Info on Mozilla that blocks Firefox from loading Java Plug Ins


Peter Foldes

Thanks to Jen for the info below

Mozilla moves to block Firefox from loading unpatched Java plugins:
April 3, 2012

....The vulnerabilities, revealed by Oracle on February 14, allow an
attacker to bypass the Java "sandbox" and execute code on the system
being attacked. Malicious websites using the vulnerability have already
been found by researchers at Microsoft's Malware Protection Center. And
according to security blogger Brian Krebs, tools that automate
configuration of sites to take advantage of the vulnerability are
already being distributed as "exploit packs" for BlackHole, a tool used
to create malicious websites that can infect PCs with botnets and other

But the patch posted by Oracle to close the vulnerability remains widely
uninstalled. Marcus Carey, a security researcher at Rapid7, said that he
estimates 60 to 80 percent of computers running Java are still
vulnerable to the attack. "Looking long term, upwards of 60 percent of
Java installations are never up to the current patch level," he said in
an e-mail to Ars.

Blocklisting Older Versions of Java (Firefox):
Apr 2 2012
The February 2012 update to the Java Development Kit (JDK) and Java
Runtime Environment (JRE) included a patch to correct a critical
vulnerability that can permit the loading of arbitrary code on an
end-user's computer.
This vulnerability, present in the older versions of the JDK and JRE, is
actively being exploited, and is a potential risk to users. To mitigate
this risk, we have added affected versions of the Java plugin for
Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and
below) to Firefox's blocklist. A blocklist entry for the Java plugin on
OS X may be added at a future date.
Mozilla strongly encourages anyone who requires the JDK and JRE to
update to the current version as soon as possible on all platforms.
Affected versions of the Java plugin will be disabled unless a user
makes an explicit choice to keep it enabled at the time they are
notified of the block being applied.
Java for OS X is provided by Apple, but an update to a non-vulnerable
version of the JDK or JRE was not available at the time of this posting.

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no rights.
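An inventory check against the version ranges in the Mozilla notice quoted above, as an added example that is not part of the original post or Mozilla's own blocklist code. The two version-string formats it parses and the host names in the sample inventory are assumptions constructed for illustration.

```python
import re

# Thresholds from the Mozilla notice quoted above (Java plugin for Windows):
# Version 6 Update 30 and below, Version 7 Update 2 and below.
BLOCKED_MAX_UPDATE = {6: 30, 7: 2}

# Assumed runtime style: "1.6.0_30", "1.7.0_02-b13", "1.7.0" (no suffix = update 0)
_RUNTIME_RE = re.compile(r"\b1\.(\d+)\.0(?:_(\d+))?")
# Assumed plugin-description style: "Java(TM) Platform SE 6 U30", "Java 7 Update 2"
_PLUGIN_RE = re.compile(r"\b(?:SE|Java)\s+(\d+)(?:\s+(?:U|Update)\s*(\d+))?", re.I)


def parse_java_version(text):
    """Return (major, update), or None if no Java version is recognised."""
    for rx in (_RUNTIME_RE, _PLUGIN_RE):
        m = rx.search(text)
        if m:
            return int(m.group(1)), int(m.group(2) or 0)
    return None


def is_blocklisted(text):
    """True if in a blocked range, False if not, None if unparseable."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    # Major versions the notice does not mention are reported as not listed.
    limit = BLOCKED_MAX_UPDATE.get(major)
    return limit is not None and update <= limit


# Constructed sample inventory: hypothetical host name -> reported version string.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_30"',
    "ws-02": 'java version "1.6.0_31"',
    "ws-03": "Java(TM) Platform SE 7 U2",
    "ws-04": "Java(TM) Platform SE 7 U3",
    "ws-05": "unreadable registry value",
}


def audit(inventory):
    """Return (hosts in a blocked range, hosts whose version could not be read)."""
    blocked, unknown = [], []
    for host, version in sorted(inventory.items()):
        verdict = is_blocklisted(version)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            blocked.append(host)
    return blocked, unknown
```

Hosts returned in the second list need a manual check, since an unreadable version is not evidence of a patched one.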

