Protecting Users Against Java Vulnerability

mcoates

70

Update – January 18, 2013
Mozilla is extending Click to Play for Java 7u11 due to reports of exploit code available for 7u11 and information that all elements of the original Java bug have not been fully addressed by Oracle in the 7u11 patch.

Update – January 13, 2013

Oracle has released an update to address this vulnerability. Read more here and download updates here.

Issue

Mozilla is aware of a security vulnerability in the current version of Java (Java 7 Update 10) that is being actively exploited and affects any browser using the Java plugin. Firefox users may be vulnerable to this issue if they have the Java plugin installed in their browser. Information on how to check which plugins are installed can be found here.

Impact
An attacker could exploit this vulnerability to execute malicious software on a victim’s machine. This vulnerability is being actively used in attacks and the malicious exploit code is also available in common exploit kits.

Status

There is no patch currently available for this issue from Oracle. To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.

The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.

 

Demo screenshot of Click To Play

 

Additional Information

We encourage users to always keep plugins up to date. Visit the plugin check website to update plugins now.

Information to fully disable the Java plugin can be found at the following page: http://support.mozilla.org/kb/How to turn off Java applets

 

Michael Coates
Director of Security Assurance

70 responses

  1. anon wrote on :

    would be great if this was an option on all plugins – enable, disable, restirct (click to play / whitelist)

    1. Jared Wein wrote on ::

      In fact it is :)

      Go to about:config and set plugins.click_to_play=true and you will get this functionality.

    2. Daniel Veditz wrote on :

      You can force all plugins to be Click to Play by going to about:config and changing the preference plugins.click_to_play to true.

      From the Click to Play UI (the drop-down shown in the picture above, or by clicking the blue-block icon in the address bar) you can block or allow plugins for the site you’re on.

      We have not yet exposed a way to block or allow specific plugins on specific sites, that is, you can’t block Java but allow Flash; right now it’s all or nothing on a per-site basis. You can permanently disable any plugin for all sites from the Add-on manager dialog, but then you can’t use Click to Play to enable it.

  2. Sreenath Sasikumar wrote on :

    Very quick response to protect its users. Great work Mozilla Team ! Cheers !

  3. skeptic wrote on :

    Why are you blocking the jre 6u38? I thought only 7 was vulnerable to these problems.

    1. mcoates wrote on :

      We are being extra cautious to ensure all users are protected in the event the scope of the vulnerability is larger than the initial reports have indicated. We are erring on the side of caution.

      1. james wrote on ::

        well great firefox! some1 forgot to tell my firefox browser to put the red block in my address bar so how do i view java when theres nothing to click to activate??????????
        cant play the games i pay to play, i’ll have to use IE now

  4. Carol Wilson wrote on :

    You have totally ruined me for pogo! I cannot play any of the games because they all use Java. I have installed, uninstalled, downloaded offline, every trick imaginable, and still Firefox won’t let it open. Won’t let the thing be enabled. I don’t get a screen to allow it. I’ve spend 6 hours today on this! Totally disgusted with all of you: Firefox, Java, and Pogo! Wouldn’t even work on IE–still defaulted to Firefox. Grrrrrrrrrrrrrrr!

    1. Shawn wrote on ::

      I play on Pogo as well Carol. When you open the link to play the game, up in the top left hand corner you will see a red block appear. Click on the red block, click on the arrow next to ‘Activate all plugins’ and it will give you the option to run Java on that site and that site only. Mozilla has done something very smart for their users here. If you were to go to a website you do not trust and Java were to run on its own as we are used to, your computer could be compromised in the process including very personal information.

      1. Hank wrote on :

        Well, I would like to know if Pogo.com is safe to visit allowing Java 7 update 11. It seems to be alot of hackers at the game tables for card dealing or dice roll generator.

    2. Nate wrote on :

      You are an idiot

      1. Dj wrote on :

        you are the idiot! What she posted is true as many, including myself have encountered the same problem and roadblock. You must feel really low to insult someone like you did; however, it doesn’t make you appear any wiser but rather a jerk!

