dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
6847
share rss forum feed


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 recommendation

All versions of the Java plugin are blocked

Mozilla Add-ons Blog — Protecting Users Against Java Vulnerability
quote:
As explained on this post in the Mozilla Security Blog, all versions of the Java plugin are vulnerable to a security bug that could compromise users’ systems. Because of this, all versions of the Java plugin will be blocked in Firefox 17 and above.
This is a click-to-play block, meaning that the plugin will be disabled by default, but you will be prompted if you visit a site that has a Java applet, giving you the option to enable it for that session, or always enable it for that site.
We recommend that you visit our plugin check page frequently, in case an update for the Java plugin becomes available soon.


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

1 recommendation

Indeed it is. Had it disabled already, but glad to see Mozilla is being pro-active on this.

andyross
Premium,MVM
join:2003-05-04
Schaumburg, IL
reply to chachazz
Apple has also disabled it.


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS
reply to chachazz
Click for full size
Well thats a flip-flop!


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
Someone forgot to update that plugin update page!!!


MarkRH
Premium
join:2005-02-08
Oklahoma City, OK
I would get that Missing Java out of date message anytime I disabled the Java Plugin. Seems to assume that if it's disabled that they must have done it and not the user.


dandelion
Premium,MVM
join:2003-04-29
Germantown, TN
kudos:5
reply to chachazz
Thank you for the links and the explanation.


EmoHobo

join:2010-07-16
reply to MarkRH
I don't even have Java installed anymore and I get the message.


kickass69

join:2002-06-03
Lake Hopatcong, NJ
reply to dandelion
Is Firefox phoning home to Mozilla all the time like Chrome does with Google? From that explanation that's not definitely answered. I mean how else are they able to control the Click to Play feature and determine what's 'bad' for us to run.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to chachazz
Mozilla is two faced. Fx 10.0.12 ESR is STILL OFFICIALLY SUPPORTED so how come they didn't disable it on this version also? They say this:

"How to use Java if it's been blocked

In order to protect you, Firefox has stopped the Java plugin from running automatically because it has a security issue. However, you can still use Java on trusted sites if necessary. We'll show you how."

»support.mozilla.org/en-US/kb/how···r-a-site

They say nothing about which versions of Fx it has been disabled on.

Why are they disabling it if you are using the latest version? Instead, they should be checking for how you set the slider. If the slider is at "high" (medium is default) or at "highest" Java accomplishes the same thing Mozilla is doing. There is NO NEED for Mozilla's grandstanding if the user is using the latest version of Java with the security slider set to high or highest.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Reimer

join:2006-08-14
Toronto, ON
reply to kickass69
Of course it does and for various reasons.

Firefox updates
Extension updates
Plugin block list
Safebrowsing block lists
etc

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

Who allows update checking? First thing I disable in any browser. Who allows automatic Extension updates? Second thing I disable in all browsers. Safebrowsing block lists I have NEVER used and NEVER will because I will not allow tracking of my use of my browser. Screw that!

The Plugin blocklist...I was really pissed at Mozilla when they first decided to be my mommy and my daddy but I was using an extremely old version of Java so I just used Java on IE ...screw Mozilla! But now, I have a new computer, latest Java version and I have set the security slider at "high" so I am fully protected and I don't need Mozilla meddling. Their "protection" is EXACTLY THE SAME as what is now built into Java itself. So, Mozilla is revealing loud and clear their hypocrisy and REAL REASON for blocking. It is so they can spy on their users...just as they try to do in the other ways that I have never allowed. Unfortunately, I need Java. I guess since SeaMonkey appears to care more about users privacy than does Mozilla I'll have to disable Java on Fx once I upgrade to the latest ESR version (Mozilla didn't block Java on the current 10.0.12 ESR version) and use Java on SM, Opera and IE. SCREW Mozilla for meddling and spying.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


MarkAW
Barry White
Premium
join:2001-08-27
Canada
kudos:16
said by Mele20:

Who allows update checking? First thing I disable in any browser. Who allows automatic Extension updates? Second thing I disable in all browsers. Safebrowsing block lists I have NEVER used and NEVER will because I will not allow tracking of my use of my browser. Screw that!

The Plugin blocklist...I was really pissed at Mozilla when they first decided to be my mommy and my daddy but I was using an extremely old version of Java so I just used Java on IE ...screw Mozilla! But now, I have a new computer, latest Java version and I have set the security slider at "high" so I am fully protected and I don't need Mozilla meddling. Their "protection" is EXACTLY THE SAME as what is now built into Java itself. So, Mozilla is revealing loud and clear their hypocrisy and REAL REASON for blocking. It is so they can spy on their users...just as they try to do in the other ways that I have never allowed. Unfortunately, I need Java. I guess since SeaMonkey appears to care more about users privacy than does Mozilla I'll have to disable Java on Fx once I upgrade to the latest ESR version (Mozilla didn't block Java on the current 10.0.12 ESR version) and use Java on SM, Opera and IE. SCREW Mozilla for meddling and spying.

