<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Why an outdated Java Plugin is so serious</title>
	<atom:link href="http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/</link>
	<description></description>
	<lastBuildDate>Sat, 18 May 2013 08:51:04 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>By: gied</title>
		<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/comment-page-1/#comment-110510</link>
		<dc:creator>gied</dc:creator>
		<pubDate>Mon, 09 Apr 2012 19:15:12 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mozilla.org/security/?p=693#comment-110510</guid>
		<description><![CDATA[Personally, I think it would be great if banks themselves would block access with unsafe Java versions. If the version is unsafe, and there is an active exploit, then the PC should not be used for online banking. Period. The same should apply to other technologies used to access online banking that can be verified during the session.]]></description>
		<content:encoded><![CDATA[<p>Personally, I think it would be great if banks themselves would block access with unsafe Java versions. If the version is unsafe, and there is an active exploit, then the PC should not be used for online banking. Period. The same should apply to other technologies used to access online banking that can be verified during the session.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: decoder</title>
		<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/comment-page-1/#comment-110509</link>
		<dc:creator>decoder</dc:creator>
		<pubDate>Sun, 08 Apr 2012 23:49:48 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mozilla.org/security/?p=693#comment-110509</guid>
		<description><![CDATA[&gt; I think the layman’s part that’s missing from your message is something in the line of “Zeus is a trojan that specializes in the stealing of your online banking identifiers”. 

Yes, that information is surely useful for people that are not familiar with the purpose of the ZeuS trojan, thanks for mentioning :)

&gt; However Kim Ludvigsen still has a point that it would have been better to direct users to update their Java install, since many have two browsers installed, so they can, and will, go back to IE when Firefox fails to do their on-line banking.

He certainly has a point, and I agreed with that before. The blocklisting UI needs more work and that is already known and recognized as a problem. Very soon, we will also have a click-to-play mechanism that might make some blockings obsolete.]]></description>
		<content:encoded><![CDATA[<p>&gt; I think the layman’s part that’s missing from your message is something in the line of “Zeus is a trojan that specializes in the stealing of your online banking identifiers”. </p>
<p>Yes, that information is surely useful for people that are not familiar with the purpose of the ZeuS trojan, thanks for mentioning <img src='http://blog.mozilla.org/security/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>&gt; However Kim Ludvigsen still has a point that it would have been better to direct users to update their Java install, since many have two browsers installed, so they can, and will, go back to IE when Firefox fails to do their on-line banking.</p>
<p>He certainly has a point, and I agreed with that before. The blocklisting UI needs more work and that is already known and recognized as a problem. Very soon, we will also have a click-to-play mechanism that might make some blockings obsolete.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: decoder</title>
		<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/comment-page-1/#comment-110508</link>
		<dc:creator>decoder</dc:creator>
		<pubDate>Sun, 08 Apr 2012 23:47:34 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mozilla.org/security/?p=693#comment-110508</guid>
		<description><![CDATA[&gt; Please blocklist all Flash Player versions older than 11.2.202.228. You did it for Java, it’s time to do it for Flash.

Just because there is a recommendation and a possible security vulnerability, that doesn&#039;t mean we should immediately blocklist something without further investigation.

We did it for Java for the reasons described in this article (and a very important factor was that there is an exploit in-the-wild and actively being used). I don&#039;t know of any such exploit for the mentioned Flash version.]]></description>
		<content:encoded><![CDATA[<p>&gt; Please blocklist all Flash Player versions older than 11.2.202.228. You did it for Java, it’s time to do it for Flash.</p>
<p>Just because there is a recommendation and a possible security vulnerability, that doesn&#8217;t mean we should immediately blocklist something without further investigation.</p>
<p>We did it for Java for the reasons described in this article (and a very important factor was that there is an exploit in-the-wild and actively being used). I don&#8217;t know of any such exploit for the mentioned Flash version.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: jmdesp</title>
		<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/comment-page-1/#comment-110507</link>
		<dc:creator>jmdesp</dc:creator>
		<pubDate>Sun, 08 Apr 2012 20:41:37 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mozilla.org/security/?p=693#comment-110507</guid>
		<description><![CDATA[Hi, 
I think the layman&#039;s part that&#039;s missing from your message is something in the line of &quot;Zeus is a trojan that specializes in the stealing of your online banking identifiers&quot;. 