  5. John Medearis wrote on :

    A vendor secure website I have to use for work starts up a web app using the JVM upon clicking the appropriate link. It does not display a page where I can “Click to Play”, it just verifies if the JVM is running. With the plugin blocked, I have no way of putting this site in as an exception.

    Why can’t you provide me that ability as well? This is preventing us from entering overrides necessary for medical benefits coverage. And because the vendor site uses a certificate that is browser based, I am unable to temporarily use another option.

    Thank you for the general public protection but please provide, as soon as possible, a way to unblock by site prior to visiting a site.

    1. mcoates wrote on :

      John,

      In the event you do not see the Click to Play box you are still able to click the blue plugin icon in the URL bar. Within the displayed drop down you can then select the option of “always activate plugins” for the site if desired.

      See this post for additional information:
      https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/

      Here is the direct link to the image:
      https://blog.mozilla.org/security/files/2012/10/plugin-icon.png

      1. Michael wrote on :

        I need to run an application on from a site in order to run a critical recovery program for a specialized system. It requires java to run. The site offers neither the Click to Play box or the blue icon in the URL. What am I supposed to do?

      2. Dj wrote on :

        this is no the case with all sites, Mr Coates. It does not give you the option nor does clicking the blue icon activate any drop down menu.

      3. stine wrote on :

        Your fix works for Juniper Network Connect in Firefox on Linux.

        Thank you very much.

  6. Jesse Ruderman wrote on ::

    And if *that* doesn’t work, perhaps because the site detects Java using navigator.plugins, you can use about:permissions to explicitly allow plugins on the site.

  7. Martin wrote on :

    I got the “click to play once”, but after the Java update to 7u10 the plugin will not be installed into Firefox 18 at all…. Java reports successful installation, but the JRE plugin is gone for good from the add-ons page.
    What can I do, I like to see it, activate it on demand and play one certain game I pay for.

    I also use the extension Quickjava.

    1. Daniel Veditz wrote on :

      Starting with Java 7 update 10 Java itself has preferences that determines whether it’s used in browsers or not. Perhaps that got turned off? If it did then Java will be invisible to Firefox (and all other browsers) and Click to Play doesn’t come into the picture.

  8. Michael wrote on :

    I need to run an application on from a site in order to run a critical recovery program for a specialized system. It requires java to run. The site offers neither the Click to Play box or the blue icon in the URL. What am I supposed to do?

    1. Billy Zane wrote on :

      Use “Page Info” from the context menu on the page where you have that problem and enable Plugins from the “Permissions” tab.

  9. Amy wrote on :

    I have an outdated Java and didn’t know it. (But I always install recommended updates, …yet this seems QUITE old! SE6 U37 it says!) Should I even bother updating?

    Is there an article that can explain a “What to do” for dummies? I don’t fully understand what they are saying is and isn’t dangerous. If I trust the site, but it isn’t critical in my life to use it right now, can I activate the Java? I mean, is it really trust in the site/page that matters? Or trust in their security to keep themselves from being hacked and thus allowing me to be hacked? I may trust my bank to not be “pulling one over on me” but that doesn’t mean I trust them to prevent a hacker from using their site to get to me. Is that what we’re talking about here? I’m not knowledgeable enough to understand. Also, what about virus protection programs? Are they generally blocking this? Or is this different?

    A stranger question – a site I want to use that needs a plugin currently blocked by this, – the site claims Google Chrome does not require an add on at all. Is this because Chrome inherently has the same dangerous thing, but it’s just automatically included? Or would it be safer? I love Google, but not Chrome. I prefer my Firefox!

    1. Joe wrote on :

      Hi Amy!

      All is well! Never trust your bank, though!

  10. Yo Ma Ma wrote on :

    http://noscript.net/

  11. rashydos wrote on ::

    I have the same problem! firefox 18 request installation of java all the time.

