Java 7 Update Notification Now Live

A serious Java vulnerability was made public earlier this week and is being actively exploited by attackers. Oracle released an update today that fixes this vulnerability, so we are now moving ahead to encourage all users to move to the new version.

We have enabled an update notification that will show up every time a user visits a site with a Java applet using a vulnerable Java plugin. The notification points to our Plugin Check page, which should assist users in getting Java up to date.

This block will initially be applied to Windows and Linux users who have the Oracle version of the Java Runtime Environment (JRE), but we expect to extend it to Mac OS X (where the majority of users are unaffected) and to the IcedTea plugin on Linux.

You can check if your Java plugin is out of date on the Plugin Check page.

5 responses

  1. XtC4UaLL wrote on :

    FWIW, I presume you are aware of http://www.securityfocus.com/archive/1/524073 already, no?

    1. Jorge Villalobos wrote on :

      Yes, we know about it. Since the vulnerability hasn’t been confirmed and there isn’t confirmation of it being exploited in the wild, we still believe that update 7 is the safest choice.

  2. Ken Saunders wrote on :

    “We have enabled an update notification that will show up every time a user visits a site with a Java applet using a vulnerable Java plugin”

    If the plugin check page can detect old, vulnerable, etc, plugins, can’t something be implemented to automatically check plugins and then notify users? It’s done for add-ons daily (at least the check is). I understand that they’re 3rd party plugins, but still, it would really help to keep users (including me) safe and up to date.
    Perhaps an official Mozilla add-on, or option to do it.

    I do my best to stay up to date on things through various tech news sites and by using software like FileHippo’s UpdateChecker, but sometimes I do miss things and the only time that Firefox users are notified is when there are very serious plugin issues, and even still, that news comes through places like here, and other blogs.

  3. Dave Tarbox wrote on :

    So Firefox (15.0, 64-bit, Linux) has disabled my Java plugin, doesn’t show it in my plugin list, and if I counter-intuitively, desperately, go to check add-ons, it tells me it disabled the plugin to protect me. Why can’t it tell me what it found, and what it wants? Since I can’t run the plugin, it can’t tell me what version it is. Furthermore, I did indeed download the newest JRE (1.7.0_03), and that’s rejected. Then I downloaded the latest 1.6.x JRE (1.6.0_35), and that’s rejected. Either of those should pass the regular expressions in the blocklist XML file.
    Or maybe I’m still getting the message because something is cached somewhere. I can’t tell, because it won’t tell me.
    Maybe the Java plugin doesn’t work in 64-bit Firefox on Linux? Maybe the 64-bit Firefox doesn’t work right for any plugin on Linux? Reading the source code of the report page, I speculate that in fact the page isn’t even getting a version string. That should display a different message.
    This really stinks in an enterprise environment where I can’t have root access.
    In effect I’m not being protected against anything; I’m being prevented from using Firefox.
    I’m not expressing my anger here, but it requires great restraint.

    1. Jorge Villalobos wrote on :

      The plugin should always be listed in the Add-ons Manager, in the plugins tab. If it isn’t listed there, it means that Firefox hasn’t detected it at all. If it is there, it should be possible to enable it again. Version 1.7.0_03 is considered unsafe, and you should use the latest one, which is 1.7.0_07.