So i guess you should be saying the same thing about IE,Opera because they are doing the same thing as Firefox when it come to Java?
--
We never really grow up, we only learn how to act in public.
Do not argue with an idiot. He will drag you down to his level and beat you with experience. (Hmm)
I have enemies? Good. That means I've stood up for something, sometime in my life.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
What same thing are they doing? SeaMonkey, Opera and IE 10 are not keeping me from using Java. Oracle is giving me more security with that slider that is in the latest Java version that I see no one mention anywhere in the forums here. But I don't see any browser maker except Mozilla, and then for Fx only not for SM, blocking use of Java.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


goalieskates
Premium
join:2004-09-12
land of big
reply to chachazz
said by chachazz:

Mozilla Add-ons Blog — Protecting Users Against Java Vulnerability

quote:
As explained on this post in the Mozilla Security Blog, all versions of the Java plugin are vulnerable to a security bug that could compromise users’ systems. Because of this, all versions of the Java plugin will be blocked in Firefox 17 and above.

And this is why I haven't updated to Firefox 17, and it's doubtful if I ever will after this.

Mozilla may warn me - that would be a service. But this is still my computer, not theirs. I'm the one taking the "risk" if there is one. I'm the one who knows if apps I run / pages I visit need it or not.

Some government pages require Java, and I need those pages. Mozilla can kiss my grits.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

1 edit
reply to chachazz
Click for full size
Java not blocked here
Click for full size
After restart, now shows this
Maybe I'm not understanding something, or I did things a bit different, but from what I can tell, Java plugins are not being "blocked by default" on my system.

I was running Waterfox, and had Java already installed.

So, I went ahead (after saving my profile) and uninstalled Waterfox. I also made sure to remove my profile directory, and any other directories for Waterfox that were left behind.

I then installed Firefox 18.0. Since I did not have a profile left behind from Waterfox, it was a "clean" and "fresh" install of Firefox 18.0, using a brand new profile.

However, when I load the Add-On screen (which, btw, is in a different place then it is in Waterfox), I was a bit shocked to find that Java is NOT disabled. The screen shot above is what my Plugins view looks like.

Looks like Java is still enabled to me!

Thoughts?

EDIT

When I was done with this post, I closed Firefox, and was going to start the process to put Waterfox back on. Before I did, I wanted to test something else, so I re-opened Firefox. I then went and looked at the Plugins again, but this time, I saw something new. If you look at the 2nd picture, the Java Plug in is still enabled, but now I see the little warning above it, and the background kind of has this red/pink slashes though it (to help draw attention to it for the end user).

Still not "Disabled" yet, but the warning is good. Still not sure why by default the two java plug-ins were not "disabled" as it appears they should have been.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 edit
reply to chachazz
Less drama Mele, more reading:
quote:
To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.

The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin.
Mozilla is not violating your inalienable right to entertain exploits


MarkRH
Premium
join:2005-02-08
Oklahoma City, OK

3 edits
reply to plencnerb
I installed the latest Java version last night, and now the Java(TM) Platform Plugin doesn't even appear in the Plugins list. Only the Deployment Toolkit does and it's disabled. At the moment I can't enabled it if I wanted, unless there's some setting within FF or the Java Control Panel I've yet to see.

Update: Just installed Java 7u11 and only the Deployment Toolkit is listed (disabled). The Platform Plug-in isn't even there.

After reading: »kb.mozillazine.org/Java it seems that I'm missing the registry key for it which is why FF is not seeing it.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to kickass69
said by kickass69:

Is Firefox phoning home to Mozilla all the time like Chrome does with Google? From that explanation that's not definitely answered. I mean how else are they able to control the Click to Play feature and determine what's 'bad' for us to run.

Yesterday, I visited a site that uses java, with firefox 18.

Nothing was blocked - java worked as normal.

That is probably because when I install firefox, I uncheck the "install maintenance service" option.

I think the answer is that, by default, firefox phones home. But you can prevent that by unchecking the "maintenance service" when installing.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 18.0


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
reply to MarkRH
said by MarkRH:

I installed the latest Java version last night, and now the Java(TM) Platform Plugin doesn't even appear in the Plugins list. Only the Deployment Toolkit does and it's disabled. At the moment I can't enabled it if I wanted, unless there's some setting within FF or the Java Control Panel I've yet to see.

Update: Just installed Java 7u11 and only the Deployment Toolkit is listed (disabled). The Platform Plug-in isn't even there.

Same thing here. I had to also install this for Firefox. Now I see it in plugins. I think the other download is for IE:

»java.com/en/download/index.jsp
--
The Alien in the White House

20,196 DEADLY TERROR ATTACKS SINCE 9/11


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to MarkRH
Click for full size
said by MarkRH:

Update: Just installed Java 7u11

Interesting, as I did not know that 7u11 was out. When I run the plugin check, it says I'm up to date with Java on the 7U10 version.

No matter, I've seen delays in that before. So, I'll upgrade to 7u11 and see if that makes any difference for me with my Firefox test.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
Download 7u11:
»www.oracle.com/technetwork/java/···dex.html

This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2013-0422.