    I have win7 64bits.

    I have uninstall all java the install the newest but the problem not solved!

    It should be a bug on firefox 18

  12. Jay Dee wrote on ::

    The first time I saw this alert, it was an alert from Homeland Security advising users to disable or delete Java. When I came to this part of the web, Ken Arnold, James Gosling, David Holmes had just found the Java Programing Language James is known as the Father of Java language, he was at Sun Microsystems too 1984 to 2010 and the deceased Steve Jobs also
    I trust these people at Oracle to know what they are doing. I have upgraded to the new Java and will continue to use it. I trust them and not Homeland Security. I do not trust Homeland Security and FEMA with any thing and for sure not my homeland America.

    Long Live Oracle and Java

    Jay Dee

    1. Daniel Veditz wrote on :

      The brilliance of its creators does not guarantee a product is without security flaws — even Firefox is regularly updated to address potential security problems. In this instance DHS is not wrong: this particular Java flaw is actively being used as part of a exploit package that is widely deployed by criminals on legitimate-but-hacked websites that millions of people regularly visit.

      Oracle has now released an update to fix this flaw, and the DHS warning/advice does not apply to this new version.

  13. Joel wrote on :

    Unable to print US Postage for my ebay shipping…”plug in” icon appears…I click on it…postage label screen appears, but printer doesn’t print.
    I go to my AOL email, open the ebay shipping label printed email…click on “reprint label”…printer works fine.
    So, any suggestions to avoid the email click to reprint method workaround??

    1. Chris wrote on :

      I was having the same issue. When the label appears there is a red icon one the left side of the address bar, click and activate the flash plug-in.

      1. Junior wrote on :

        Thank you !!!
        I was having the same problem

  14. Erich wrote on :

    Would you please explain better what you mean with:
    “To protect Firefox users we have enabled Click To Play for recent versions
    of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38).”

    It seems one of the following regarding Click To Play is the case:
    - It was previously enabled for newer versions of Java. If so, why are we even discussing it in this manner? And where is the documentation on what CTP is enabled for and how to make granular (plugin/version/site) changes?
    - It has been enabled on new/current downloads If so, do we need to re-download/install? Is there a (minor) version change?
    - Mozilla has somehow remotely enabled it for recent Java versions? If so, where is the discussion of the implications of this ability to unilaterally make changes on our machines?

    Now, I hate Java, but unfortunately it it necessary for some workplace functions. I also love Firefox, but unfortunately, I don’t have a means to make enterpise-wide changes to settings/add-ons/etc. for it like I can for IE. The combination of these two “problems” has me a little freaked out.

    1. Daniel Veditz wrote on :

      Firefox, like other browsers, has the ability to block malicious or broken plugins. The list of things we’ve blocked can be found at our web-site; click each item to find why we’ve blocked that particular item. https://addons.mozilla.org/en-US/firefox/blocked/

  15. jennysweeth wrote on :

    I would love to know grrr, I haven’t updated still here on Java 9, ok so I get its outdated, but does that make it vulnerable too, am I at risk here?..I know Java 10 needs be disabled I’ve spent agonizing hrs reading and can only find it needed patches up before 9, was hoping I would be fine to stay, but at the risk of it being outdated can anyone help please I’m not willing to take any extra risks here!!!

    1. Joel Rees wrote on :

      Java 9?

      I don’t think there is such a thing yet.

      Or are you running some beyond-bleeding-edge software from the future?

      I’m going to guess you mean update 9, perhaps of java 6 or 7. Check Oracle’s site for specifics on versions, for instance, on this page:

      http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

      where they talk about a temporary fix similar to Mozilla’s temporary fix, but don’t mention that it’s just a temporary fix.

  16. akane wrote on ::

    Does this vulnerability affect the IcedTea plugin?
    Also, NoScript FTW!

    1. FlashingYoshi wrote on :

      No. No you don’t.

