Blocklisting Older Versions of Java

Kev Needham

The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer.

This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date.

Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms.

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

Updated versions of the JRE for Windows and Linux operating systems are available through java.com.

Update (12/04/04): Apple has released updated versions of the JRE for OS X Snow Leopard (10.6) and OS X Lion (10.7) through Software Update and support.apple.com/downloads/
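
As an added illustration (not Mozilla's blocklist code), the version ranges named in this post can be applied to plugin names of the form shown in the about:plugins listings quoted in the responses below, next to a hypothetical looser rule (`looseDecision`) that keys on the word "Java" and a single file-version ceiling. The name format, the `6.0.310` ceiling and the Java 6 U30 sample are assumptions or constructed values.

```javascript
"use strict";

// Ranges as stated in the post: Java 6 up to Update 30, Java 7 up to Update 2.
const BLOCKED_RANGES = [
  { major: 6, maxUpdate: 30 },
  { major: 7, maxUpdate: 2 },
];

// Assumed name format, based on the about:plugins listings quoted in the responses:
// "Java(TM) Platform SE 6 U31", "Java(TM) Platform SE 7 U1", "Java(TM) Platform SE 8".
const ORACLE_NAME = /^Java\(TM\) Platform SE (\d+)(?: U(\d+))?$/;

// Returns { major, update } for an Oracle plugin name, or null for any other plugin.
function parseOracleName(name) {
  const m = ORACLE_NAME.exec(String(name).trim());
  if (!m) return null;
  return { major: Number(m[1]), update: m[2] === undefined ? 0 : Number(m[2]) };
}

// Strict rule: Windows only (as in the post), vendor-specific name, one range per major.
function strictDecision(plugin) {
  if (plugin.os !== "windows") return "not-covered";
  const v = parseOracleName(plugin.name);
  if (v === null) return "not-covered";
  const hit = BLOCKED_RANGES.some(r => r.major === v.major && v.update <= r.maxUpdate);
  return hit ? "soft-block" : "allow";
}

// Compares dotted numeric versions; missing components count as 0.
function compareDotted(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Hypothetical loose rule, for contrast only: any plugin that mentions "Java"
// and whose file version is below one ceiling. An empty Version field is
// compared as 0. The ceiling is derived from the 6.0.310.5 reported for 6 U31.
function looseDecision(plugin) {
  const mentionsJava = /java/i.test(`${plugin.name} ${plugin.description}`);
  const version = plugin.version || "0";
  return mentionsJava && compareDotted(version, "6.0.310") < 0 ? "soft-block" : "allow";
}

// Sample inventory. The first four entries use strings quoted in the responses
// (fields not shown there are left empty); the last entry is constructed.
const SAMPLES = [
  { name: "Java(TM) Platform SE 6 U31", version: "6.0.310.5", os: "windows",
    description: "Next Generation Java Plug-in 1.6.0_31 for Mozilla browsers" },
  { name: "Java(TM) Platform SE 7 U1", version: "10.1.0.8", os: "windows",
    description: "" },
  { name: "Java(TM) Platform SE 8", version: "11.0.0.32", os: "windows",
    description: "Next Generation Java Plug-in 11.0.0 for Mozilla browsers" },
  { name: "IcedTea NPR Web Browser Plugin (using IcedTea6 1.9.13 (6b20-1.9.13-0ubuntu1~10.04.1))",
    version: "", os: "linux", description: "executes Java applets." },
  { name: "Java(TM) Platform SE 6 U30", version: "6.0.300.0", os: "windows",
    description: "" }, // constructed sample
];

// Runs both rules over an inventory so the differences can be compared.
function evaluate(samples) {
  return samples.map(p => ({
    name: p.name,
    strict: strictDecision(p),
    loose: looseDecision(p),
  }));
}

for (const row of evaluate(SAMPLES)) {
  console.log(`${row.strict.padEnd(12)} ${row.loose.padEnd(11)} ${row.name}`);
}
```

The two rules disagree on Java 7 U1, which the single ceiling misses because its file version starts at 10, and on the IcedTea entry, which the loose rule catches because its Version field is empty.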

103 responses

  1. Dan wrote on :

    Sweet, my mom was complaining to me that Thunderbird was saying scary things about Java to her. Now I can give her a name to blame! ;)

    But yeah she did get hit with a Java exploit earlier this year while using Firefox, maybe it was the same one (she was running 6u20).

    1. herebye wrote on :

      omg a java-exploit, lol. there is just one reason to change jdk and plugins, change to Oracle.
      now oracle is not known as this big master of security issue than sun was, so judge yourself.

      real security-issue to deal with are:
      ———————————————–
      1. using a system with automatic security-management.
      provides a user-sessions with admin-similar-privileges.
      2. all apps, installable just with admin-privileges.
      3. FireFox as one of these, specially with downloaded Wildcard-Addons.
      4. do install software with easy to handle download-installer.
      5. do install & play interconnection-games on your working-machine.
      6.
      .
      problem on each complex device .. laptop,nettop,ebook,ephone,apple handheld.

      but easy to solve, with some security-setup and consumer liability and knowledge.
      help would more education and more product transparency.
      ty (just a proposal)

  2. James wrote on :

    On Ubuntu 10.04, Firefox 11, the OpenJDK browser plugin icedtea-6-jre-cacao version 6b20-1.9.13-0ubuntu1-10.04.1 has just been blocklisted. However, by my understanding this is not the vulnerable version of Java from Oracle and should not be blocklisted. There is no update in icedtea for patching Oracle Java so disabling icedtea would be permanent. I think Mozilla need to fix their blocklist definition as quickly as possible before other Linux users are affected (not all of whom will notice the mistake).

    1. Jorge Villalobos wrote on ::

      James: note that this is a softblock, so you have the option to not disable the plugin. Having said that, can you please navigate to about:plugins and let us know the information you see related to the Iced Tea plugin? There’s no need to include the MIME type table.

      Thanks.

      1. James wrote on :

        Yes, I have dodged the block for now. (Having too much fun with ICSI Netalyzr to give up on Java just yet.)

        Here is the info from about:plugins you requested:

        IcedTea NPR Web Browser Plugin (using IcedTea6 1.9.13 (6b20-1.9.13-0ubuntu1~10.04.1))
        File: IcedTeaPlugin.so
        Version:
        The IcedTea NPR Web Browser Plugin (using IcedTea6 1.9.13 (6b20-1.9.13-0ubuntu1~10.04.1)) executes Java applets.

        I think I gave all that version info already. Is there anything else you might need to know? Here’s the MD5 sum of that file for comparison:

        721e7b5ee0cb32b7fc4b90574ace7bea */usr/lib/jvm/java-6-openjdk/jre/lib/amd64/IcedTeaPlugin.so

    2. Gaz wrote on :

      https://bugzilla.mozilla.org/show_bug.cgi?id=739955#c65 confirms that the blocklist is incorrect for Iced Tea

      1. James wrote on :

        Thanks, well spotted.

        It’s nice to know I was right about it being an inappropriate block with undesired consequences for all mainstream Linux users, but the question remains can Mozilla fix the block list before it affects too many people?

  3. Daveytay wrote on :

    I have a very similar problem.

    If you use Aurora 13.0a2 (2012-04-02) and JRE 8, you still get blocked.
    jre-8-ea-bin-b32-windows-i586-29_mar_2012.exe
    http://jdk8.java.net/download.html

    Java(TM) Platform SE 8

    File: C:\Program Files\Java\jre8\bin\plugin2\npjp2.dll
    Version: 11.0.0.32
    Next Generation Java Plug-in 11.0.0 for Mozilla browsers

    Java Deployment Toolkit 8.0.0.32

    File: C:\WINDOWS\system32\npdeployJava1.dll
    Version: 11.0.0.32
    NPRuntime Script Plug-in Library for Java(TM) Deploy

    1. Jorge Villalobos wrote on ::

      Thank you for letting us know! I found a bug in our version detection and fixed it now. It should take some hours before the block is lifted.

      1. Villa Winter wrote on :

        Very bad work! If you don’t know anything about Icedtea and Ubuntu: KEEP YOUR HANDS OFF!
        Still not working as before YOU blacklisted Icedtea-plugin. This is not a Kindergarten and I decide if I install a new java-version or not.

        1. ceejayoz wrote on ::

          If anyone’s acting like a kindergartner, it’s you throwing your tantrum. Grow up.

      2. Daveytay wrote on :

        Thanks for the quick work :)

  4. cl wrote on :

    what is java plugins and why is this a problem to my computer

    1. James wrote on :

      Java is a plugin, a bit like Flash, but unlike Flash it is very rarely used on the web these days. If you have it enabled and visit a hacked website then your computer could pick up spyware or some other nasty. If you do not know that you need Java, then you almost certainly don’t and you should disable it.

  5. YouAreApsycho wrote on :

    You are a liar, you do not strongly encourage people, you actively FORCE people, like some kind of lunatic DICTATOR, to do something, when YOU TELL THEM TO, or their stuff stops working.
    Even if you select to keep it enabled, as it was working fine 10 minutes ago, it still DOESN’T WORK, because you authoritarian control freak goons have remotely partially blocked it permanently from working.
    You should be ashamed of yourselves and go and see a psychiatrist pushing your mentally disturbed crap onto everyone else.

    1. Dave wrote on :

      WTF?!? Oracle has said <1.6.0_31 and < 1.7.0_03 have security issues and you should update. Firefox has taken that advice and disabled those JRE versions and is telling you to update. If you keep your JRE up to date you will have no issues.

      From a security perspective they are doing the right thing, trying to stop the spread of malware. Also Mozilla doesn't want the bad press if people using Firefox get filled up with JRE malware.

      1. Ron wrote on :

        and if you are doing nothing wrong, you won’t mind if we search your car, or your locker, or your house.

        what you seem to be missing is that it is MY COMPUTER not yours, not theirs, MINE. its my responsibility what i want to use, and what i am willing to risk, and when i want to take the time to upgrade. NO ONE ELSE’S.

        you are not my net nanny.

      2. Beej wrote on :

        It’s not up to Mozilla to remotely disable anything in people’s browsers. Particularly not in third party plugins not of their own. Advice is something else.

      3. Kim Ludvigsen wrote on :

        “Firefox has taken that advice and disabled those JRE versions and is telling you to update. ”

        Do you have the string for that text? Or can you give me the English text so I can search for it. If you are right we have an error in the Danish translation where you are not told to upgrade Java.

        I was rather bewildered, and I am sure a lot of ordinary users will be just as bewildered. And in Denmark this is a serious problem as everybody uses Java to connect to their online banks. People are quitting Firefox for this.

  6. metz wrote on :

    I run Firefox in a terminal window occasionally. Yesterday, Firefox printed out a Java stack trace mentioning the InetAddress class and a call to its getAllByName() method. I was not using Java at the time. Possible breach?

    I am using Oneiric.

  7. Hiroshi wrote on :

    I’m quite upset because it forced the block on me and did not give me the option not to have the block. It simply told me it had already been blocked and I need to reboot the browser with the options restart now or later (I selected later, but the moment I had to close and reopen it, it’d been blocked).

    I’ve googled the issue for over an hour and still have been unsuccessful at unblocking it even if I add dom.ipc.plugins.enabled.npjp2.dll and set it as false (Though by now it’s a bit late), and dom.ipc.plugins.enabled is also already set to false. The advice about upgrading the JRE really doesn’t help some people who require the use of specific versions for development or to continue using old tools that utilise the old revisions.

    This is most unhelpful! T_T – Can’t you give users a clear “Yes disable now” & “No never disable in the future” option? How do I re-enable it T_T?

    1. Jorge Villalobos wrote on ::

      That dialog should have had a checkbox that allowed you to keep the plugin enabled. You should not change the IPC preferences. They have nothing to do with the blocklist and could end up causing performance problems for you in the future. You should be able to re-enable the plugin in the Add-ons Manager, or reinstall the version that you need to use. You can also try deleting blocklist.xml from the profile folder, and then uncheck the checkbox when the block dialog appears again.

      1. AZ wrote on :

        Jorge,

        What Hiroshi stated is the same behavior I experienced.

        Furthermore, yesterday (April 3, 2012), I received the dialog you suggested. At which point I un-checked the checkbox. Unfortunately, today (April 4, 2012), I received the dialog as mentioned by Hiroshi. Therefore, I don’t have the ability to keep the JRE from being blocked.

        1. Jorge Villalobos wrote on ::

          Yes, we just discovered a problem with the block and we’re working on fixing it now.

          1. Bruce wrote on :

            Sweet.. the ability to ‘re-enable’ the block doesn’t work now. I also tried setting extensions.blocklist.enable = false in prefs.js.. that does not work either. I HAVE WORK TO DO! shall we all add up the cost here?

            NOTE: By default, I have NoScript running against everything, so my vulnerability window is very small!! So why the stupid move on the blocklist?

          2. Bruce wrote on :

            Also tried renaming blocklist.xml.. does not work either.
            Searched through blocklist.xml for the CLSID or any DLL referencing Java – nothing
            So this block is using a different mechanism.

          3. Jorge Villalobos wrote on ::

            We have updated the block, so it should work now. There are detailed instructions in the new post.

          4. Bruce wrote on :

            I tried instructions – they don’t seem to work. Comment added to post ref’ing work around.

        2. Bruce wrote on :

          You are missing a step. You also need to delete pluginreg.dat. I renamed that.. and they all came back…

          1. Jorge Villalobos wrote on ::

            That’s odd. I know there’s a related bug for Mac OS, but this shouldn’t happen on Windows. But thanks for the note.

      2. Cathryn wrote on :

        Jorge Villalobos wrote: “You should be able to re-enable the plugin in the Add-ons Manager, or reinstall the version that you need to use. You can also try deleting blocklist.xml from the profile folder, and then uncheck the checkbox when the block dialog appears again.”

        Well that’s nice. Unfortunately that is not an option for me on FF9.0.1. There IS NO ability to re-enable in the Add-ons manager after the block has been put in place.

        It’s bad enough that this kind of overreaction on Mozilla’s part happens. But for Starmother’s sake people, at least get your tech support info correct on how to undo the block.

  8. djh wrote on :

    Sorry, this is disturbing. Where did you imagine you had the right to control what I do in the privacy of my home? I never even wanted this version of Java, I accidentally forgot to disable auto virus update and I am left with this mess.

    It is sad that you clearly do not understand information technology fundamentals.

    And privacy rights.

    Next will you and the google police start photographing people using
    cell phones in their cars, and have the phone company, another
    outstanding privacy advocate, shut off their service?

    1. Blenno wrote on :

      Anti-virus updates have nothing to do with this.

  9. Kohei Yoshino wrote on :

    We have posted the Japanese translation:
    http://mozilla.jp/blog/entry/8013/

  10. DocumentRoot wrote on ::

    It would be a more secure option if just-installed plugins were not enabled automatically by default

  11. Jobz wrote on :

    YOU ARE FORCING!!!!!!!!!!!!!!!!!!!!!! I HATE YOU FOR DISABLING THE “JAVA (TM) PLATFORM”!
    MY INTERNET WAS SLOW! HOW COULD I UPDATE?!?!?! DARN IT!!!

    I CANT DOWNLOAD MUSICS… EVEN IM PATIENTLY WAITING BECOZ OF MY SLOW INTERNET! UPDATING JAVA IS A BIG FILE!!! HOURS AND HOURS I WILL WAIT…. >.<

    1. Jobz wrote on :

      PLEASE…. DON’T BLOCK THE “JAVA (TM) PLATFORM”…………. SHEEZZZ…

  12. Ron wrote on :

    where do you decide on your own to disable my plug-in without asking?? warn me all you want but who in hell gave you permission to unilaterally decide for me what should be disabled on MY computer?? freakin nazis!

  13. Eloy wrote on :

    I can’t activate Java, I’ve installed the latest version from java.com:

    FF 11.0 “Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0”

    I have:
    Java Deployment Toolkit 7.0.10.8
    Archivo: npdeployJava1.dll
    Versión: 10.1.0.8

    Java(TM) Platform SE 7 U1 10.1.0.8 (disabled)
    I can’t enable it.

    When enter some site FF said I need plugin, when trying to install plugin “Java Runtime Enviroment 1.6 u29” (and can’t, because of failure). Then try manual and redirects to http://java.com/es/download/index.jsp, said “Version 6 Update 31” but install it does not change anything.

    1. Jorge Villalobos wrote on ::

      Java 7 U1 is also vulnerable. You should upgrade to U3 in order to avoid the block. If you already have Java 7 installed, then I don’t think installing Java 6 (any version) will help.

      1. Ron wrote on :

        you should leave it up to the user to decide when and what they want to upgrade. then maybe take some time off from trying to force others to do what you think is best and see a doctor about your control issues!

  14. Daniel wrote on :

    I have an older Cisco router with a GUI that can only use Java 6u21. (Cisco won’t support the router any more without many $$$. I have no idea why Cisco can’t/won’t write portable software.)

    Is there any chance of enabling older JavaVMs for “safe” addresses?

  15. John Rainey wrote on :

    Updating to Java 31 has a bug. When you try to install it says error 1713, cannot delete old version. If you delete from the pc and try to load it says cannot find the msi even though it is there. So streaming is now disabled on Firefox. GREAT!

  16. Walter wrote on :

    Firefox with the java-plug in was/is the only possibility to work with logmein.com
    For the rest all installation of any kind of software is blocked by company rules.

    So many thanks, now I can’t use logmein any more to reach an outside machine.

    As body shopper I assist many customers at the same time and with logmein I can do that cost/time efficient

  17. Andrew wrote on :

    May this blocklisting cause problems browsing any sites such as Twitter or Facebook?

    1. Jorge Villalobos wrote on ::

      The Facebook photo uploader used Java at some point, but I think it was changed to use something else. Blocking Java shouldn’t be a problem for the majority of popular sites. And, of course, you just need to update Java in order to continue using the plugin.

      1. Ron wrote on :

        you just need to stop trying to control people, and upgrade your psychiatrist!

      2. Tim wrote on :

        The real problem is many applications require a certain version of java, and no other version will work. While java promised to have any new version work with applications written for older versions, that never happened, and by blocking certain versions of java you’ve blocked many, many applications (you see, many people were using Firefox in the workplace, and those java applets do not work on the new version of java). So, “update your java” is not a valid course of action for many.

      3. Blenno wrote on :

        I believe it uses Flash now.

  18. Quevaal wrote on :

    I certainly understand the rationale behind blocking older java versions. However, this could be done more user friendly. Instead of merely notifying users that java is disabled, they should be guided to java.com so that they could install new java right away. (I think Chrome does this) I work in a bank, and we have lots of older customers with Firefox who don’t know where to start when they have to upgrade java, so this is causing us lots of trouble when we have to guide them on the phone.

  19. Tom Wong wrote on :

    Because of my other application requirement, I need to stick to old version of Java runtime at my own risk. But today when I try to use Add-on Manager -> Plugin, I only see the entry that Java platform was disabled, but there was NO Enable button in that entry for me to enable it at my own risk. I am using Firefox 11.0. Thx.

  20. Michele wrote on :

    Just received on my Mac the new version of Java via “Software update…”

  21. kreeves wrote on :

    Is there a way to unblock Java for certain domains? We have some internal applications running Java and they don’t play well with the newest versions of Java.

    Thanks!

  22. Daniel wrote on :

    How can one bypass the softblock (for legacy reasons)?

    1. Tim wrote on :

      http://support.mozilla.org/en-US/kb/Firefox%20makes%20unrequested%20connections#w_extension-blocklist-updating

  23. Marc S wrote on :

    I do agree with the decision of Mozilla to block older Java version.
    But we need to run Oracle forms with a specific Java version.

    Is there a way to circumvent that blocking (in about:config for example) ?

    1. Tim wrote on :

      check my reply to the previous person that asked that (can’t duplicate messages on this board)

      1. Jon wrote on :

        Did that already. Didn’t work. Blanked the URL, didn’t work. Set the time to check to months… didn’t work.

        about:config settings are useless.

        I use Faronics Deepfreeze, so I can reset the devices I am working on with a reboot and try again.

  24. Nick wrote on ::

    Our CMS at work is Java-based. I understand the need for security, but this forced block is preventing us from getting work done and costing us money.

  25. Nick wrote on ::

    P.S. we can’t just update our JRE because our systems are policy-managed and end users don’t have administrative rights. IT can and will fix this, but Firefox’s unilateral enforcement is doing an end-run around our policy by breaking functionality.

  26. Bill Day wrote on ::

    As of Wed Apr 4 15:14:19 UTC 2012 the http://www.mozilla.org/en-US/plugincheck/ is saying “Java Applet Plug-in” is vulnerable, and Firefox:Addons:Plugins says it is version 14.2.0 as installed by Apple’s update “Java for OS X 2012-001” dated 4-4-2012.

    Firefox still saw it as 14.1.0 until I did a “touch” to change “Jun 16 2011” date of: //System/Library/Java/Support/CoreDeploy.bundle/Contents/JavaAppletPlugin.plugin and after that it correctly saw the version: Contents/version.plist: 14.2.0
    So firefox seems it might not actually look at version of plugin until file date changes?

    In any case, http://www.mozilla.org/en-US/plugincheck/ is still saying vulnerable for 14.2.0 even after apple update which, on mac os x 10.7 provides:

    java version “1.6.0_31″
    Java(TM) SE Runtime Environment (build 1.6.0_31-b04-413-11M3623)
    Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01-413, mixed mode)
    wl-10-180-159-212:JavaAppletPlugin.plugin ttsadmin$

    1. Jorge Villalobos wrote on ::

      Yes, there is a bug on Mac OS where out of date info appears in about:plugins. What I did to refresh the data was close Firefox and delete pluginreg.dat from the profile folder.

      We haven’t placed any blocks for Mac OS yet, but we will discuss doing this today, now that the update is available.

      1. Ron wrote on :

        you should discuss this whole control issue with your doctor first

      2. AZ wrote on :

        Jorge,

        I’d suggest you guys test with versions of Mac OS older than 10.6 (as stated in the bug 739955). Users of Mac OS 10.5 and older cannot install a version of Java >= 1.6.0.

  27. Kim wrote on :

    I enjoy using Firefox at home and at work. I had to turn off extension blocklist at work because I have no control over when the desktop group will put out an update for Java and I needed to continue to work. So now I have no protection from what else might be blocklisted since I could not make a choice on allowing one add-on only (disappointed). The other problem is at home. When I updated to java 6.31 I started getting some error messages, I think it was about encryption, so I rolled back to java 6.29. I don’t think java 6.31 is stable.

  28. AZ wrote on :

    Although I understand that older versions of the JRE are potential security problems for users, blacklisting older versions of Java will do nothing but harm Firefox’s marketshare. Here are three cases/examples that I can quickly identify to prove my point:
    1) Corporations that have a desktop image will be required to update the image to use a newer version of Java just to keep Firefox usable for any sites that require Java (like banking).
    2) Some websites require an older version of Java in order to function correctly. Although this is an indication of websites that needs updated, many businesses don’t have the resources to do so.
    3) It is considered best practice for software developers to maintain old versions of browsers and associated/needed plugins to ensure backward compatibility. As such, Firefox will no longer be a viable browser in this type of compatibility testing.

    Three last points:
    1) I must strongly object to the “haste” at which this process took place. You provided no prior notification to your users that this would take place. As a result, many users assume it is a problem with the website they are visiting.
    2) Macintosh has a significantly harder upgrade path for Java. Users of Mac OS X 10.5 cannot obtain a version of Java that is “marked” as higher than 1.5.x. Their version of Java comes from Apple.
    3) Sun’s JRE automatically provides an update feature…as does Adobe Flash. Users that ignore this (or purposely choose to disable this feature) are doing so for a reason. What’s next? Will you blacklist all but the latest version of Flash and Silverlight?

    Snap decisions like this are reasons why Firefox is losing corporate marketshare and website developer use. Why should a website developer choose to “support” Firefox if choices like this can render a site unusable so quickly? This “bug” item was reported on March 28, 2012. On April 2, 2012, you blocked countless users from accessing websites that they were using regularly.

    1. Christian Holler (:decoder) wrote on :

      AZ: The decision for blocking the vulnerable versions of Java was not done lightly. The reason for the blocking is *active* exploitation in the wild. This is no theoretic threat, the exploit is part of several well known exploit kits and in fact included in many hacked websites by now. A quick reaction was required to prevent lots of machines from being compromised fully automatically. I would agree with you if this was a theoretical thing, but it is not.

      Chris

      1. Jon wrote on :

        Fine. Give me the tools to optionally disregard this not-lightly taken decision.

  29. John Barker wrote on :

    This is one of the WORST decisions FireFox could EVER have made. In our Educational environment, there are many programs we use that, unfortunately, will NOT work properly with a newer version of Java; ergo, we are keeping using the older edition, knowing there may be security holes.

    WE TAKE THAT RISK.

    Now, however, you’ve given us no choice but to go back to Internet Explorer because you’ve blocked Java, the only version that will work for us. There appears to be no work around. There appears to be no “let us decide, we’ll take the fall”.

    I cannot believe this crap. FireFox used to be such a good browser. The more it gets changed, the more my users will abandon it.

    1. jobz wrote on :

      i agree…

    2. Tom Wong wrote on :

      Totally agree.

    3. Blenno wrote on :

      True, Firefox is not a browser for risk takers, that’s what old versions of IE are for.

  30. ooga wrote on :

    Seems to have been a “shoot first, ask questions later” approach here (see the Iced Tea thing for eg — they didn’t even have a clue as to what the version strings looked like or meant, but blocked it anyway). So yeah, block Java, and hence a hell lot of apps, for a ton of users, many of whom may not have admin rights to update software. Then try and clean up afterwards. Very smart.

    In the end, it’s just powertripping by the devs … nothing new, move on kids.

  31. Lenise wrote on :

    People get a grip. You have an option to re-enable the outdated Java for whatever reason if you choose. Blame your incompetent IT departments for not updating apps in time, they had years since Java version 16 is beyond ancient. Java is one of the most exploited vectors, and bad guys right now as we speak are screwing people over, not that it matters to you at all, your inconvenience is more important apparently.

    What is this? Lemmings? You want all of Firefox users to jump off the cliff with you? Pleeeaasseee

    1. Jon wrote on :

      I am the IT department you want me to blame.

      I imaged 1200 devices with 80GB images. There are numerous JAVA apps included. Some are new, Some are old. All are needed for classwork and upcoming final exams. These went through weeks of testing. They will be re-imaged next semester. If you can guarantee that upgrading JAVA will not cause a single problem I’ll be happy to push it. I’m guessing I know more about my systems and situation than you.

      If you can’t then perhaps you should quit calling people “lemmings” simply because you don’t understand what they are dealing with.

      Furthermore, if we want to explore the “Lemming” metaphor: as it is now, I am falling over a cliff because I WAS NOT ALLOWED to do anything but follow the herd.

      1. Lenise wrote on :

        Everything you said is exactly what I am talking about, it is not even funny b/c you don’t see how clueless and arrogant you are, the “its so hard, you don’t even know so don’t even..attitude”. You give IT people a bad name.

        I work at one of the largest biotech contractors in California, and while as lab technicians we don’t have the usual antagonistic b/c our IT department actually is competent and treats us as adults explaining what they are doing.

        As such, they already deployed the Java update 31 weeks ago and what is a crisis for poorly run IT department like yours, is business like usual at mine.

  32. Jorge Villalobos wrote on ::

    To everyone who is having problems with the block: we have posted an update. It includes steps for reloading the blocklist and re-enabling disabled versions. Please let us know if that still doesn’t work for you.

    1. Staples wrote on :

      But is there a way to disable the check….

      I have 1800 installs of firefox and users calling helpdesk because they do not have rights to update Java (it requires admin access). Java is in the process of being tested and distributed, until then users are calling helpdesk because verbiage user is presented with is harsh.

      Can we disable the check until we have Java ready?
      Vulnerability or no vulnerability… if we can’t work with a version of java that breaks our applications.

      Nice one mozilla. Screw enterprises again.

  33. Jillian wrote on :

    Well, you blocklisted my java and it won’t work. Tried to download the newest version of Java and I get an error code 1606 could not access network location. I tried to download both online and offline versions and it won’t let me. I’m assuming because Mozilla has blocklisted java!!!!! The older version was working just fine 2 days ago. Fix this problem!!!!!!

    1. Jorge Villalobos wrote on ::

      The blocklist only disables the plugin. It doesn’t prevent you from downloading or installing any version of Java.

      1. Staples wrote on :

        No but Java Sucks to install and update.

        to get rid of 1606 error. you can try:
        1. Remove anything that says Java in add remove programs (jdk or se – any version).
        2. use MSIZap.exe to clean up old java fubared installs. Java craps out from time to time with their crappy installs.

      2. Ron wrote on :

        you screwed the pooch on the version detect, how do we know you didn’t screw this up as well?

        by the way, have you seen your shrink yet??

        1. Anders wrote on :

          Please cease the personal insults.
          Yes there was a screw-up here which affected you, me and a bunch of other people, and by now the Mozilla guys know that.

          No need to act a dick over and over again, on each post they make as it won’t help anyone.

    2. Staples wrote on :

      Dude, tell other companies… like the ones that make Java Apps to update their applications, we take precautions with keeping 1.6.16 since it is unavoidable.

      Mozilla is just the punk on the block telling everyone that they need to clean up their shit.

  34. Luke wrote on :

    HELP!!!!! HOW DO I ENABLE THE JAVA PLUGIN THAT HAS BEEN BLOCKED? I CANNOT UPDATE THE NEW ONE, SO HOW DO I UNBLOCK THE OLD??????

  35. jobz wrote on :

    thx for re-enabling the java platform… but still… there’s an error when we install the new version… PLEASE… “THINK BEFORE YOU CLICK!” maybe you should check all the errors before you decided to produce an update. this is for the good of the mozilla users.

    some companies using INTERNET may take risks because of this. they will blame you…

  36. Bernard wrote on :

    Any change of user software configuration is only acceptable if the user has the option of timing the transition, and if it is possible to seamlessly upgrade to the latest patched version.

    At least enough time has to be provided so that users can consult their administrators.

    The java plugin apparently does not update itself.

    It is very irritating that in this column no attempt is made to even point out an easier transition. You guys don’t even pretend to know what options exist. Very shoddy, naive and unprofessional.

    What an insult to say that all this does not matter because of perceived low market penetration of the plugin. You are shutting down business critical corporate desktop applications based on Java Web Start. Any person who says that any portion of the user/customer community does not matter, should a) not be allowed to have any contact with the public, b) not be allowed to make any changes to this software.

  37. TimO wrote on :

    Windows 7, Firefox 11. I have reinstalled Java 7.3, I can see plugin dlls in a new jre7 directory. deployJava1.dll and npdeployJava1. I can see Java Deployment Toolkit, 6.2.200 in the Add on Manager\Plugins and also in about:plugins but not Java. This Java panel in Add on Manager\Plugins was tagged with the note about the blocklist, before it disappeared after my hacking around. I cannot push an enable button that is not present. I suspect I somehow corrupted my profile by moving the plugins around in previous experiments. How do I get the Firefox to see my new, safe Java Plugin?

  38. Anders wrote on :

    While you’re updating the plugin detection logic, could you also please distinguish between Sun’s / Oracle’s Java implementation and others?
    Particularly we have IBM’s java on some machines and from what we’ve heard from that company, they use a completely different code branch for their JVM (except for the classes which they share with the rest of the vendor community). This block fired on IBM’s java as well and from what I’ve read, the issue Oracle identified was for *their* implementation, not any other vendor’s.

  39. Tony wrote on :

    FF just blocked Java SE 6 U31 (6.0.310.5) today in XPSP3.
    Seems that the Java update option may have pulled a new-er version and tripped the block.
    But 31 should be fine.
    How does the version detection work?

    Thx

  40. AJ wrote on :

    FF hard-blocked “Classic Java Plug-in 1.6.0_U31 for Netscape and Mozilla” (6.0.310.5) in Win7.

    about:plugins shows:

    Java(TM) Platform SE 6 U31

    File: npjp2.dll
    Version: 6.0.310.5
    Next Generation Java Plug-in 1.6.0_31 for Mozilla browsers

    note that all entries under this plug-in are listed as Enabled (yet test at java.com fails).

    Why is 1.6.0_U31 hard-blocked? I thought that version was supposed to be OK. Thank you.

  41. Gary Beckmann wrote on :

    On Centos 5.8 (2.6.18-308.11.1.el5) using java version jre-1.7.0_05-fcs

    > java -version
    java version "1.7.0_05"
    Java(TM) SE Runtime Environment (build 1.7.0_05-b06)
    Java HotSpot(TM) Client VM (build 23.1-b03, mixed mode, sharing)

    This is loaded using jre-7u5-linux-i586.rpm which I just downloaded from the java.com site. Yet Java continues to be blocked. Am confused as to why this works on Windows but not Linux.

    Can someone tell me which version I should be using on Linux as the “latest” version is still blocked.

    1. Jorge Villalobos wrote on :

      Can you give us the information you get from about:plugins? The mime-type table isn’t necessary.

      1. bakkies wrote on :

        java version "1.7.0_05"
        Java(TM) SE Runtime Environment (build 1.7.0_05-b06)
        Java HotSpot(TM) 64-Bit Server VM (build 23.1-b03, mixed mode)

        Adobe Reader 9.4

        File: nppdf.so
        Version:
        The Adobe Reader plugin is used to enable viewing of PDF and FDF files from within the browser.

        MIME Type Description Suffixes
        application/pdf Portable Document Format pdf
        application/vnd.fdf Acrobat Forms Data Format fdf
        application/vnd.adobe.xfdf XML Version of Acrobat Forms Data Format xfdf
        application/vnd.adobe.xdp+xml Acrobat XML Data Package xdp
        application/vnd.adobe.xfd+xml Adobe FormFlow99 Data File xfd

        my java is blocked too and I NEED it to run remote consoles!

  42. Gary Beckmann wrote on :

    You will note that Java doesn’t even show up in the list. That confuses me

    Shockwave Flash
    File: libflashplayer.so
    Version:
    Shockwave Flash 10.3 r183

    Adobe Reader 9.4
    File: nppdf.so
    Version:
    The Adobe Reader plugin is used to enable viewing of PDF and FDF files from within the browser.

    Citrix Receiver for Linux
    File: npica.so
    Version:
    ICA Plugin (Linux) Version 11.100.158406 (/usr/lib/ICAClient/wfica)

  43. Sukhbir S Yadav wrote on :

    The latest Oracle jre available (as on 15-Aug) is 1.7.0_5 from http://www.java.com which is same as Version 7 Update 5.
    Funny thing is https://addons.mozilla.org/en-US/firefox/blocked/p125 gives following info:
    Who is affected?
    All Firefox users who have installed the Java plugin, JRE versions below 1.6.0_33 or between 1.7.0 and 1.7.0_5.
    So Mozilla has blocked the latest jre 7u5. This is probably the reason why my jre plugin for 7u5 is not working. So I cannot use jre 7u4 nor 7u5. Now where should I go from here?
    Please, at least tell me, which lines of /firefox/blocklist.xml should I comment-out so that I am able to use 7u5?
    I use Ubuntu 12.04 and the latest Firefox.

    1. Nicolas Briche wrote on :

      You can go to Addons Management / Plugins and re-enable it.

      However, you have to do it again every time the plugin gets blacklisted, if you didn’t uncheck the right box when Firefox asks you to.

      So if you have, say, 250 Firefox installations and a crappy but pretty critical Java-based webapp, like I do, and most of your users are computer-illiterate, you have to go around and manually correct 250 Firefox installations every time Mozilla blacklists a Java plugin. Which is every time Java updates, basically.

      Yeah, I’m not happy about that.

      What I want to know myself, is how can I inhibit the blacklists so I can choose which plugins to blacklist, and which ones to whitelist? Or how to enable/disable plugins from command-line so I can script it?

      Because spending half a day correcting Java/Firefox interactions every few days is NOT what I’m paid for.
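
The block description quoted in comment 43 can be checked against the version strings reported in comments 39 to 43. This is an added example, not Mozilla's blocklist code and not part of any comment: the function names are hypothetical, and the inclusive versus exclusive reading of "between 1.7.0 and 1.7.0_5" is an assumption made explicit as a parameter.

```python
import re

# Ranges as worded in the block description quoted in comment 43:
# "JRE versions below 1.6.0_33 or between 1.7.0 and 1.7.0_5".
# (major, lowest update, upper update, upper bound reading)
QUOTED_RANGES = [
    (6, 0, 33, "exclusive"),  # "below 1.6.0_33" leaves 6u33 itself out
    (7, 0, 5, "ambiguous"),   # "between ... and 1.7.0_5" can be read both ways
]

_JRE = re.compile(r"\b1\.(\d+)\.0(?:_(\d+))?")   # 1.7.0_05, jre-1.6.0_31
_NAME = re.compile(r"\bSE (\d+)(?: U(\d+))?")    # Java(TM) Platform SE 6 U31


def parse_java_version(text):
    """Return (major, update) as integers, so that _05 and _5 compare equal."""
    m = _JRE.search(text) or _NAME.search(text)
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_blocked(text, upper_inclusive):
    """Check a version against QUOTED_RANGES under one reading of 'between'."""
    major, update = parse_java_version(text)
    for r_major, low, high, reading in QUOTED_RANGES:
        if major != r_major:
            continue
        inclusive = upper_inclusive and reading == "ambiguous"
        if low <= update < high or (inclusive and update == high):
            return True
    return False


if __name__ == "__main__":
    # Version strings as they appear in the comments above.
    samples = ["1.6.0_31", "Java(TM) Platform SE 6 U31", "1.6.0_33", "1.7.0_05"]
    for s in samples:
        print(f"{s:30} inclusive={is_blocked(s, True)} "
              f"exclusive={is_blocked(s, False)}")
```

Under the quoted wording, 6u31 falls inside the first range whichever way the second is read, while 7u5 is covered only if the upper bound is inclusive. The dotted file version shown in about:plugins (6.0.310.5) is not parsed here.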

  44. fred wrote on :

    Yeah well just about over this FF Thing… sick of dropouts, issues after upgrade, blacklisted add-ons have used it many many years ago and never went back to it I guess I now know why…

  45. Annoyed wrote on :

    The *latest* version of Oracle Java, jre-7u9-windows-x64.exe, is blocked in Firefox 17.0.1 but shouldn’t be.

    According to https://www.mozilla.org/en-US/plugincheck/
    Missing Java? For your safety, Firefox has disabled your outdated version of Java. Please upgrade to the latest version.

    If you go to about:plugins it is now helpfully labelled “Enabled Plugins” so you can’t even get any information for blocked plugins. Niiiice.

  46. John wrote on :

    Question. If I update a JAVA plugin in Firefox does it get also processed in Microsoft IE?

    1. Jorge Villalobos wrote on :

      When you update Java, it updates the plugins for all browsers.

  47. Kenneth C Young wrote on :

    I am reading about the securities concerning the Java script and where it is advised to upgrade however I am suspicious of even doing an upgrade. Do we need this plugin to begin with and if not I think I will stay clear of Java altogether.

    Kenneth

  48. jianmei Tang wrote on :

    May I ask, is this Java the latest version?