I wouldn&#039;t be surprised if there was a Zeus module dedicated to the capture of those Danish bank identifiers that sound like a perfect target for an evil doer, but it needs to be said that Zeus uses Java here only to get onto your computer, and once it&#039;s there it can steal any kind of identifier, Java-using bank or not.
There&#039;s even a module to proxy all the attacker&#039;s requests through your computer in case your bank checks the IP address the request comes from, to run it through further scrutiny when it doesn&#039;t match the usual address.

However Kim Ludvigsen still has a point that it would have been better to direct users to update their Java install, since many have two browsers installed, so they can, and will, go back to IE when Firefox fails to do their on-line banking.]]></description>
		<content:encoded><![CDATA[<p>Hi,<br />
I think the layman&#8217;s part that&#8217;s missing from your message is something in the line of &#8220;Zeus is a trojan that specializes in the stealing of your online banking identifiers&#8221;. </p>
<p>I wouldn&#8217;t be surprised if there was a Zeus module dedicated to the capture of those Danish bank identifiers that sound like a perfect target for an evil doer, but it needs to be said that Zeus uses Java here only to get onto your computer, and once it&#8217;s there it can steal any kind of identifier, Java-using bank or not.<br />
There&#8217;s even a module to proxy all the attacker&#8217;s requests through your computer in case your bank checks the IP address the request comes from, to run it through further scrutiny when it doesn&#8217;t match the usual address.</p>
<p>However Kim Ludvigsen still has a point that it would have been better to direct users to update their Java install, since many have two browsers installed, so they can, and will, go back to IE when Firefox fails to do their on-line banking.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: FlashBlocklist</title>
		<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/comment-page-1/#comment-110506</link>
		<dc:creator>FlashBlocklist</dc:creator>
		<pubDate>Sun, 08 Apr 2012 14:29:07 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mozilla.org/security/?p=693#comment-110506</guid>
		<description><![CDATA[http://www.adobe.com/support/security/bulletins/apsb12-07.html

&quot;Adobe recommends users of Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.228. &quot;

Please blocklist all Flash Player versions older than 11.2.202.228. You did it for Java, it&#039;s time to do it for Flash.]]></description>
		<content:encoded><![CDATA[<p><a href="http://www.adobe.com/support/security/bulletins/apsb12-07.html" rel="nofollow">http://www.adobe.com/support/security/bulletins/apsb12-07.html</a></p>
<p>&#8220;Adobe recommends users of Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.228. &#8221;</p>
<p>Please blocklist all Flash Player versions older than 11.2.202.228. You did it for Java, it&#8217;s time to do it for Flash.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: decoder</title>
		<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/comment-page-1/#comment-110505</link>
		<dc:creator>decoder</dc:creator>
		<pubDate>Sun, 08 Apr 2012 10:32:41 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mozilla.org/security/?p=693#comment-110505</guid>
		<description><![CDATA[&gt; I choose my online banking over security. The sites I usually visit do not use Java, except my bank.

That is one of the fatal assumptions people make. Of course most of the other sites do not use Java *regularly*. But when they are hacked/infected with Blackhole, then they *will* use Java, but you will not see it. You can also use Java in a hidden way on any website and that&#039;s exactly what exploiters do. So there is absolutely no security gain by only browsing to websites that don&#039;t use Java.]]></description>
		<content:encoded><![CDATA[<p>&gt; I choose my online banking over security. The sites I usually visit do not use Java, except my bank.</p>
<p>That is one of the fatal assumptions people make. Of course most of the other sites do not use Java *regularly*. But when they are hacked/infected with Blackhole, then they *will* use Java, but you will not see it. You can also use Java in a hidden way on any website and that&#8217;s exactly what exploiters do. So there is absolutely no security gain by only browsing to websites that don&#8217;t use Java.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kim Ludvigsen</title>
		<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/comment-page-1/#comment-110504</link>
		<dc:creator>Kim Ludvigsen</dc:creator>
		<pubDate>Sun, 08 Apr 2012 03:19:29 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mozilla.org/security/?p=693#comment-110504</guid>
		<description><![CDATA[&gt; Ok, so you are not arguing about the block but about what it looks like, I assume?