  17. Wholesale Merchandise wrote on ::

    I am not showing Java installed as a plugin with Firefox even though it is, I am also not showing the blue box and I could not find anything to enable plugins in the context menu for the specific page.

    A response would be appreciated.

    Thank you for your time.

  18. Fred wrote on :

    I am also finding that “click to play” does not work for all sites- even when I click on the option. Pogo is one example. Although, I would rather live without the games than have malware. Does anyone know if antiviral/spyware software is picking up the threat?

  19. Simon wrote on :

    While I get the security need, when a change is made like this, and people like me – with limited or no JAVA technical knowledge – suddenly can no longer operate their business because key commercial services like PAYPAL stop working and the way PAYPAL (which is truly terrible with popups) links to external service the payment processors this change does not work.

    At the very least, I should be able to accept the “risk” for a site and get on with life.

    Frustrated…..

    1. Wilcox1976 wrote on :

      Amen Buddy I’m with you. Run ebay business and can’t print any labels with my Brother roll label printer because of Java Firefox issues. IE is working and I have got the labels out from there. Can also print the old click n’ ship labels as long as you did not create the label in another format.

    2. Richie wrote on :

      I am in the same boat. I can no longer print labels from Firefox because of Mozilla’s need to disable it. Even after I accept the risk, nothing works.

      I understand that 99% of the people on the internet are morons and do not know which sites are safe, but us 1% want an option to turn java back on so I can print a damn shipping label.

      FIX THIS.

  20. Ildjarn wrote on :

    I have installed JRE 7.11 which was released today. Still no Java turning up in the installed plugins….

    1. Steve wrote on :

      ditto. JRE 7.11 which was released today. Still no Java turning up in the installed plugins.

      IE working okay though.

  21. Dr No wrote on :

    Firefox is blocking the plugin component of JRE 7 Update 11. Firefox shows the plugin as version Java(TM) Platform SE 7 U5 10.5.1.255. Perhaps the block includes any Java plugin that is identified as SE 7 U5, regardless of the version number? If this update does fix the vulnerability, then the scope of the block should be narrowed.

    1. Helios wrote on :

      Workaround: Uninstall the standalone JavaFX 2.x.

      http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
      http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8005410

      1. G_A wrote on :

        In addition to this, you might need to close the browser, open the Java control panel, go to security, untick the “Enable Java content in the browser, press OK, then the java control panel again, tick the same checkkbox and press OK.

        Might be something is bugged when you installed u11 with FX installed in the frist place. Even a total uninstall of everythinhg java, reboot, reinstall and reboot again still didn’t enable the java plugin in neither IE nor FF.

    2. alex_mayorga wrote on ::

      That’s apparently a bug from Oracle[1], try removing all versions of the JRE, then install just 7u11.
      Hope it helps.

      1 http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8005410

      1. Forrest wrote on :

        Nope, that’s not the issue. That’s a Windows specific issue, and Firefox is still blocking the patched version of Java on Macs too.

  22. Axis wrote on :

    Thank you for making this troublesome add-on issue a “click-to-play” block rather than a full block. It respects a users rights while also offers security. That is WAY better than the ordeal everyone was going through just a week or so ago with the last Java update confusion.

  23. Joel Rees wrote on :

    The plugin check page — ouch!

    It’s in Japanese.

    Well, I read Japanese sort of well, actually operate in mixed mode a lot of the time, but a lot of my foreign national friends living in Japan don’t.

    Automatically selecting the language by browser setting and/or location, and failing to provide a language switch link/button on the page is so, well, ’90s.

    BTW, I go to that page and it tells me my gnash is an out of date flash. Does not mention java at all. (Debian Squeeze:
    —————————————————————————
    useralpha@ws001:/home/useralpha$ java -version
    java version “1.6.0_18″
    OpenJDK Runtime Environment (IcedTea6 1.8.13) (6b18-1.8.13-0+squeeze2)
    OpenJDK Client VM (build 14.0-b16, mixed mode, sharing)
    —————————————————————————)

    So, is IcedTea not vulnerable? (Heard some rumor that suggests otherwise.)

