Update on Java Blocklist


We blocklisted the Java plugin yesterday, and there are 2 major updates that you should know about.

Firstly, Apple has released a security update that fixes the security vulnerability in Java. All Mac OS X users should run Software Update and update their Java software as soon as possible. It should be noted that we haven’t blocklisted Java on Mac OS X yet, but we might do so in the following days. If we do so, it will be softblocked, meaning that you still have the choice to keep the plugin enabled.

Secondly, we made a mistake that caused the Windows and Linux block to apply as a hardblock instead of a softblock. This gave affected users no alternative other than disabling the plugin. The problem has been corrected and the block is now back to working as a softblock. However, it can take up to 24 hours for the blocklist to be reloaded, so here are the instructions you should follow to reload it and enable the plugin.

There are 2 ways to do this, and either one should be sufficient to correct the problem.

A) Install the latest version of Java from java.com.

B) Delete the blocklist.

  1. Open about:support.
  2. Look for the Profile Directory entry and click on the button next to it in order to open it.
  3. Look for blocklist.xml.
  4. Close Firefox and delete the file. Update: according to the comments below, you might also need to delete pluginreg.dat in the same directory.
  5. Open about:addons.
  6. Enable the plugin again.

In a day or so (when the blocklist is reloaded) you’ll see a new warning about the plugin if you’re using a vulnerable version, which you should be able to ignore. Even if you accidentally disable it again, you can follow steps 4 and 5 and this should correct the problem permanently.

Once again, you only need to do one of the 2.

We apologize for the immense inconvenience this has caused. It was never our intention to leave everybody with no choice, although we still strongly urge everyone to update to safe versions of Java as soon as possible.


Categories: end users, general

33 responses

  1. Bruce

    Sorry, doesn’t work.

    verified path to profile
    stopped/closed Firefox – verified on taskmanager
    blocklist.xml – renamed to o_blocklist.xml
    started Firefox
    about:addons – doesn’t work, used about:plugins
    Java Platform SE.. does not show up in list to enable
    Looked at Tools->Addons->Plugins, Java Platform SE 6 shows disabled for ‘my own protection’ – no ability to enable.
    Looked at pluginreg.dat – Java Platform SE 6 does not show up.

  2. Bruce

    You are missing a step. You also need to delete/rename pluginreg.dat. I renamed it to o_pluginreg.dat.. and they all came back…

  3. Bruce

    Ok.. got a hack to fix it.. the problem is in one line in pluginreg.dat. To ‘hack’ it, you need to be out of Firefox. The line after “C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll”. It will look something like:

    1326757543279|1|21|

    Change the ‘21’ at the end to a ‘1’. I suspect that the 21 represents the hardblock. I later got a ‘5’ in this slot, which I suspect is a ‘softblock’. I used WordPad to edit. This way you don’t lose the disables that you already have. Disclaimer: since this is ‘hacking’ the file, make a backup first, and if you do screw this particular file up, you can just delete it, causing all plugins to come back.

    NOTE: This also indicates to me that prefs.js: user_pref("extensions.blocklist.enable", false);
    does not work ‘correctly’, instead it controls the update of pluginreg.dat and blocklist.xml as opposed to whether they are used or not.

    1. Bruce

      Or that the hardblock completely ignores user_pref("extensions.blocklist.enable", false);

    2. Skip_au

      Thanks Bruce – in my case did remove blocklist.xml, rebooted – and then still no enable java RE button. I removed pluginreg.dat, restarted, enabled the java plugin. I noted then that deleting pluginreg.dat changed ALL my disabled plugins to enabled (THAT SHOULD HAVE BEEN STRESSED ABOVE). After reading your comment I put back the old pluginreg.dat file, and restarted. The plugin still kept java enabled and had the button to disable/enable button for java RE, so did not have to edit file like you did. Finally after many wasted hours trying to sort this mess out – it is all good.

      It’s a good idea if you’re here repairing this mess to use quickjava (java toggle button) http://bit.ly/HWL4KK until like me you are ready to do your JRE upgrade. (I have other software that has JRE dependencies and it WILL BREAK with JRE >= 1.6.24)

      1. Bruce

        All the plugins being enabled after removing pluginreg.dat is the reason I said “.. and they all came back” (unfortunately I can’t sound like Heather O’Rourke on Poltergeist when typing that). I use NoScript to control Java and Javascript.. to only the sites I trust. It looks like you put the pluginreg.dat back about when they were pushing out the update.

        PS: I don’t work for Mozilla.. I just got real P-O’d when my Java was shut off.. I needed it for what I was working on. When I get P-O’d, I tend to …um… let’s say, ‘change hats’..
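
Added example (not part of the original post, not any commenter's code, and not Mozilla's): a read-only Python check that lists the state line Bruce describes for each plugin in pluginreg.dat, so the flags can be inspected without deleting the file and re-enabling every disabled plugin. The bit meanings (0x01 enabled, 0x04 loaded from cache, 0x10 blocklisted) and the `plugin_states` helper are assumptions, chosen because they are consistent with the values 21, 5 and 1 reported in the comments; the sample data is constructed.

```python
import re

# Assumed bit meanings for the flags field (not confirmed by the page); they are
# consistent with the values 21, 5 and 1 reported in the comments.
FLAG_ENABLED, FLAG_FROM_CACHE, FLAG_BLOCKLISTED = 0x01, 0x04, 0x10

# "timestamp|n|flags|" as quoted in the thread; a trailing "$" is tolerated.
STATE_LINE = re.compile(r"^(\d+)\|(\d+)\|(\d+)\|\$?$")
# A line holding a full plugin path (Windows, Linux or Mac OS X plugin file).
PATH_LINE = re.compile(r"^(.*[\\/][^\\/]+\.(?:dll|so|plugin))(?::\$)?$", re.I)


def plugin_states(text):
    """Return [(path, flags, blocklisted, enabled)] without modifying anything."""
    results, current_path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        path = PATH_LINE.match(line)
        if path:
            current_path = path.group(1)
            continue
        state = STATE_LINE.match(line)
        if state and current_path:
            flags = int(state.group(3))
            results.append((current_path, flags,
                            bool(flags & FLAG_BLOCKLISTED),
                            bool(flags & FLAG_ENABLED)))
            current_path = None  # one state line per plugin entry
    return results


# Constructed sample in the layout the comments describe (not a real file).
SAMPLE = r"""
[PLUGINS]
npjp2.dll
C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
6.0.220.4
1326757543279|1|21|
Example Viewer
C:\Program Files\Example\npexample.dll
1.0.0.0
1326757500000|1|5|
"""

if __name__ == "__main__":
    for path, flags, blocked, enabled in plugin_states(SAMPLE):
        print(f"{flags:>3}  blocklisted={blocked!s:5}  enabled={enabled!s:5}  {path}")
```

To run it against a real profile, read a copy of pluginreg.dat taken while Firefox is closed and pass its text to `plugin_states`.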

  4. Jillian

    B) Delete the blocklist.

    WHERE DO I FIND THIS?????

    Open about:support.
    Look for the Profile Directory entry and click on the button next to it in order to open it.
    Look for blocklist.xml.
    Close Firefox and delete the file. Update: according to the comments below, you might also need to delete pluginreg.dat on the same directory.
    Open about:addons.
    Enable the plugin again.

    1. Jorge Villalobos Author

      “Open about:support” means the same as “Open a new tab. Type about:support in the URL bar (where the web address would normally be). Press ENTER.”

      1. Jillian

        Followed the instructions above and it still doesn’t work. I cannot download java in any form. When I do download Java it continues to say “Error code 1606 Cannot access network”. Java says to download newest version “offline” to by-pass error code but have tried that many times and it still gives me the same code. I’ve emailed Java but they say they will not respond unless many people with the same issue complain unless I want to pay $50 for them to fix my issue. I do not have an extra $50 to waste on a problem that was not mine in the first place. This is a Mozilla issue and Mozilla needs to contact Java and work this out. Really pissed off…..

        1. Bruce

          Need more specific info. What Operating System? Are you running with admin privilege when trying to install? There is also more to the error message that you are not entering – what is the full error message? How are you trying to get at Java and with what browser/version? Are you connected to the internet in a different way than you normally do? One thing I noticed is that Oracle needs Javascript enabled to download, but that is not the same as Java. The notes I see on the 1606 error indicate that it is a Microsoft internal error.

          http://support.microsoft.com/kb/886549

  5. Eloy

    I was just downloading Chrome when I saw this. Thanks.

  6. John Q Public

    It came as a sudden shock that Mozilla has such control over my private computer. Softblock, hardblock, what other secret backdoors do you have available?

  7. heh

    You probably caused one bank in Finland to have somewhat angry call as it uses java as its platform to verify users. i bet they have a full week of work in their hands when all the old people call why their banking is not working.

  8. dave

    so i can see in my pluginreg.dat the entry that is being referenced after the npjp2.dll, however on one of my clients machines, the number is actually 5. but he still does not have the option to enable. he is running FF 8 with java u29. some of my other clients that did not have the enable option yesterday DO have the enable option today; and this occurred without having to rename or delete any files. seems to have resolved on its own. so it seems as if the issues are sporadic. are the issues FF vrs related or java vrs related?

    also, which of the two files being deleted is actually going to RE-ENABLE all the add-ons?

    i like the option of just renaming the entry line after npjp2.dll to address the java plugin; but if the entry line already says 5, what would be the next steps? should we still rename to 1, close FF, and relaunch to see if this resolves the issue? if it does not, what would be next?

    1. Bruce

      As mentioned, an update was pushed out, changing the mandatory block to a soft-block… that is why some of your machines started working w/o changing. The line after npjp2.dll should be the second line after.. not immediately after.. or that is how it was on my machine. The line should kind of look like what I put up.. but in your case having a ‘5’ in place of the last ‘21’. Two files seem to be used on the blocks: blocklist.xml and pluginreg.dat. All the touching of these files HAS to be done with Firefox not running. Did you try deleting blocklist.xml? If you have a ‘5’, the plugin should be runnable.. you might not have the enable button on the plug-in.. but is the plugin shown in Tools->Addons->Plugins dark or grayed out? There is a real wicked looking pattern match in blocklist.xml @ line 196 that seems to handle the block.. older version had it at line 197.

  9. Jack

    Why don’t you guys post a good fix to the JAVA block even if it means using other browsers until you have a real fix, better using another browser for a while so we can work than leaving and never coming back, we are trying to stay on, if you care, let’s see

  10. Vijay

    I am using Firefox 3 and Java 1.6.0_02, as my application works better only with specific versions of Java and Firefox.

    1. Open about:support. – Didn’t work in Firefox 3
    2. Look for the Profile Directory entry and click on the button next to it in order to open it. – Where is it in Firefox 3
    3. Look for blocklist.xml. – deleted the file, but didn’t work.

    I spent enough time to find a fix, but couldn’t. Please assist.

    1. Jorge Villalobos Author

      In your case, you can look into this article on how to find your profile folder. However, Firefox 3 doesn’t make a distinction between softblocking and hardblocking, so you can’t permanently continue using the vulnerable version, unless you disable the blocklist altogether.

      You should definitely update to a more modern version of Firefox, though. If you depend on an application to do this, then you should find a way to contact the developers and try to get them to update it. Not only are you using a very vulnerable version of Java, but you’re also using a very vulnerable version of Firefox.

  11. m80116

    Thanks for ruining my day with your STUPID block list edict.

    I have my own mind to decide what’s worth for me, what are the risks, what are the downsides. I’ve lost far more time trying to unlock the NECESSARY plugin I NEED (that blocked version) rather than fight 100 viruses and trojan horses.

  12. m80116

    You shouldn’t have the option to leave users w/out choice in the first place.

    That’s like a cocked shotgun you see… you don’t want to shoot us, but eventually you do.

  13. Pierre D.

    You say that “the block is back to working as a softblock”.

    Problem is that I have to maintain a web application designed for Firefox 3.0.9 and Java 1.6.0.17 (old versions imposed by software policy), and on this version of Firefox, it’s still a hardblock.

    I think it’s because you used the “severity” attribute of “version range” element in “blocklist.xml”. But as mentioned on https://wiki.mozilla.org/Extension_Blocklisting:Code_Design , this attribute seems to not work on versions under Firefox 3.1.

    The only solution I found is to delete the p80 block in blocklist file, but:
    - my users can’t do it themselves
    - blocklist is overwritten every day…

    Any suggestion ?

    1. Pierre D.

      Sorry, I didn’t see your answer to Vijay before posting.
      It’s not possible for my client to update Firefox, and it’s not necessary for him (this web application is only deployed in private network).

      1. Blenno

        Then why are these machines connected to the Internet?

    2. Anon

      “this web application is only deployed in private network”

      Then set it up so that version of Firefox isn’t allowed to access the Internet. You do have some sort of firewall, don’t you?

  14. mark

    Worked fine for me once i had deleted the blocklist file, thanks

  15. Anonymous

    Great!
    I have the latest JDK (.31) and it got blocked.
    The described fix doesn’t work.
    Now I have to look for a new browser, cause there are too many problems FF is triggering nowadays and that was the final one I was willing to observe…

  16. Anonymous

    Well, on FF 12, there is no blocklist.xml in the profile folder.

    1. Jorge Villalobos Author

      The only circumstance I know in which this can happen is that the blocklist hasn’t been loaded yet. Are you looking at the right profile folder?

  17. TimO

    Windows 7, Firefox 11, Java 7.3. Still cannot get Java to display my applet from my Website, comes up in Internet Explorer. Blocklist is deleted. Pluginreg.dat is regenerated when Firefox comes up so any changes to that is rewritten.
    Java Platform does not appear in add-ons manager/plugins or about:plugins BUT, Java Deployment Toolkit appears in both places.
    How does Firefox know where the Java Plugin lives? Does it use a search? does it have a Path Name coded somewhere? Is the information on how to process an applet cached somewhere?
    Jorge, are there other places I can look other than this blog?
    Sure like to figure this one out, I got nothing better to do. :)

    1. Jorge Villalobos Author

      If the plugin is not listed in the Add-ons Manager or about:plugins, then it means it’s not even installed. If this were a blocklist problem, you would see it listed and disabled. I recommend that you reinstall Java.

      1. TimO

        I should have included the information that Java runs from the command line and can display a little dialog box from a java swing program I wrote. Also Netbeans uses the installed java successfully. I uninstalled all other versions of Java except for Java 7.3. In the Program Files\Java folder there are jdk1.7.0_03 and jre folders, and there are dlls in both the jre folders with some of the common names, like deployJava1.dll and npdeployJava1.dll, in folders with names like bin\dtplugin and bin\dtplugin2. I don’t know what they are except I see those type of names in the blog entries I am reading.
        I made the (JAVA(TM) Platform SE 6 U22 6.0.220.4) tile in the addon Manager plugins disappear by messing around with some of those dlls. (it’s a debugging practice of mine to write things down like that so I can remember what they were if they go away). I have reinstalled Java 7.3 twice now in an attempt to bring it back.
        A plug in, should be just that, PLUG the thing in the right place and the music plays.
        All this is evidence that java is installed and the problem is Firefox cannot find it. I suspect I should try reinstalling Java 7.3, and if not working, I’ll reinstall the original 6.0.220.4 and try that..
        Next, I think I’ll reinstall Firefox with a clean profile, hope I can find a way to preserve my bookmarks!

        1. Jorge Villalobos Author

          This article explains how to back up your profile.

  18. TimO

    Got Java plugin running after days of messing around. When I went to reinstall Java following the link from Mozilla to Oracle and instead of pushing the big DOWNLOAD button, I followed a link in a sidebar to get Java 7.3, believing that version of Java was without the vulnerability. When I instead pushed the big DOWNLOAD button to install Java 6.31, then Java Platform reappeared in Tool/Plugins and in about:plugins, so I am puzzled but no longer sad, and back to using Mozilla instead of Internet Explorer.