As its name indicates, all you need to do is click on the dark plugin box in order to enable the plugin and continue using it normally. Additionally, there’s an icon that appears to the left of the location bar that allows you to enable hidden plugins, also depicted in the image above.

If you are using an affected version of the Flash Player plugin, we strongly recommend that you update it to the latest version as soon as possible.  Flash Player updates are available at adobe.com.

This is a click-to-play block, meaning that the plugin will be disabled by default, but you will be prompted if you visit a site that has a Java applet, giving you the option to enable it for that session, or always enable it for that site.

We recommend that you visit our plugin check page frequently, in case an update for the Java plugin becomes available soon.

We have enabled an update notification that will show up every time a user visits a site with a Java applet using a vulnerable Java plugin. The notification points to our Plugin Check page, which should assist users in getting Java up to date.

This block will be initially applied to Windows users and Linux users who have the Oracle version of the Java RE, but we expect to extend it to Mac OS X (where the majority of users are unaffected) and the IcedTea plugin on Linux.

You can check if your Java plugin is out of date on the Plugin Check page.

This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin (Version 6 Update 32 and below as well as Version 7 Update 4 and below) to Firefox’s blocklist.

Mozilla strongly encourages anyone who requires the Java JDK and JRE to update to the current version as soon as possible on all platforms.

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied. If the block is accidentally accepted, the plugin can be enabled again in the Add-ons Manager, in the Plugins pane.

Updated versions of the JRE for Windows and Linux operating systems are available through java.com. Mac OS X users can update to the latest version using the Software Update utility.

All users of Mac OS X 10.6 and above should have already been prompted to install this update. In order to avoid the block, please update immediately using Software Update. If for some reason you need to continue using an old version of the plugin, you can re-enable it in the Add-ons Manager.

One reason is that the Apple has already patched its Java software and the Software Update application is very effective doing its job. The other one is that there’s a bug in Firefox that prevents it from reloading plugin metadata after an update. This means that even if someone updates Java on Mac, Firefox will continue to say an old and vulnerable version is installed. This bug will be fixed in Firefox 12 and we will complete the block on Mac OS X after it is released on April 24th.

However, people who are using Mac OS X 10.5 and older won’t get the Java update, which means they will remain vulnerable unless they update their operating system or upgrade their hardware. For these users there’s no point in waiting, so we have blocked the Java plugin for them. This is a soft block, meaning that they are free to continue using the plugin if they choose to, at their own risk.

Firstly, Apple has released a security update that fixes the security vulnerability in Java. All Mac OS X users should run Software Update and update their Java software as soon as possible. It should be noted that we haven’t blocklisted Java on Mac OS X yet, but we might do so in the following days. If we do so, it will be softblocked, meaning that you still have the choice to keep the plugin enabled.

Secondly, we made a mistake that caused the Windows and Linux block to apply as a hardblock instead of a softblock. This gave affected users no alternative other than disabling the plugin. The problem has been corrected and now the block is back to working as a softblock. However, it can take as much as 24 hours for the blocklist to be reloaded, so here are the instructions that you should follow in order to reload it and enable the plugin.

There are 2 ways to do this, and either one should be sufficient to correct the problem.

A) Install the latest version of Java from java.com.

B) Delete the blocklist.

1. Open about:support.
2. Look for the Profile Directory entry and click on the button next to it in order to open it.
3. Look for blocklist.xml.
4. Close Firefox and delete the file. Update: according to the comments below, you might also need to delete pluginreg.dat on the same directory.
5. Open about:addons.
6. Enable the plugin again.

In a day or so (when the blocklist is reloaded) you’ll see a new warning about the plugin if you’re using a vulnerable version, which you should be able to ignore. Even if you accidentally disable it again, you can follow steps 4 and 5 and this should correct the problem permanently.

Once again, you only need to do one of the 2.

We apologize for the immense inconvenience this has caused. It was never our intention to leave everybody with no choice, although we still strongly urge everyone to update to safe versions of Java as soon as possible.

This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date.

Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms.

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

Updated versions of the JRE for Windows and Linux operating systems are available through java.com.

Update (12/04/04): Apple has released updated versions of the JRE for OS X Snow Leopard (10.6) and OS X Lion (10.7) through Software Update and support.apple.com/downloads/

Mozilla Sniffer

Issue

An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location. Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users.

Impact to users

If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location. Uninstalling the add-on stops this behavior. Anybody who has installed this add-on should change their passwords as soon as possible.

Status

Mozilla Sniffer has been downloaded approximately 1,800 times since its submission and currently reports 334 active daily users. All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected.

Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.

Credit

This issue was originally reported by Johann-Peter Hartmann.

Note

Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers. For this reason, we’re already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site. Here’s more information about it.

CoolPreviews

Issue

A security escalation vulnerability was discovered in version 3.0.1 of the CoolPreviews add-on. The vulnerability can be triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer. Version 3.0.1 and all older versions have been disabled on addons.mozilla.org, and a fixed version was uploaded and reviewed within a day of the developer being notified.

Impact to users

Proof of concept code for this vulnerability was posted on this blog, but no known malicious exploits have been reported so far. If a user has a vulnerable version installed and clicks on a malicious link that targets the add-on, the code in the malicious link will run with local privileges, potentially gaining access to the file system and allowing code download and execution.

All users of CoolPreviews should update to the latest version as soon as possible in order to avoid exposure.

Status

Currently, 177,000 users have a vulnerable version installed. This is less than 25% of the current install base and it will continue to decrease as more users are prompted to update to a new version. Vulnerable versions will also be blocklisted very soon.

Credit

This issue was originally reported by Alice White.

After a few days’ work, we now have the AMO Editor Guide on the Mozilla wiki. This guide covers all of the editor tools, testing set up, and the usual editor work, that can be summed up to two major responsibilities: reviewing add-ons and moderating flagged user comments.

This is meant to be a comprehensive guide, so I’ve tried to put everything we do in there. Every step we take and every policy we apply should be expressed in this guide in some form. And if it isn’t there, we’ll add it. There are, however, situations where we don’t have exact rules, and editors have to apply their better judgment. You shouldn’t see this as a script editors follow to the letter or as our final word in add-on quality. Add-on authors should always feel free to reply to reviews and let us know if they disagree with them. No message will go unanswered.

This guide should interest add-on authors, to better understand what we do and why. Also, if you’re interested in becoming an editor, this will give you a very good idea of what our day to day work involves. If you want to discuss this guide or suggest changes, I’ve opened up a topic in the Add-ons Forum for it.