Yes, looks - and more important information and functionality.

&gt; but it says that the plugin has been deactivated because of a security problem

That is simply not good enough. It has to tell people how they can solve this problem: by updating Java. Otherwise the users (at least in Denmark) will not be able to use their online banking with Firefox. Meaning they will change to another browser. Guess which Java version that browser will use.

That means that the users are not any safer - and they are not using Firefox.

&gt; but I believe this is already being worked on as we speak here.

That sounds good, no reason to make this mistake again.

&gt; You are also free to help. 

I cannot code, I am only a translator.

&gt; But I personally would prefer my online banking not working until I figured out what’s wrong, vs. my computer being infected with malware

I choose my online banking over security. The sites I usually visit do not use Java, except my bank.

But many will do as you, and that is what caused a lot of problems here, because the users lost their online banking and several other important sites. We have a national system where Java is used for login for banking, governmental sites and more.

&gt; I don’t know about the Sun (now Oracle) update policy 

I haven&#039;t checked, but I have been told that they update once a month, and if the computer is not online at the update time, it will try again a month later. That would certainly explain why I didn&#039;t see any messages about a new version.]]></description>
		<content:encoded><![CDATA[<p>&gt; Ok, so you are not arguing about the block but about what it looks like, I assume?</p>
<p>Yes, looks &#8211; and more important information and functionality.</p>
<p>&gt; but it says that the plugin has been deactivated because of a security problem</p>
<p>That is simply not good enough. It has to tell people how they can solve this problem: by updating Java. Otherwise the users (at least in Denmark) will not be able to use their online banking with Firefox. Meaning they will change to another browser. Guess which Java version that browser will use.</p>
<p>That means that the users are not any safer &#8211; and they are not using Firefox.</p>
<p>&gt; but I believe this is already being worked on as we speak here.</p>
<p>That sounds good, no reason to make this mistake again.</p>
<p>&gt; You are also free to help. </p>
<p>I cannot code, I am only a translator.</p>
<p>&gt; But I personally would prefer my online banking not working until I figured out what’s wrong, vs. my computer being infected with malware</p>
<p>I choose my online banking over security. The sites I usually visit do not use Java, except my bank.</p>
<p>But many will do as you, and that is what caused a lot of problems here, because the users lost their online banking and several other important sites. We have a national system where Java is used for login for banking, governmental sites and more.</p>
<p>&gt; I don’t know about the Sun (now Oracle) update policy </p>
<p>I haven&#8217;t checked, but I have been told that they update once a month, and if the computer is not online at the update time, it will try again a month later. That would certainly explain why I didn&#8217;t see any messages about a new version.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: decoder</title>
		<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/comment-page-1/#comment-110503</link>
		<dc:creator>decoder</dc:creator>
		<pubDate>Sun, 08 Apr 2012 00:08:10 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mozilla.org/security/?p=693#comment-110503</guid>
		<description><![CDATA[&gt; No, I was able to override the block.

Ok, so you are not arguing about the block but about what it looks like, I assume? (+ the issues you mentioned later, e.g. IcedTea, which has been fixed quickly as well).

&gt; I did not see that page. If there was a link to that page in the message box, it was not very clear.

I just checked what it looks like on Windows. The message box that pops up does not seem to contain the link, but it says that the plugin has been deactivated because of a security problem. The UI there could be improved and that is already being done right now (see Security Roadmap at https://wiki.mozilla.org/Security/Roadmap , first entry).