    And why doesn’t java show as a plugin? JDK installed globally, perhaps?

    I think there are a lot of rough edges being exposed here.

    1. joel.rees wrote on :

      Answering one of my own questions, Oracle’s advisory indicates that java 6, 5, and 4 are not affected, although all updates of Java 7 through update 10 are, and the just released update 11 provides a temporary patch similar to Mozilla’s plugin blocking function.

      The CERT advisory and vulnerability note only specify Oracle Java with a new feature from version 7, so it looks like IcedTea will not be affected.

  24. Jürgen wrote on ::

    http://www.javatester.org/version.html tells me I’m using Java Version: 1.7.0_u9 from Oracle Corporation but I’m having IcedTea Plugin installed (Linux Mint 14). So it would be nice if there would be a way that Mozilla can protect IcedTea users as well.

    Mozilla Plugin Check tells me about my IcedTea thingy: unknown plugin.

  25. Mary Lou wrote on :

    on the eve of 1/13 i noticed a update #11 was available for java i down loaded it seems to be ok but not sure of the safty. I have not been able to find out any news about this update.

  26. Scott40 wrote on :

    1/14/13 — Today I successfully manually installed Java 7.1 U11 using the downloaded file ” jre-7u11-windows-i586.exe” on a 32 bit XP3 machine with IE and Firefox 18. The Firefox plugin for Java will not install. Using Firefox to go to “http://www.java.com/en/download/testjava.jsp”, to test if Java is working, results in a message saying ” A plugin is needed to display this content” “Install plugin”. Clicking on “Install plugin” results in an “Available plugins download” window being displayed. Within the window one plugin is listed. It is ” Java Runtime Enviroment 1.7 u10″ Clicking the NEXT button attempts to install the plugin but fails. The plugin “Java Deployment Toolkit 7.0.110.21 does show in the list of installed Firefox plugins but that is the only Java plugin in the list. The newly installed Java U11 works fine with IE.

    Is Firefox blocking the plugin installation because Java (Oracle) is attempting to install the non-secure version 1.7 u10 ? Did the JRE FF plugin fail to install due to and error in the Java u11 installation file (possible lack of registry entries from Oracle ) ?
    .

  27. Jive Dadson wrote on :

    I have installed the latest Java from Oracle, and as of Jan 15, I still cannot get Firefox to run any Java ap. For example, http://netdania.com/Products/live-streaming-currency-exchange-rates/real-time-forex-charts/FinanceChart.aspx?m=c. At the top, I get a message that says “Additional plugins are required to display all media on this page.” On the right is a button labeled, “Install missing plugins…” I click it and the banner with the message and button disappears. The ap does not start. In the area where it is supposed to start, there is what appears to be a link, labeled “Install plugin…” I click it and nothing happens.

    I have tried everything I can think of, but no joy. I have removed all Java installations and re-installed the latest. I have rebooted everything.

    I can get Windows Explorer to run the ap. It prompts me first, which is fine with me.

    Any ideas?

    1. Jive Dadson wrote on :

      Update. I uninstalled Java FX. I have no idea what that is. Anyway, now it works.

      What a mess!

    2. David wrote on ::

      Same issue, Firefox (latest version, 18) informs me the plugin is out of date, clicking the Install Plugin link tries to install U10 not U11 (patched version I believe).

      Not sure what version I was on this morning, (guessing u10) but after trying Chrome the update they linked to was U11 so running v11 now.

      Under https://www.mozilla.org/en-US/plugincheck/#list-plugins it says I’m up to date Java Deployment Toolkit 7.0.110.21 (1.7.0.11)

      Tried rebooting Firefox multiple times, no joy, left with a message a plugin is needed to display this content with an install link below which tried to install U10 which fails.