Release notes:»www.oracle.com/technetwork/java/···856.html


MarkRH
Premium
join:2005-02-08
Oklahoma City, OK
reply to La Luna
said by La Luna:

said by MarkRH:

I installed the latest Java version last night, and now the Java(TM) Platform Plugin doesn't even appear in the Plugins list. Only the Deployment Toolkit does and it's disabled. At the moment I can't enabled it if I wanted, unless there's some setting within FF or the Java Control Panel I've yet to see.

Update: Just installed Java 7u11 and only the Deployment Toolkit is listed (disabled). The Platform Plug-in isn't even there.

Same thing here. I had to also install this for Firefox. Now I see it in plugins. I think the other download is for IE:

»java.com/en/download/index.jsp

Unlike Flash, there's not separate install programs for Java. As it turns out, the Java 7u11 Installer failed to create the necessary Registry Key for FF to even see the plugin. I followed the instructions here: »kb.mozillazine.org/Java by installing Java7u9, exporting out the Registry Key, installing Java7u11, modifying the version numbers in the .reg file I made and then importing it.

Oh, I changed the version numbers from 1.7.0_9 to 1.7.0_11 and the JavaPlugin,version=10.9.2 to JavaPlugin,version=10.11.2 everywhere in the file. Now FF sees the Platform plug-in so that I can enable/disable it when needed.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to chachazz
Click for full size
Well, I went ahead and remove Java 7u10 (32 bit and 64 bit) and Firefox.

Cleaned up the directories left behind, and then installed the following software in the order shown below

• Java 7 Update 11 32 bit
• Java 7 Update 11 64 bit
• Firefox 18.0

Not sure if this matters, but someone else did mention something about the maintenance service. When I did my install of Firefox, I did not install that.

I get the same results when I go to the plugins view. Both items for Java are showing up, and neither one is disabled.

However, I don't see that little warning that I noted before. I may have to close Firefox again and re-open it to see if that shows up.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

1 recommendation

I don't think Mozilla is disabling this new version of Java on Fx, if that's what you mean you aren't seeing. I manually disabled it anyway, as I don't trust it and don't really have a need for it at this time.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
said by La Luna:

I don't think Mozilla is disabling this new version of Java on Fx, if that's what you mean you aren't seeing. I manually disabled it anyway, as I don't trust it and don't really have a need for it at this time.

That is how I read what they were doing.

See the quote from the first page below (note, bold mine)

quote:
As explained on this post in the Mozilla Security Blog, all versions of the Java plugin are vulnerable to a security bug that could compromise users’ systems. Because of this, all versions of the Java plugin will be blocked in Firefox 17 and above.
This is a click-to-play block, meaning that the plugin will be disabled by default, but you will be prompted if you visit a site that has a Java applet, giving you the option to enable it for that session, or always enable it for that site.
We recommend that you visit our plugin check page frequently, in case an update for the Java plugin becomes available soon.

I took that to read if you installed Firefox 17 or 18, and either already had Java installed, or installed Java after the fact, when you went to the plugins area of the add-ons manager, it would show as disabled, and the button next to it would allow you to enable it.

If you decided to leave it disabled, and you visited a site that required java, you would get some kind of notice (the click-to-play thing), and you could choose some options (enable for that session, enable always for that site).

Is that how it is suppose to work, or am I mis-understanding?

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


kickass69

join:2002-06-03
Lake Hopatcong, NJ

1 edit
Click for full size
Indeed, Java 7 Update 11 isn't being blocked by Click to Play as everything we know of currently is patched...until the next exploit comes along.


chachazz
Premium
join:2003-12-14
kudos:9
It's also available on the Java consumer site Java.com:

»www.java.com/en/download/manual.jsp


kickass69

join:2002-06-03
Lake Hopatcong, NJ
Oh I know, I end up going here instead of in normal circumstances waiting for a week to show up on java.com.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to kickass69
said by kickass69:

Indeed, Java 7 Update 11 isn't being blocked by Click to Play as everything we know of currently is patched...until the next exploit comes along.

So if I understand the logic then, if I was to remove Firefox 18, and Java 7 Update 11, and then clear all the folders and files left behind so nothing is left.

Then, install Firefox 18, and Java 7 Update 7, Firefox should "block" that version, as its older and has vulnerabilities? And by "block" when I went to the Add-On manager, both Java plugins for 7u7 would show up as "Disabled" by default, yes?

If that is true, then why did it not work that way with Java 7 Update 10? I thought 7u10 had issues too?

As most probably know by now, I'm someone who will play with different installs of software to test and figure things out. I may just go ahead and do that today and post my results.

However, based on my testing with FF 18.0, and Java 7u10, I don't think its going to work that way....but, that is why we test! .

Also makes me wonder if the install order matters. For example, would one get different results if you install Firefox 18, and then Java, compared to having Java already installed, and then installing Firefox? Should it matter? I would not think so, as whatever is coded in Firefox should be able to figure it out either way. Again, this is why we test!

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail