Vulnerable versions of Java plugin blocked for OS X 10.5 and older

Jorge Villalobos

45 responses

Two weeks ago we blocked vulnerable versions of the Java plugin on Windows and some Linux distributions. We haven’t followed up with the Mac OS X operating system for a couple of reasons.

One reason is that the Apple has already patched its Java software and the Software Update application is very effective doing its job. The other one is that there’s a bug in Firefox that prevents it from reloading plugin metadata after an update. This means that even if someone updates Java on Mac, Firefox will continue to say an old and vulnerable version is installed. This bug will be fixed in Firefox 12 and we will complete the block on Mac OS X after it is released on April 24th.

However, people who are using Mac OS X 10.5 and older won’t get the Java update, which means they will remain vulnerable unless they update their operating system or upgrade their hardware. For these users there’s no point in waiting, so we have blocked the Java plugin for them. This is a soft block, meaning that they are free to continue using the plugin if they choose to, at their own risk.

45 responses

  1. MSeldom wrote on :

    Well, how can update java plug-in manually in MAC OS 10.5.8 then? There is no automatic update available in Software Update… And Firefox has just disabled my java version “1.6.0_26” plug in, and I can’t use it now… Can someone please point where can we download a java plug in update for MAC OS 10.5.8???

    1. Jorge Villalobos wrote on :

      You should be able to activate the plugin again in the Firefox Add-ons Manager (about:addons). There will be no official Java update for 10.5, as far as we know. The recommended upgrade path is that you move to Mac OS 10.6 or 10.7, if your hardware allows it.

      1. Cathy Dixson wrote on :

        I’m running 10.5 and do not have Java working. I have Java version 1.6 listed in my Java list under Utilities: Java. I went to the Add ons manager in Firefox and Java isn’t even listed. How do I add it to the add on list?

        1. Jorge Villalobos wrote on :

          Did you open the Plugins pane in the Add-ons Manager? That’s where the Java plugin should be listed.

      2. beverley wrote on :

        keep getting blocked plugins msge on my live streaming screen have downloaded flash player a couple of times no change ??? please help thanx

  2. John Miles wrote on :

    I am a simple user on OSX 10.5.8 in the office and 10.7.3 at home.

    On OSX 10.5.8
    Is my best bet to allow the 10.5… plugin block and await the Firefox 12? Will I notice a change in perfromance?

    Do I have any concerns for the 10.7.3 machine at home?

    Thank you.
    John

    1. Jorge Villalobos wrote on :

      For the 10.5 machine it’s best that you disable the plugin unless you really need it. I’d recommend keeping it disabled and only enabling it when you need it, and only on sites you trust. Nothing will change for this case when Firefox 12 is out, the only easy way to upgrade your Java software is to also update to Mac OS X 10.6 or 10.7.

      For the home machine, just make sure to check Software Update and install any pending updates. You should be fine if you’re up to date.

  3. Cathy wrote on :

    It would help if in future versions of FF, you make it easy to enable and disable Java – the way we can in Safari. I read the stuff about blocklists and it seems ridiculously complicated – and unreliable, based on all those angry comments. I’ll stick with my unsafe version of Java for now – I have other ways of protecting myself from the ONE trojan that’s currently a problem.

    1. Jorge Villalobos wrote on :

      You can enable and disable the plugin in the Add-ons Manager. It’s only one click and it doesn’t require a restart. If you understand the risks, it should be easy to keep the plugin enabled.

  4. David wrote on :

    Do you know if there is a way to completely delete/remove this Java plugin. Preferences show the plugin disabled but offer no other options? thanks

    1. Jorge Villalobos wrote on :

      It must be possible, but I doubt that it’s simple. Keeping it disabled should suffice to ensure you’re safe.

  5. Rodrigo Pacheco Lim wrote on :

    Hello…

    I’m from Brazil and my English is not really good like yours.

    I’m trying to open my bank account but my Macbook ask about update Java.

    I did but is not working. l opened the Firefox and I went to the complements and there Java say…

    ” The Java Plug in 2 for NPAPI Browsers he is recognized as cause of problems of security or stability.

    What i need to do to still useing my bank account from my Macbook?

    Thanks. Rodrigo.

    1. Jorge Villalobos wrote on :

      Hello Rodrigo,

      I you are using an old version of Mac OS, you’re always going to be using an vulnerable version of the Java plugin and you’ll always see the security warning. You should upgrade your Mac OS whenever possible.

      In the meantime you can just enable the Java plugin whenever you need it, and ideally keep it disabled the rest of the time.

  6. Jeff wrote on :

    I don’t know much about computers that is why I bought an Apple for the peace of mind.
    I have a 4 year old Mac desktop os 10.5.8
    I cannot play any games on pogo.com now on Firefox or Safari.
    I disabled the java but cannot download the new version no matter how often I try.
    Is there a solution, now or later?
    Thanks in advance for the answer.

    1. HONEST JOHN wrote on :

      NEED HELP ON PLUG-IN SET UP

  7. Jesse Bass wrote on :

    i love how you keep saying that is is just one simple click to enable it, yet i cant seem to find it no matter what i do.. I am running 10.5.8 … i have searched to enable it and you continue to say it yet never tell anyone the process of doing it…

    thanx for your help with this

    1. Jorge Villalobos wrote on :

      From the main menu, select Tools > Add-ons. This opens a new tab with the Add-ons Manager. Look for the Plugins pane and select it. Locate the Java Plugin entry and click on the Enable button.

  8. Suza Martinez wrote on :

    I went to Add-ons Manager and it does not have a Enable button for Java or Shockwave Flash, it just states that it has been disabled. This is sure way of getting us to not use mozilla Firefox!

    1. Jorge Villalobos wrote on :

      Which version of Firefox are you using? Is this on Windows or Mac OS?

      1. Suza Martinez wrote on :

        I’m running Mac OS 10.5.8. I have a 30 macbook computer lab at an elementary school. I had no issue until I updated to Firefox 12.0. Firefox was my preferred browser until I encountered this problem. I may have to go back to Safari if this can’t be resolved. Upgrading to 10.6 is not a solution due to lack of funds.

        1. Jorge Villalobos wrote on :

          Do you see the enable / disable buttons for other plugins? You can send me a screenshot to jorge AT mozilla DOT com.

          1. Suza Martinez wrote on :

            Yes. I can see the enable/disable buttons for other plugins. I sent you a screenshot.

  9. Linda O’Connell wrote on :

    I am using OSX 10.7.4 and am confused as to what I can do. I cannot view pdf files that I download from a very secured site any longer. I am a manager with lia sophia jewelry and when I log in to their server to view reports (pdf files), they come up a blank screen.

    I have been reading the comments and suggestions and if I’m not mistaken it sounds like it is happening because of an update I made with firefox ( using version 12.0 now), and for security reasons the plug-ins are blocked. If this is the case. Are there any options other than unblocking and blocking every time I want to log in to the system?

  10. Linda O’Connell wrote on :

    ok, I stand corrected. I enabled the plug-in and signed on to view the reports thinking it would have allowed it, however, the report opened as a blank screen. Can you please direct me as to what I am doing wrong, and what I may try?

    Thanks so much 🙂

    1. Jorge Villalobos wrote on :

      The problem is the plugin, not Firefox. You’ll get blank pages regardless of which Firefox version you use. What I recommend is that you disable the plugin again and just install the PDF Viewer extension.

  11. Katherine wrote on :

    I’m sorry, but it’s really annoying that people just expect users using OSX 10.5 and older versions are just expected to update their mac, which costs money, so Java and Firefox just dump the users who don’t have the financial resources to get the newest and the best version ?
    Maybe it’s just a way to squeeze money out of people ?
    I can’t do a lot of things that i was used to doing while I still had the Java plugin.
    I don’t see the point of using Firefox anymore.

  12. kent green wrote on :

    I use OS 10.5.8 and if I upgrade to latest OS I will have to upgrade all my CAD and graphics software as well ($4500+).

    I am very disappointed that that Mozilla is dumping us senior citizens.

    I guess I will be testing Chrome’s bookmark import feature soon!

    1. Rachel wrote on :

      Agreed. I have several core programs that are necessary for my business and they do not work with the newer OS, nor have they released versions that are compatible with anything later than 10.5, so I’m pretty much stuck with 10.5.

      I really wish that more people thought about the implications of these upgrades for people running older systems; back-compatibility ought to be one of the priorities.

  13. Bob wrote on :

    Several years ago I had to download Firefox to open some documents that Safari wouldn’t open. Shortly after, I got an ‘update’ notice from Firefox and as soon as I had downloaded it, up popped a (very professional-looking) update box from Adobe Flash saying it too had an update for me. The result was a full-blown Trojan virus ! It is still happening (several days ago), although I don’t fall for the Adobe update anymore.
    Now, each time I go to run a video on Firefox, I get a small (amateurish-looking) box, right in the middle of the video screen, asking for permission to use some space on my computer. You can ‘Accept’ or ‘Deny’, but you can’t delete it. If you hit ‘Deny’, it just keeps coming back.
    Apple, Adobe, and Mozilla have known about these viruses for years but done little or nothing. Why do you allow this to contunue ? We expect more.

  14. Runi wrote on :

    I have an OS X 10.5.8, and today I downloaded the latest java update for OS X 10.5.8. users because another application on my machine required it, but when opening my hotmail account, I can’t open my messages anymore, how come?

  15. Sarah wrote on :

    Mac 10.5.8 and older didn’t get a Java update because it didn’t NEED one, it wasn’t vulnerable to the security loophole in the first place. There’s no reason for you to be blocking our software. I don’t have the money to upgrade my software, and frankly, I wouldn’t want to, because I don’t like the restrictions Apple places on you once you get into Lion and start having to use the App Store for everything. Thank you for at least making this a soft block, but purchasing new software should not be your solution here.

  16. Vishal wrote on :

    One of my software stopped working after I updated my Java Plugin in Firefox to 13.7.0. I am having a MAC system. I want to go back to older version of Java plugin 13.5.0. how can I do that.

  17. Michael wrote on :

    I am extremely disappointed about FF 13 (on Mac OS X 10.5.8) because I am not able to re-enable Java. There is no button to activate the plugin.

    With Safari I had a way more user friendly experience:
    (1) It actively told me about the de-activation
    (2) It also told me how to re-activate Java
    (3) it worked !!!

    Safari is now my default browser.

    Thanks for the good SW in the past.

    br
    Michael

  18. Matt wrote on :

    I can accept that Firefox disables flash for security reasons. What I cannot accept is the constant warning everytime the browser comes to page that requires flash. I think I got it the first 500 times or so. Seriously, there is no way to update to with G4 macs to the newer flash software so please give us a break. Eesh.

  19. Sherry wrote on :

    I am running a MAC 10.6.8. I have tried everything and can not re-enable my Java. It is not even listed in the plug-in list on FF. My computer software is up to date according to the Updater. I will have to start using Safari if you can’t help me enable it. Please help!

    1. Jorge Villalobos wrote on :

      Can you check on about:plugins and see if it’s listed there?

  20. Myxa wrote on :

    Very bad move by Mozilla. I have 10.5 computer and no Enable button you speak of. Like other said I will be turning users to Chrome now to avoid problems in future. Why not just give us a warning and let US decide if we want to turn off Java or not is beyond me.

  21. Talaat gazala wrote on :

    I have a new iPad ( ipad3 – 32 gb-4g) as I begin to watch my ip camera it ask java blug in. How can I get this in my iPad. Thanks

  22. Tess Tarkels wrote on :

    Bollocks!
    I need java in my browser… But can’t use it because the twats at apple won’t release a java 7 for mac os 10.5.8
    Screw paying apple for an upgrade just for the privilege of being able to keep java up-to-date.
    Morons…

  23. Jerry wrote on :

    I keep getting messages that my Firefox needs upgrade but because of my 10.5 system, I can’t go any further. Computer works fine and I don’t plan to purchase new one.
    Does it mean good bye Firefox? Those messages are annoying!

    1. Jorge Villalobos wrote on :

      Some of the recent update messages may be related to other plugins, like Flash or Adobe Reader. You should go to the plugincheck page and see if there are any updates available.

      There’s no way around the Java issue on 10.5, unfortunately.

  24. Cossie wrote on :

    All of a sudden both my macbook and my iMac decided not to allow me to play any games that require java plug-in. I am using OS X 10.8.2 and whenever I try to play an online game that have been playing for sometime now, I get and “blocked plug-in” icon and once clicked it prompts me to download the latest Java. I have done it a few time but it doesnt want to work. Any ideas??

    1. Jorge Villalobos wrote on :

      You should see an option to enable the plugin on that site. Do you not see it?

      The reasons for the recent block are given in this new post.

  25. Karin wrote on :

    I disabled the JAVA and found that one of my trusted websites no longer worked correctly.

    I enabled it again, and although it says enabled, and I have rebooted, it still doesn’t work.

    OS 10.5.8, and no I can’t afford to upgrade. Who can in this economy??

    1. Jorge Villalobos wrote on :

      You should see a message on the page giving you the option to enable the plugin once. You should also see an icon to the left of the URL bar where you click and enable the plugin for that site.