elaich said:
Because a Java vulnerability could install malware without user permission.
JavaScript, not Java
A detailed explanation, by the chap who discovered the vulnerability,
can be found here. He reports that they have discovered other
vulnerabilities that haven't been leaked.
http://www.greyhatsecurity.org/firefox.htm
"There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de) helped me with the research.
To understand why the example works, one must understand the basics of how Firefox works. Everything you see in Firefox is essentially a webpage being rendered by a compiler. This is what the GUI is made of, and this is why Firefox is so easy to customize. However, it also allows for some security bugs. If one could get one of the chrome pages to request a javascript:[script] URL, that individual would be given complete access to the system because chrome URLs are given full rights in Firefox. My example works by tricking the addon install function into displaying an icon with a javascript URL. ..."
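
Added example, not part of the post or of the quoted write-up, and not Firefox's own code: a sketch of the check the quoted explanation implies, where code running with chrome rights refuses any page-supplied icon URL whose scheme is not on an allowlist. The function names, the allowlist and the sample URLs are hypothetical and constructed for illustration.

```javascript
// Hypothetical allowlist: only schemes that fetch a resource, never ones that run script.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Weak check: blocklists one literal spelling of one scheme.
function naiveIconCheck(raw) {
  return !raw.startsWith("javascript:");
}

// Hardened check: parse the value the way a URL parser does (case folding,
// stripping of leading whitespace and embedded tabs/newlines, resolution
// against the page URL), then allowlist the resulting scheme.
function isSafeIconUrl(raw, pageUrl) {
  if (typeof raw !== "string") return false;
  let parsed;
  try {
    parsed = new URL(raw, pageUrl);
  } catch (_) {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_ICON_SCHEMES.has(parsed.protocol);
}

// Constructed sample inputs: icon values a web page might hand to an installer dialog.
const SAMPLE_PAGE = "https://addons.example.test/install.html";
const SAMPLE_ICONS = [
  "icon.png",                      // relative, resolves to https
  "https://cdn.example.test/i.png",
  "javascript:void(0)",            // the scheme the quoted write-up describes
  " JavaScript:void(0)",           // leading space and mixed case
  "java\tscript:void(0)",          // embedded tab, removed by the URL parser
  "data:image/png;base64,AAAA",    // not script here, but not allowlisted either
];

// Run both checks over every sample so the gap between them is visible.
function auditIcons(icons, pageUrl) {
  return icons.map((raw) => ({
    raw: JSON.stringify(raw),
    naive: naiveIconCheck(raw),
    hardened: isSafeIconUrl(raw, pageUrl),
  }));
}

console.table(auditIcons(SAMPLE_ICONS, SAMPLE_PAGE));
```

The naive column accepts the whitespace and mixed-case variants that the hardened column rejects, which is why the decision is made on the parsed scheme rather than on the raw string.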