Mozilla Security Blog
Categories: Firefox Press Security

Protecting Users Against Java Security Vulnerability

mozilla

26 responses

Update – Aug 31, 2012

Yesterday Oracle released a patch for the critical vulnerabilities identified within Java.

Visit the Mozilla Plugin Check webpage to find out if your Java plugin needs to be updated:
https://www.mozilla.org/plugincheck/

Additional information from Oracle can be found here:
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

 

Update – Aug 29, 2012:

We’ve been closely monitoring the recent Java security vulnerability and evaluating different options to best protect our users.

Our goal is to provide protection to Firefox users against this actively exploited vulnerability in Java while also leaving the user in control so they can choose to allow Java on important sites that they trust.

We are still working out the implementation details, but our solution will accomplish two primary objectives:

  1. By default, vulnerable versions of Java will be disabled for our Firefox users.
  2. Users will be provided the option to enable Java through a clear and visible message that will be displayed anytime the user views a page using Java.

We’ll provide additional updates when items are finalized. In the interim, we still advise users to disable the Java plugin as described below.

Lastly, starting this week in Aurora and Beta we’ll begin adding the components of click-to-play, a Firefox security control that helps protect users against outdated and vulnerable plugins. We anticipate this new security feature to be fully operational by Firefox 18.

 

Original Post Aug 28, 2012

Issue

Mozilla is aware of a security vulnerability (CVE-2012-4681) in the current version of Java 7 (version 1.7, updates 0 through 6) that is being actively exploited to compromise users. Firefox users may be vulnerable to this issue if they are running the Java plugin within their browser.

Impact to Users

An attacker could exploit this vulnerability to download and execute malware on to a user’s machine.

We have received reports of this vulnerability being actively used in targeted attacks and the malicious exploit code is also available in common exploit kits indicating the number of attacks may increase.

Status

At this time there is no patch available from Oracle to address the vulnerability within Java. We recommend that users disable the Java plugin within Firefox to ensure they are protected against this vulnerability.

Steps to disable the Java plugin can be found here:
http://support.mozilla.org/kb/How+to+turn+off+Java+applets

26 comments on “Protecting Users Against Java Security Vulnerability”

  1. Ben wrote on

    Michael,

    Interesting that using FF to bookmark my Elink page has worked over the last 6 years without a glitch. On Aug 27 the webpage loading froze up for both email and customized local news. Upon working around this, the Hulu email notice allowed to select the program only to have a list of all programs show that Java script had issues that needed customer support corrections. Is this a part of the above security problems?

  2. M. Natiello wrote on

    Does this refer to SUN java or to any implementation?
    Is the IcedTea-Web Plugin (using IcedTea-Web 1.2.1) also a problem?

  3. Ralf wrote on

    Why are those plugin versions not added to the Mozilla blocklist? I mean a vulnerability cannot become more serious than that.

  4. Danny Moules wrote on

    “show that Java script had issues that needed customer support corrections”

    @Ben Javascript isn’t Java. Totally unrelated.

    “Does this refer to SUN java or to any implementation?
    Is the IcedTea-Web Plugin (using IcedTea-Web 1.2.1) also a problem?”

    @M. Natiello IcedTea has an additional security layer which prevents this. Sourced from https://bugzilla.redhat.com/show_bug.cgi?id=852051

    “Why are those plugin versions not added to the Mozilla blocklist? I mean a vulnerability cannot become more serious than that.”

    @Ralf See https://bugzilla.mozilla.org/show_bug.cgi?id=785837

  5. Ralf wrote on

    Thanks, I checked the Bugzilla page but I couldn’t find any explanation there about why the affected Java versions are not added to the blocklist. The last comment only says “I’ll verify if/when we decide to push this live”, which means no decision has been made yet. Since this is a time critical issue and all information is on the table since yesterday, I don’t understand what is holding the decision up.
    Meanwhile I rolled my own solution to disable Java in Firefox since I cannot leave my users unprotected for days, but if I could have been sure that the insecure plugins will get blocked anytime soon, this work would not have been necessary.

    1. malvin wrote on

      my java is working fine how do i know this is not a virus i run java and it said it was upto date and i have the correct one running

  6. Danny Moules wrote on

    @Ralf https://bugzilla.mozilla.org/show_bug.cgi?id=785837#c1 Comment 1, Paragraph 3

    “Since this is a time critical issue and all information is on the table since yesterday, I don’t understand what is holding the decision up.”

    Disabling the latest version of Java with no alternative for hundreds of millions of users is… best treated as non-trivial.

  7. Lionel wrote on

    I was notified of Firefox 15 yesterday (by Firefox). When I wanted to install today, I googled “Firefox 15” and ended up at a site that at first, to me at least, looked deceptively like Mozilla (I don’t visit Mozilla often…); I fear this could have been the beginning of a very sad story…

    (The following is interlaced with some of my paranoia) The site is http://www.todownload.com/. It offers a number of free downloads, including Firefox. I nearly downloaded their free downloader (yeah, not very smart of me), but paranoia about security saved me (that’s my story…). An unknown downloader would be an excellent way of sneaking unwanted content onto a system…….

    I assume you are aware of this site, perhaps others are not. Please don’t be offended, but if Firefox loses the integrated downloader, I will probably have to stop using it (personal paranoia). I consider any foreign downloader a security threat.

    Thanks for a great browser.

  8. Ralf wrote on

    As far as I know a softblock can be overriden by the user, so everyone who needs a Java 7 plugin can enable it again on his own risk.

