plencnerb
Premium Member
join:2000-09-25
53403-1242

to MarkRH

Re: All versions of the Java plugin are blocked

said by MarkRH:

Update: Just installed Java 7u11

Interesting, as I did not know that 7u11 was out. When I run the plugin check, it says I'm up to date with Java on the 7U10 version.

No matter, I've seen delays in that before. So, I'll upgrade to 7u11 and see if that makes any difference for me with my Firefox test.

--Brian

chachazz
Premium Member
join:2003-12-14

Download 7u11:
»www.oracle.com/technetwo ··· dex.html

This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2013-0422.

Release notes: »www.oracle.com/technetwo ··· 856.html

MarkRH
Premium Member
join:2005-02-08
Edmond, OK

to La Luna
said by La Luna:

said by MarkRH:

I installed the latest Java version last night, and now the Java(TM) Platform Plugin doesn't even appear in the Plugins list. Only the Deployment Toolkit does and it's disabled. At the moment I can't enable it if I wanted, unless there's some setting within FF or the Java Control Panel I've yet to see.

Update: Just installed Java 7u11 and only the Deployment Toolkit is listed (disabled). The Platform Plug-in isn't even there.

Same thing here. I had to also install this for Firefox. Now I see it in plugins. I think the other download is for IE:

»java.com/en/download/index.jsp

Unlike Flash, there's not separate install programs for Java. As it turns out, the Java 7u11 Installer failed to create the necessary Registry Key for FF to even see the plugin. I followed the instructions here: »kb.mozillazine.org/Java by installing Java7u9, exporting out the Registry Key, installing Java7u11, modifying the version numbers in the .reg file I made and then importing it.

Oh, I changed the version numbers from 1.7.0_9 to 1.7.0_11 and the JavaPlugin,version=10.9.2 to JavaPlugin,version=10.11.2 everywhere in the file. Now FF sees the Platform plug-in so that I can enable/disable it when needed.
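
A consistency check for the hand-edited .reg file described above, as an added example that is not part of the original posts: it scans the JavaPlugin keys of an export for version strings that still name a different Java 7 update. The sample export, its key path and its value names are constructed assumptions; the pairing of 10.N.2 with 1.7.0_N follows the version numbers quoted in the thread.

```python
import re

# Constructed sample of a hand-edited export (key path and value names are
# assumptions for illustration, not copied from the thread). One value was
# missed during the edit and still carries the 7u9 plugin version.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin,version=10.11.2]
"Description"="Java Plug-In (constructed)"
"Path"="C:\\Program Files\\Java\\jre7\\bin\\plugin2\\npjp2.dll"
"Version"="10.9.2"

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin,version=10.11.2\MimeTypes\application/x-java-applet;jpi-version=1.7.0_11]
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')            # [HKEY_...] section header
PLUGIN_VER = re.compile(r'\b10\.(\d+)\.2\b')     # plugin style: 10.<update>.2
JRE_VER = re.compile(r'\b1\.7\.0_0?(\d+)\b')     # JRE style: 1.7.0_<update>


def update_numbers(line):
    """Java 7 update numbers named on one line, from either version style."""
    return {int(n) for rx in (PLUGIN_VER, JRE_VER) for n in rx.findall(line)}


def find_leftovers(reg_text, expected_update):
    """Return (line_no, line) pairs under JavaPlugin keys naming another update."""
    leftovers, in_java_key = [], False
    for no, line in enumerate(reg_text.splitlines(), 1):
        m = KEY_RE.match(line)
        if m:  # a new section starts; track whether it is a JavaPlugin key
            in_java_key = 'JavaPlugin' in m.group(1)
        if in_java_key and update_numbers(line) - {expected_update}:
            leftovers.append((no, line.strip()))
    return leftovers


if __name__ == '__main__':
    # Files written by regedit are UTF-16; decode them before passing text in.
    for no, line in find_leftovers(SAMPLE_REG, expected_update=11):
        print(f'line {no}: still names another update: {line}')
```
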

plencnerb
Premium Member
join:2000-09-25
53403-1242

to chachazz
Well, I went ahead and removed Java 7u10 (32 bit and 64 bit) and Firefox.

Cleaned up the directories left behind, and then installed the following software in the order shown below

• Java 7 Update 11 32 bit
• Java 7 Update 11 64 bit
• Firefox 18.0

Not sure if this matters, but someone else did mention something about the maintenance service. When I did my install of Firefox, I did not install that.

I get the same results when I go to the plugins view. Both items for Java are showing up, and neither one is disabled.

However, I don't see that little warning that I noted before. I may have to close Firefox again and re-open it to see if that shows up.

--Brian

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

I don't think Mozilla is disabling this new version of Java on Fx, if that's what you mean you aren't seeing. I manually disabled it anyway, as I don't trust it and don't really have a need for it at this time.

plencnerb
Premium Member
join:2000-09-25
53403-1242

said by La Luna:

I don't think Mozilla is disabling this new version of Java on Fx, if that's what you mean you aren't seeing. I manually disabled it anyway, as I don't trust it and don't really have a need for it at this time.

That is how I read what they were doing.

See the quote from the first page below (note, bold mine)
quote:
As explained on this post in the Mozilla Security Blog, all versions of the Java plugin are vulnerable to a security bug that could compromise users’ systems. Because of this, all versions of the Java plugin will be blocked in Firefox 17 and above.
This is a click-to-play block, meaning that the plugin will be disabled by default, but you will be prompted if you visit a site that has a Java applet, giving you the option to enable it for that session, or always enable it for that site.
We recommend that you visit our plugin check page frequently, in case an update for the Java plugin becomes available soon.

I took that to read if you installed Firefox 17 or 18, and either already had Java installed, or installed Java after the fact, when you went to the plugins area of the add-ons manager, it would show as disabled, and the button next to it would allow you to enable it.

If you decided to leave it disabled, and you visited a site that required java, you would get some kind of notice (the click-to-play thing), and you could choose some options (enable for that session, enable always for that site).

Is that how it is supposed to work, or am I misunderstanding?

--Brian

kickass69
join:2002-06-03
Lake Hopatcong, NJ

Indeed, Java 7 Update 11 isn't being blocked by Click to Play as everything we know of currently is patched...until the next exploit comes along.

chachazz
Premium Member
join:2003-12-14

It's also available on the Java consumer site Java.com:

»www.java.com/en/download ··· nual.jsp

kickass69
join:2002-06-03
Lake Hopatcong, NJ

Oh I know, I end up going here instead of in normal circumstances waiting for a week to show up on java.com.

plencnerb
Premium Member
join:2000-09-25
53403-1242

to kickass69
said by kickass69:

Indeed, Java 7 Update 11 isn't being blocked by Click to Play as everything we know of currently is patched...until the next exploit comes along.

So if I understand the logic then, if I was to remove Firefox 18, and Java 7 Update 11, and then clear all the folders and files left behind so nothing is left.

Then, install Firefox 18, and Java 7 Update 7, Firefox should "block" that version, as it's older and has vulnerabilities? And by "block" when I went to the Add-On manager, both Java plugins for 7u7 would show up as "Disabled" by default, yes?

If that is true, then why did it not work that way with Java 7 Update 10? I thought 7u10 had issues too?

As most probably know by now, I'm someone who will play with different installs of software to test and figure things out. I may just go ahead and do that today and post my results.

However, based on my testing with FF 18.0, and Java 7u10, I don't think it's going to work that way....but, that is why we test!

Also makes me wonder if the install order matters. For example, would one get different results if you install Firefox 18, and then Java, compared to having Java already installed, and then installing Firefox? Should it matter? I would not think so, as whatever is coded in Firefox should be able to figure it out either way. Again, this is why we test!

--Brian

angussf
Premium Member
join:2002-01-11
Tucson, AZ

to kickass69
said by kickass69:

Indeed, Java 7 Update 11 isn't being blocked by Click to Play as everything we know of currently is patched...until the next exploit comes along.

Except:
Oracle updates Java, security expert says it still has bugs... | Stuff.co.nz
»www.stuff.co.nz/technolo ··· s-expert
Last updated 12:18 14/01/2013
...

Java security expert Adam Gowdiak, who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak, a researcher with Poland's Security Explorations.

An Oracle spokeswoman declined to comment on Gowdiak's analysis.

plencnerb
Premium Member
join:2000-09-25
53403-1242

to chachazz
[Screenshot #1]
[Screenshot #2]
Well, I went ahead and tested, just like I said I would.

My testing steps are below

Step 1: Remove Firefox 18.0, Waterfox 16.0.1, Adobe Flash Player, and Java.

Step 2: Verify left over directories are removed (Program Files, Program Data, AppData for all users, and the file npdeployJava1.dll from any location on my hard drive.)

Step 3: Install Firefox 18.0
• Custom install
• Default Directory location
• Uncheck box for "Install Maintenance Service"
• Uncheck box for "In my start menu programs folder"
• Keep default option for "Use Firefox as my default web browser"
• Uncheck box for "Launch Firefox now"

Step 4: Launch Firefox by double-clicking on icon on the desktop
• Select option "Don't import anything"

Step 5: Verify plugin options (Tools Menu, Add-Ons, Plugins)

Looking at #1 above, you can see that I have no Java items listed at all.

Step 6: Install Java 7 Update 7 x86, using the offline install file "jre-7u7-windows-i586.exe"

Step 7: Modify Java options (Control Panel, Programs, Java (32-Bit))
• Turn off automatic updates (Java Control Panel, Update Tab, Uncheck box for "Check for Updates Automatically")
• Click button "Do Not Check"
• Remove Registry item "SunJavaUpdateSched" located at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Step 8: Launch Firefox by double-clicking on icon on the desktop

Step 9: Verify plugin options (Tools Menu, Add-ons, Plugins)

In looking at #2 above, both Java Plugins are listed (Java Deployment Toolkit 7.0.70.10 and Java(TM) Platform SE 7 U7 10.7.2.10). However, both are enabled by default.

There is the little warning in red text, along with the red slashes for the Java(TM) Platform SE 7 U7 10.7.2.10 plugin to alert the end user that it's not safe to have it enabled, but that's it.

Results:

Looks like with an older version of Java (Java 7 Update 7), and Firefox 18, things are still "Enabled by default".

So again, either I'm not understanding what is supposed to happen, or it's not working the way Mozilla thinks it should be working on my system.

--Brian

kickass69
join:2002-06-03
Lake Hopatcong, NJ

to angussf
I got to wonder how many critical security flaws remain in Flash as well since Java is getting all the attention.
kickass69

to plencnerb
When you go to a site that has Java, you should see a little red icon next to the globe in the URL bar...if you click that you'll be given the option to run Java on said site. That's what happened to me when I had Update 10.

plencnerb
Premium Member
join:2000-09-25
53403-1242

said by kickass69:

When you go to a site that has Java, you should see a little red icon next to the globe in the URL bar...if you click that you'll be given the option to run Java on said site. That's what happened to me when I had Update 10.

I can see that if Java is disabled. You get an indication that a given site uses Java, and then you get asked if you want to run Java or not.

However, if Java is not disabled (as you can see by my screen shots), why would it even ask? It would be the same as having Firefox disable it on install (which, to me it's not doing), and then me going in and saying "No, I accept the risks, enable the Java plugin".

--Brian

angussf
Premium Member
join:2002-01-11
Tucson, AZ

to kickass69
said by kickass69:

I got to wonder how many critical security flaws remain in Flash as well since Java is getting all the attention.

AdBlock Plus with NoScript are your friends here. I have scripting (and Java) blocked everywhere and only enable it on an as-needed basis. With ads blocked I rarely need Flash or scripting.

Sure, it's a bit of a PITA, but it's safer. And since I don't run as Admin anyway, that makes me safer yet.

andyross
MVM
join:2003-05-04
Aurora, IL

to chachazz
And it appears Oracle, again, only did a half-assed fix. There are exploits already for the bugs that are still there:
»arstechnica.com/security ··· ability/

EmoHobo
join:2010-07-16

to Cartel
I don't have Java even installed but I still see this message, is this normal?

MarkAW
Barry White
Premium Member
join:2001-08-27
Canada

said by EmoHobo:

I don't have Java even installed but I still see this message, is this normal?

If you are talking about the "Missing Java warning" after you do a check for plugin update then yes it's normal.



chachazz
Premium Member
join:2003-12-14

quote:
Update – January 18, 2013
Mozilla is extending Click to Play for Java 7u11 due to reports of exploit code available for 7u11 and information that all elements of the original Java bug have not been fully addressed by Oracle in the 7u11 patch.
»blog.mozilla.org/securit ··· ability/

carpetshark3
Premium Member
join:2004-02-12
Idledale, CO

to MarkAW
I've seen that damn warning. I've disabled all Java plugins in FX, and finally checked Thunderbird. There were some in there and Mozilla itself must have put them there. I don't enable any plugins in mail since I prefer and want text only mail.

Now I'm annoyed because I can't DELETE the plugins I don't want and have disabled.

MarkRH
Premium Member
join:2005-02-08
Edmond, OK

said by carpetshark3:

I've seen that damn warning. I've disabled all Java plugins in FX, and finally checked Thunderbird. There were some in there and Mozilla itself must have put them there. I don't enable any plugins in mail since I prefer and want text only mail.

Now I'm annoyed because I can't DELETE the plugins I don't want and have disabled.

Plugins are installed by 3rd party installers. So, you would need to uninstall that 3rd party software to remove them or go into that 3rd party software's options and disable the browser plugins from there. But, with them being disabled, the browser just ignores their presence and as far as the websites know, it's not installed.