The link I mentioned is in the Addons/Plugins Menu, where you can reactivate Java. But I agree that it should be moved to the main box (+ a link to plugin check which gives you the direct update path), but I believe this is already being worked on as we speak here.

You are also free to help. Mozilla is an open community and we depend on everyone to try and make things better all the time.

&gt; In Denmark we all use Java for online banking. The banks have had serious problems with users not being able to use online banking.

I can understand that this caused problems for people that were not on the newest version. But I personally would prefer my online banking not working until I figured out what&#039;s wrong, vs. my computer being infected with malware (and the article hopefully outlines that this is *not* a theoretical scenario but happening all over the world right now).

&gt; Yes, my Java was too old, and it shouldn’t have been. I am a bit ashamed about that. I thought Sun pushed updates “live”, hence I was not aware my version was too old, as I never say no to update. 

I don&#039;t know about the Sun (now Oracle) update policy as I use OpenJDK. But the update for Sun JDK has been out since February, and I also got that update automatically in a VM I have (just checked it).]]></description>
		<content:encoded><![CDATA[<p>&gt; No, I was able to override the block.</p>
<p>Ok, so you are not arguing about the block but about what it looks like, I assume? (+ the issues you mentioned later, e.g. IcedTea, which has been fixed quickly as well).</p>
<p>&gt; I did not see that page. If there was a link to that page in the message box, it was not very clear.</p>
<p>I just checked what it looks like on Windows. The message box that pops up does not seem to contain the link, but it says that the plugin has been deactivated because of a security problem. The UI there could be improved and that is already being done right now (see Security Roadmap at <a href="https://wiki.mozilla.org/Security/Roadmap" rel="nofollow">https://wiki.mozilla.org/Security/Roadmap</a> , first entry).</p>
<p>The link I mentioned is in the Addons/Plugins Menu, where you can reactivate Java. But I agree that it should be moved to the main box (+ a link to plugin check which gives you the direct update path), but I believe this is already being worked on as we speak here.</p>
<p>You are also free to help. Mozilla is an open community and we depend on everyone to try and make things better all the time.</p>
<p>&gt; In Denmark we all use Java for online banking. The banks have had serious problems with users not being able to use online banking.</p>
<p>I can understand that this caused problems for people that were not on the newest version. But I personally would prefer my online banking not working until I figured out what&#8217;s wrong, vs. my computer being infected with malware (and the article hopefully outlines that this is *not* a theoretical scenario but happening all over the world right now).</p>
<p>&gt; Yes, my Java was too old, and it shouldn’t have been. I am a bit ashamed about that. I thought Sun pushed updates “live”, hence I was not aware my version was too old, as I never say no to update. </p>
<p>I don&#8217;t know about the Sun (now Oracle) update policy as I use OpenJDK. But the update for Sun JDK has been out since February, and I also got that update automatically in a VM I have (just checked it).</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: decoder</title>
		<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/comment-page-1/#comment-110502</link>
		<dc:creator>decoder</dc:creator>
		<pubDate>Sat, 07 Apr 2012 23:43:07 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mozilla.org/security/?p=693#comment-110502</guid>
		<description><![CDATA[No, I think you are right. The block on Linux covered icedtea (openjdk) shortly and was adjusted then to exclude it. You might want to check the original bug report on the block for details :)]]></description>
		<content:encoded><![CDATA[<p>No, I think you are right. The block on Linux covered icedtea (openjdk) shortly and was adjusted then to exclude it. You might want to check the original bug report on the block for details <img src='http://blog.mozilla.org/security/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kim Ludvigsen</title>
		<link>http://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/comment-page-1/#comment-110501</link>
		<dc:creator>Kim Ludvigsen</dc:creator>
		<pubDate>Sat, 07 Apr 2012 10:54:58 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mozilla.org/security/?p=693#comment-110501</guid>
		<description><![CDATA[&gt; If you are referring to the initial hard block

No, I was able to override the block. The hard block is one of the things I referred to in my &quot;And then comes&quot; (the IcedTea problem is the other). Those things happen, but it is not good, and perhaps with some more time to test, they wouldn&#039;t.