      David

  28. Rad wrote on :

    Just to share with you what I did on my Windows 7 32-bit and Firefox 18. I am studying Java and I was trying to view my 1st applet ever in a browser. I got the issue of the plugin, and Firefox asked me to manually install Java as the plugin failed to be installed from within Firefox. I did that then closed my Firefox and started it up again. Firefox asked me if I want to run this applet and I said yes and never ask again. It worked nicely ever since. I have now certified myself as Java Applets Guru, Firefox Guru, and Music Writing Guru (for no related reason).

  29. Doug Huffman wrote on :

    I have given up on Java. I’ve gone round and round reading ‘helpful’ blogs and snide retorts, how-tos and restatements of the problem. At one time I had to delete ten copies of the “plug-in” that wouldn’t load.

    When there is a comprehensive step-by-step protocol to establish a known browser/OS status, reinstall Java, reinstall FF, reinstall all common plug-ins, et cetera ad nauseam, then I’ll try again. Thank goodness I haven’t found anything essential that doesn’t work.

    Sun/Oracle, Re-write Java.

  30. Mike S wrote on :

    Does Mozilla plan on requiring Click-to-play for all future JRE’s by default? Or will the patched Java JRE run automatically in the next Firefox update?

  31. Sean Scott wrote on :

    I need a way to disable your “click to play”! I have rolled Java back to 6-38 but still FF keeps making me click. My application (Maplesoft’s “Maple T.A.” Equation Editor”) does not work properly with this feature, I need Java to run unhindered. Can you help ASAP?

    1. Gary C wrote on :

      Sean – about:config. Find plugins.click_to_play. It is likely set to “True”. Double click or rt click and select toggle to set it to “False”. You may need to restart the browser for the setting to take effect. Just remember, if the Java plug-in remains enabled, it will be enabled for all pages your browser hit, leaving your system vulnerable to exploits. At least your needed site should work ok again.

  32. Anonymous wrote on :

    So annoying! Firefox goes and automatically blocks it and I can seem to make it work again. Stops Nintendo UK website working. Guess I’ll have to wait to join club Nintendo :’(

  33. Blair Nastasi wrote on ::

    There’s an easy way to disable Java immediately using Group Policy or your own management tool. We have a blog and video to show you exactly how to do it:

    http://www.policypak.com/blog/entry/exactly-how-are-you-going-to-turn-off-java-now-in-your-enterprise.html

  34. Thomas Thomassen wrote on :

    Seems that 7.11 is also blocked. I have to activate it. Firefox gives me this message:

    “Java Plugin 7 update 11 and lower (click-to-play), Windows has been blocked for your protection.”

    1. Jody wrote on :

      Just saw version 18.0.1 firefox out there. Does this in fact fix the 7.11 set to vulnerability.

  35. Ari wrote on :

    Java fix does not work at all – Java test says that all is ok, but when i try to access any java site it says – “this java plugin has security vulnerabilities…blaa blaablaa” but after a while it says java has been updated?????

    THat bugs me b coz of confusing messages – does not work on online banking at all or so – what the F****.

    IE works fine + other browsers – sure it is for our safety because of the security risk, but normal users like grannies or so may wonder what the hell is going on….

  36. Paul wrote on :

    What the hell is going on?
    I don’t need FF to take care of my security, we’ve 100+ users in my company using java apps daily in their browser and they go crazy since they have to click all days on your stupid ‘click to play’ button.

    Woohoo guys, I have now to ask them to run it into IE… What a shame.

  37. Doug Huffman wrote on :

    Is the observation that the plug-in downloaded and failing to load is JRE 7 u10?

    Following the unhelpful directions I uninstalled Java, ran the M$ registry repair, disabled all protection and reinstalled JRE (and JDK separately). Testing at Java.com causes the plug-in needed warning, responding to which is similarly unhelpful as it sends one, me, back to the JRE download page.

    I continue to wait for Java 7 u13 or Java 8 or a complete re-write, maybe of some simplified subset for users.