6 Update 10 or newer.
So Mozilla has always allowed Java 6 to run on Firefox version 3.6 or newer as long as it's been above Java 6 update 10 (I was running Java 6 up until last week). In February 2012 Java blocking was started to a minimum Java 6 update 31. Good reason to update your Java 6 update 7 (released in 2008), since it shouldn't have worked since Firefox 3.6.
--
If it's important, back it up... twice. Even 99.999% availability isn't enough sometimes.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to chachazz

ACK


EdmundGerber

join:2010-01-04
kudos:1

1 recommendation

reply to Mele20

said by Mele20:

So, is Mozilla now allowing use of version 6? I had TO STOP using Java on Fx because of them not allowing version 6.

Fx is not Chrome. Mozilla has no business telling me what I can and cannot use on my browser. They are much worse now than Microsoft. HYPOCRITES also since they caved to Melih but now try and say how much they protect their users. BS.

Mozilla so far seems to be the only browser maker talking about this, and actually coming up with workarounds. And for that they are terrible?

Yes - Mozilla is terrible. Please stop using their products immediately.*

*Because we're tired of your constant derailment of every frigging thread!


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 recommendation

(oops. looks like I should have really replied to Mele.)

Since when couldn't you use 6 in Mozilla?
I can, I have & have had it.

There have been times when Mozilla has blocked either extensions/plugins outright, or for particular versions that have known vulnerabilities.

So yes, they may very well block Java 1.7u01 to 1.7u06, forcing you to go to 1.7u07.

Actually they do something just like that.

<pluginItem blockID="p119">
  <match name="name" exp="Java\(TM\) Plug-in 1\.(6\.0_(\d|[0-2]\d?|3[0-2])|7\.0(_0?([1-4]))?)([^\d\._]|$)" />
  <match name="filename" exp="libnpjp2\.so" />
  <versionRange severity="1" />
</pluginItem>
<pluginItem blockID="p125">
  <match name="name" exp="Java\(TM\) Platform SE ((6( U(\d|([0-2]\d)|3[0-2]))?)|(7(\sU[0-4])?))(\s[^\d\._U]|$)" />
  <match name="filename" exp="npjp2\.dll" />
  <versionRange severity="1" />
</pluginItem>
 

If I had a problem with that, & the stupidity to do so, I could work around it.
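
Added example (not part of the post above and not Mozilla's code): the two name/filename patterns from the quoted blocklist entries, run against constructed plugin descriptions to show which Java versions each entry covers. It assumes an entry applies only when both its name and filename patterns match; the sample names and the helpers matchBlocklist, SAMPLES and report are made up for illustration, and versionRange is not modelled.

```javascript
// Patterns copied unchanged from the two <pluginItem> entries quoted above.
const BLOCKLIST = [
  {
    blockID: "p119", // Linux plugin (libnpjp2.so)
    name: /Java\(TM\) Plug-in 1\.(6\.0_(\d|[0-2]\d?|3[0-2])|7\.0(_0?([1-4]))?)([^\d\._]|$)/,
    filename: /libnpjp2\.so/,
  },
  {
    blockID: "p125", // Windows plugin (npjp2.dll)
    name: /Java\(TM\) Platform SE ((6( U(\d|([0-2]\d)|3[0-2]))?)|(7(\sU[0-4])?))(\s[^\d\._U]|$)/,
    filename: /npjp2\.dll/,
  },
];

// Assumption: an entry applies only if BOTH the name and the filename match.
// Returns the blockID of the first matching entry, or null if none matches.
function matchBlocklist(plugin) {
  for (const entry of BLOCKLIST) {
    if (entry.name.test(plugin.name) && entry.filename.test(plugin.filename)) {
      return entry.blockID;
    }
  }
  return null;
}

// Constructed plugin descriptions (not captured from a real browser).
const SAMPLES = [
  { name: "Java(TM) Platform SE 6 U7", filename: "npjp2.dll" },
  { name: "Java(TM) Platform SE 6 U32", filename: "npjp2.dll" },
  { name: "Java(TM) Platform SE 6 U33", filename: "npjp2.dll" },
  { name: "Java(TM) Platform SE 7 U4", filename: "npjp2.dll" },
  { name: "Java(TM) Platform SE 7 U6", filename: "npjp2.dll" },
  { name: "Java(TM) Plug-in 1.6.0_31", filename: "libnpjp2.so" },
  { name: "Java(TM) Plug-in 1.7.0_06", filename: "libnpjp2.so" },
];

// One line per sample: "<plugin name> -> <blockID or 'not matched'>".
function report() {
  return SAMPLES.map((p) => `${p.name} -> ${matchBlocklist(p) || "not matched"}`);
}

console.log(report().join("\n"));
```

With these samples, 6 U7, 6 U32, 7 U4 and 1.6.0_31 are matched, while 6 U33, 7 U6 and 1.7.0_06 are not.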


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 recommendation

reply to chachazz

quote:
Lastly, starting this week in Aurora and Beta we’ll begin adding the components of click-to-play, a Firefox security control that helps protect users against outdated and vulnerable plugins. We anticipate this new security feature to be fully operational by Firefox 18.

Note that currently, Java blockage looks to be broken in NoScript, in Aurora/Beta, so do not count on that.
You can enable (the Mozilla preference) plugins.click_to_play in about:config.

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

said by therube:

Note that currently, Java blockage looks to be broken in NoScript, in Aurora/Beta, so do not count on that.
You can enable (the Mozilla preference) plugins.click_to_play in about:config.

therube, do you think that the problem with noscript's not blocking "java" is only when using "noscript" with "aurora", which, i assume, is a beta version of "firefox"? or, is "noscript" not blocking "java" at all, regardless of which version of "firefox" one is using? or, you don't know?


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 edit

Aurora, so Firefox 17.
I haven't actually looked at FF 16.
I did look at FF 15.0, & it is working as expected with that.

Edit:

I had an older (July 12) version of 16, & it is working there.
Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/16.0 Firefox/16.0

Though don't know if that is still the case with a more recent build?

Edit2:

And working here also:
Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20120827 Firefox/16.0



therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL
reply to therube

> currently, Java blockage looks to be broken in NoScript, in Aurora/Beta

Fixed in the latest development build.

v 2.5.4rc1 (now up to rc2)
=========================================================================
x Fixed placeholder sizes messed up by changes in Gecko 17
x Work-around for broken content policy call for Java plugin on Gecko 17 and above