&gt; Which is what this page says, isn’t it? https://addons.mozilla.org/en-US/firefox/blocked/p80

I did not see that page. If there was a link to that page in the message box, it was not very clear. And certainly not one that the average Mr. Smith would find.

What the message box should have done is something like this:
---
[Warning logo] There is a serious vulnerability in your Java plugin. A new version is available and you should upgrade or turn off Java to avoid getting your computer compromised. [link]More about the problem [/link]

1. I want to upgrade, [Link to upgrade]please help me do so[/link].
2. I want to turn off Java (some web content may no longer work).
3. I will take the risk and keep my old Java (not advised).
---

&gt; This was thought through

If it was thought through, then the people thinking should get a new job. They probably thought that it was thought through, but it wasn&#039;t. I am sure you will come to that conclusion in the post mortem. Read the comments in http://blog.mozilla.org/addons/2012/04/02/blocking-java/ and that is just some of the nerdy users. Some of them with a lot of seats.

In Denmark we all use Java for online banking. The banks have had serious problems with users not being able to use online banking. What do you think those users will do? And what do you think the bank will tell them to do?

And a footnote. Yes, my Java was too old, and it shouldn&#039;t have been. I am a bit ashamed about that. I thought Sun pushed updates &quot;live&quot;, hence I was not aware my version was too old, as I never say no to update. 

The message box did not make me any wiser. It was not until I asked in the forum of MozillaDenmark that I learned of Sun&#039;s update practice, then I checked the version number and then I upgraded.]]></description>
		<content:encoded><![CDATA[<p>&gt; If you are referring to the initial hard block</p>
<p>No, I was able to override the block. The hard block is one of the things I referred to in my &#8220;And then comes&#8221; (the IcedTea problem is the other). Those things happen, but it is not good, and perhaps with some more time to test, they wouldn&#8217;t.</p>
<p>&gt; Which is what this page says, isn’t it? <a href="https://addons.mozilla.org/en-US/firefox/blocked/p80" rel="nofollow">https://addons.mozilla.org/en-US/firefox/blocked/p80</a></p>
<p>I did not see that page. If there was a link to that page in the message box, it was not very clear. And certainly not one that the average Mr. Smith would find.</p>
<p>What the message box should have done is something like this:<br />
&#8212;<br />
[Warning logo] There is a serious vulnerability in your Java plugin. A new version is available and you should upgrade or turn off Java to avoid getting your computer compromised. [link]More about the problem [/link]</p>
<p>1. I want to upgrade, [Link to upgrade]please help me do so[/link].<br />
2. I want to turn off Java (some web content may no longer work).<br />
3. I will take the risk and keep my old Java (not advised).<br />
&#8212;</p>
<p>&gt; This was thought through</p>
<p>If it was thought through, then the people thinking should get a new job. They probably thought that it was thought through, but it wasn&#8217;t. I am sure you will come to that conclusion in the post mortem. Read the comments in <a href="http://blog.mozilla.org/addons/2012/04/02/blocking-java/" rel="nofollow">http://blog.mozilla.org/addons/2012/04/02/blocking-java/</a> and that is just some of the nerdy users. Some of them with a lot of seats.</p>
<p>In Denmark we all use Java for online banking. The banks have had serious problems with users not being able to use online banking. What do you think those users will do? And what do you think the bank will tell them to do?</p>
<p>And a footnote. Yes, my Java was too old, and it shouldn&#8217;t have been. I am a bit ashamed about that. I thought Sun pushed updates &#8220;live&#8221;, hence I was not aware my version was too old, as I never say no to update. </p>
<p>The message box did not make me any wiser. It was not until I asked in the forum of MozillaDenmark that I learned of Sun&#8217;s update practice, then I checked the version number and then I upgraded.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
