
chachazz
Premium Member
join:2003-12-14

chachazz to siljaline

Premium Member

to siljaline

Re: Warning: 0-Day vulnerability in Java 7

Mozilla Security - Protecting Users Against Java Security Vulnerability
Vulnerability Update – Aug 29, 2012:
quote:
We’ve been closely monitoring the recent Java security vulnerability and evaluating different options to best protect our users. Our goal is to provide protection to Firefox users against this actively exploited vulnerability in Java while also leaving the user in control so they can choose to allow Java on important sites that they trust.
We are still working out the implementation details, but our solution will accomplish two primary objectives:

By default, vulnerable versions of Java will be disabled for our Firefox users.
Users will be provided the option to enable Java through a clear and visible message that will be displayed anytime the user views a page using Java.

We’ll provide additional updates when items are finalized. In the interim, we still advise users to disable the Java plugin as described below.

Lastly, starting this week in Aurora and Beta we’ll begin adding the components of click-to-play, a Firefox security control that helps protect users against outdated and vulnerable plugins. We anticipate this new security feature to be fully operational by Firefox 18.

Original Post Aug 28, 2012

Steps to disable the Java plugin can be found here:
»support.mozilla.org/kb/H ··· +applets

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

rcdailey

Premium Member

If you see a plugin for the Java "Toolkit," you may as well disable that also.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to chachazz

Premium Member

to chachazz
So, is Mozilla now allowing use of version 6? I had TO STOP using Java on Fx because of them not allowing version 6.

Fx is not Chrome. Mozilla has no business telling me what I can and cannot use on my browser. They are much worse now than Microsoft. HYPOCRITES also since they caved to Melih but now try and say how much they protect their users. BS.

DocDrew
How can I help?
Premium Member
join:2009-01-28
SoCal
Ubee E31U2V1
Technicolor TC4400
Linksys EA6900

4 edits

DocDrew

Premium Member

said by Mele20:

I have Java 6 update 7 (still says "Sun" on the about tab).

said by Mele20:

So, is Mozilla now allowing use of version 6? I had TO STOP using Java on Fx because of them not allowing version 6.

Java version 6 can be used above update 30:
»blog.mozilla.org/addons/ ··· ng-java/
said by Mozilla blog April 2012 :
This vulnerability present in the older versions of the JDK and JRE is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date.

Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms.

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

The Java website also has a different, much older, notice. The Java interface used by versions earlier than Java 6 update 10 isn't compatible with Firefox 3.6 and later (and probably Opera 10.2 and later for the same reason):
»java.com/en/download/faq ··· ugin.xml
said by Java website, posted around December 2009 :
Starting in Firefox 3.6, Mozilla foundation will drop support on OJI (Open Java Virtual Machine Integration) and will only support the standard NPAPI and NPRuntime interfaces. The Java Plug-in which is in Java version 6 update 10 or newer versions supports the NPAPI and NPRuntime interfaces. Therefore, starting with Firefox 3.6, Java-based applets will NOT work unless you are running Java version 6 Update 10 or newer.
So Mozilla has always allowed Java 6 to run on Firefox version 3.6 or newer as long as it's been above Java 6 update 10 (I was running Java 6 up until last week). In February 2012 Java blocking was started to a minimum Java 6 update 31. Good reason to update your Java 6 update 7 (released in 2008), since it shouldn't have worked since Firefox 3.6.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to chachazz

Premium Member

to chachazz
ACK
EdmundGerber
join:2010-01-04

1 recommendation

EdmundGerber to Mele20

Member

to Mele20
said by Mele20:

So, is Mozilla now allowing use of version 6? I had TO STOP using Java on Fx because of them not allowing version 6.

Fx is not Chrome. Mozilla has no business telling me what I can and cannot use on my browser. They are much worse now than Microsoft. HYPOCRITES also since they caved to Melih but now try and say how much they protect their users. BS.

Mozilla so far seems to be the only browser maker talking about this, and actually coming up with workarounds. And for that they are terrible?

Yes - Mozilla is terrible. Please stop using their products immediately.*

*Because we're tired of your constant derailment of every frigging thread!

therube
join:2004-11-11
Randallstown, MD

1 recommendation

therube

Member

(oops. looks like I should have really replied to Mele.)

Since when couldn't you use 6 in Mozilla?
I can, I have & have had it.

There have been times when Mozilla has blocked either extensions/plugins outright, or for particular versions that have known vulnerabilities.

So yes, they may very well block Java 1.7u01 to 1.7u06, forcing you to go to 1.7u07.

Actually they do something just like that.

<pluginItem blockID="p119">
  <match name="name" exp="Java\(TM\) Plug-in 1\.(6\.0_(\d|[0-2]\d?|3[0-2])|7\.0(_0?([1-4]))?)([^\d\._]|$)" />
  <match name="filename" exp="libnpjp2\.so" />
  <versionRange severity="1" />
</pluginItem>
<pluginItem blockID="p125">
  <match name="name" exp="Java\(TM\) Platform SE ((6( U(\d|([0-2]\d)|3[0-2]))?)|(7(\sU[0-4])?))(\s[^\d\._U]|$)" />
  <match name="filename" exp="npjp2\.dll" />
  <versionRange severity="1" />
</pluginItem>


If I had a problem with that, & the stupidity to do so, I could work around it.
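
The two blocklist entries quoted in the post above can be checked against plugin names to see exactly which Java versions they cover. This is an added example, not part of the original post and not Mozilla's code; the `blockedBy` helper and the sample plugin records are constructed, and it assumes an entry applies only when every one of its match patterns hits.

```javascript
// Patterns copied unchanged from the exp attributes of the two entries above.
const BLOCKLIST = [
  { blockID: "p119", match: {
      name: /Java\(TM\) Plug-in 1\.(6\.0_(\d|[0-2]\d?|3[0-2])|7\.0(_0?([1-4]))?)([^\d\._]|$)/,
      filename: /libnpjp2\.so/ } },
  { blockID: "p125", match: {
      name: /Java\(TM\) Platform SE ((6( U(\d|([0-2]\d)|3[0-2]))?)|(7(\sU[0-4])?))(\s[^\d\._U]|$)/,
      filename: /npjp2\.dll/ } },
];

// Hypothetical helper: returns the blockID of the first entry whose
// patterns ALL match the plugin record, or null if no entry applies.
function blockedBy(plugin) {
  for (const item of BLOCKLIST) {
    const hit = Object.entries(item.match).every(
      ([field, re]) => typeof plugin[field] === "string" && re.test(plugin[field])
    );
    if (hit) return item.blockID;
  }
  return null;
}

// Constructed plugin records (name/filename pairs made up for this example).
const SAMPLES = [
  { name: "Java(TM) Platform SE 6 U31", filename: "npjp2.dll" },
  { name: "Java(TM) Platform SE 6 U33", filename: "npjp2.dll" },
  { name: "Java(TM) Platform SE 7 U4",  filename: "npjp2.dll" },
  { name: "Java(TM) Platform SE 7 U6",  filename: "npjp2.dll" },
  { name: "Java(TM) Plug-in 1.6.0_31",  filename: "libnpjp2.so" },
  { name: "Java(TM) Plug-in 1.7.0_06",  filename: "libnpjp2.so" },
  // Name matches no entry together with this filename, so nothing applies.
  { name: "Java(TM) Platform SE 6 U31", filename: "libnpjp2.so" },
];

// Collects one result row per sample so the coverage can be inspected.
function report(samples) {
  return samples.map((p) => ({ name: p.name, filename: p.filename, blockID: blockedBy(p) }));
}

for (const row of report(SAMPLES)) {
  console.log(`${row.name} [${row.filename}] -> ${row.blockID ?? "not matched"}`);
}
```

With the patterns as posted, both entries stop at Java 6 Update 32 and Java 7 Update 4; later updates such as 7 Update 6 are not matched by them.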
therube

1 recommendation

therube to chachazz

Member

to chachazz
quote:
Lastly, starting this week in Aurora and Beta we’ll begin adding the components of click-to-play, a Firefox security control that helps protect users against outdated and vulnerable plugins. We anticipate this new security feature to be fully operational by Firefox 18.

Note that currently, Java blockage looks to be broken in NoScript, in Aurora/Beta, so do not count on that.
You can enable (the Mozilla preference) plugins.click_to_play in about:config.
redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98

Premium Member

said by therube:

Note that currently, Java blockage looks to be broken in NoScript, in Aurora/Beta, so do not count on that.
You can enable (the Mozilla preference) plugins.click_to_play in about:config.

therube, do you think that the problem with noscript's not blocking "java" is only when using "noscript" with "aurora", which, i assume, is a beta version of "firefox"? or, is "noscript" not blocking "java" at all, regardless of which version of "firefox" one is using? or, you don't know?

therube
join:2004-11-11
Randallstown, MD

1 edit

therube

Member

Aurora, so Firefox 17.
I haven't actually looked at FF 16.
I did look at FF 15.0, & it is working as expected with that.

Edit:

I had an older (July 12) version of 16, & it is working there.
Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/16.0 Firefox/16.0

Though don't know if that is still the case with a more recent build?

Edit2:

And working here also:
Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20120827 Firefox/16.0
therube

therube

Member

> currently, Java blockage looks to be broken in NoScript, in Aurora/Beta

Fixed in the latest development build.

v 2.5.4rc1 (now up to rc2)
=========================================================================
x Fixed placeholder sizes messed up by changes in Gecko 17
x Work-around for broken content policy call for Java plugin on Gecko 17 and above