  9. Malcolm wrote on

    I did a clean install of XP Pro today and I’ve got Javascript issues, Java plug-in is enabled and I’m running Firefox 15.0?

    What gives?

  10. Ralf wrote on

    New situation: Sun released Java 7 Update 7 a few minutes ago. Now version 1-6 should go on the blocklist.
    @Malcolm: Javascript and Java are entirely unrelated, except that they share 4 letters in their name, which is admittetdy confusing. So you’re Javascript issues must have a different cause than what is explained in this blog posting.

    1. Albin wrote on

      Thanks for clarification re Java plugin vs javascript – the site I use as homepage needs javascript to work and I noticed it still works after disabling the plugin. I found about:config has a toggle for javascript and so got curious about where the risk is.

      BTW my current plugin is SE7 U6 updated as of August 16 – I take it that is still vulnerable (?)

      1. Ralf wrote on

        Yes, Java 7 Update 1 through Update 6 are all vulnerable. You need Java 7 Update 7.

  11. vericonLabs wrote on

    There is a patch available right now to solve the 0day bug:
    http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html

  12. fjf wrote on

    FF directed me to this blog for more information after disabling the vulnerable Java plugin. But when I clicked on it, I got the following warning:

    blog.mozilla.org uses an invalid security certificate.

    The certificate is only valid for blog.mozilla.com

    (Error code: ssl_error_bad_cert_domain)

    It seems strange to me that a security blog, of all places, would use an invalid certificate. What’s going on, and can you correct this?

    1. fjf wrote on

      And when I tried to post my comment above, I got an error about an invalid security code (I didn’t enter any, what should I enter anyway?), but the comment was posted nevertheless.

      I must say this whole site looks very strange to me and not very trustworthy.

      To be on the safe side, I’ll disable Java completely until I get independent confirmation.

    2. Daniel Veditz wrote on

      I’ve seen other complaints about a mis-matched cert on the blog site, but have never been able to reproduce the problem. We have two different domains, theobsolete blog.mozilla.com that re-directs, and the new blog.mozilla.org. Both have valid single-domain certs (it’s possible to get a certificate that has two names, but that’s not how this particular site is set up). From where I sit both are hosted at address 63.245.217.99 and all three of our nameservers return the same result.

      It’s mysterious.

      1. fjf wrote on

        I seem to see the problem every time, reproducibly. Do you want more infomation? I see the same IP adress as you for both sites.

        Anyway, I thought having several HTTPS sites with different certificates on the same address was impossible, since the certificiate has to be exchanged before the HTTP conversation starts and the requested host name is known to the server. So that might explain things. But then I don’t understand why it works for you. Did you actually get the certificate recently, or do you perhaps have an older, correct(?) one stored?

        I thought this was a well-known limitation of HTTPS. The usual solution is to use different IP addresses or ports for the different sites.

        … well … or not to use HTTPS at all!? When I was about to submit the comment, FF warned me: “Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.” I thought, mixing HTTP and HTTPS within one page is considered bad style, and surely not confidence-inspiring for a security site.

        1. fjf wrote on

          And when I posted the comment above, I again got the warning about a mismatched code and then an empty page, with no indication that my comment was posted. I had to reload the original page to see it.

          Sorry, but this whole site looks quite broken in many ways, both regarding security (certificates) and plain web programming or whatever. For an official *security* blog of a popular *web browser* of all things, this is very alarming!

  13. Thomas F. wrote on

    I installed jre-7u7-windows-x64.exe twice, but FF still tells me that I have 7u5 on my PC and that it is vulnerable. Furthermore, using jxpiinstall from SUN I get a warning that the the signature is invalid, preventing me from installing the update.

    What is this?!

    1. Paul M wrote on

      I am getting the same error.
      Probably a good idea to disable the plugin for a day or two and see if the issue is resolved.

    2. Daniel Veditz wrote on

      SUN is no more, Oracle bought them. The current version of Java are produced and signed by Oracle, but if you got your jxpiinstall utility during the SUN era it may be checking for a SUN signature.

      Go to https://www.java.com/en/ and download the update from there.

  14. John T Hannon wrote on

    I tried going to the “Advanced” tab in the Java Control Panel to select “Mozilla family” and “Apply”, but the selection isn’t updated. I need this for the above website to access my network drive. (It works in Explorer.)

    Is this vulnerability the reason I can’t update the setting?

    Thanks,
    John

    1. Daniel Veditz wrote on

      Possibly. The Java Control panel controls where Java is installed, but doesn’t adjust any Mozilla Firefox settings. If you have an older vulnerable version of Java we have automatically disabled it and you really should get the update. If you update to the latest version it will automatically be enabled again. Browsing the web while running the vulnerable version is an extremely bad idea, but if you need to do so anyway you can re-enable Java from the Plugins section of the Add-on dialog. On Windows you’ll find Add-ons under the “Firefox” button in the top left corner, and on other platforms it’s under the Tools menu.

      For additional help if that doesn’t get you going please visit https://support.mozilla.org

      To check whether your other plugins might be vulnerable or out of date (which is often the same thing) please visit https://www.mozilla.org/plugincheck/

  15. Mist wrote on

    Is there a live correction for JAVA?
    I’ve seen suggestions to revert to JAVA 6 but later a notice that also was haywire.
    Nothing since.
    Thanks.

    1. Andrew wrote on

      Java 7 update 7 and Java 6 update 35 both fix these problems
      http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html