New Java Blocklist

Jorge Villalobos

52 responses

The June 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer.

This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin (Version 6 Update 32 and below as well as Version 7 Update 4 and below) to Firefox’s blocklist.

Mozilla strongly encourages anyone who requires the Java JDK and JRE to update to the current version as soon as possible on all platforms.

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied. If the block is accidentally accepted, the plugin can be enabled again in the Add-ons Manager, in the Plugins pane.

Updated versions of the JRE for Windows and Linux operating systems are available through java.com. Mac OS X users can update to the latest version using the Software Update utility.

52 responses

  1. Kimberley wrote on :

    I updated my Java. So can I turn the plug-in back on or should I keep it disabled? Java Platform Se 6 U31. Will it always be a risk? Thank You.

    1. Jorge Villalobos wrote on :

      If you don’t use Java in your regular browsing, I recommend that you don’t enable it unless you need it. Java is rarely used on the web and it is a possible attack vector.

      You should have at least Java Platform Se 6 U33 to be safe of all known security problems.

      1. Roberto wrote on :

        You are quick with blocking add ons but you are not quick to tell us how to install the replacement under ubuntu natty narwhal! All the How to do in the web including that from oracle are crab and they do not work! I think that all these security blabla comes from very paranoid brains. You are not right to tell us that java isn’t used in the web very often. I need Java for much apps like webmin etc.

  2. Torvald Flemming wrote on :

    I really dislike the vagueness of security warnings. Give us concrete examples so that we can be equipped to evaluate what we are deciding. Who has been compromised by this vulnerability, when was it first discovered and how does the attack work in practice.

    1. Jorge Villalobos wrote on :

      The June 2012 update link has all the details that Oracle has provided about it. We know that an exploit for this bug is now part of a popular hacker software package, so anyone interested in attacking this vulnerability can easily do so.

      An attack could occur if you load a malicious applet on a webpage. The applet code can use the vulnerability to break out of its security sandbox and run malicious code with local permissions, potentially gaining control over your system. I’m not sure what “authenticated” means in the link you posted below, though.

  3. Torvald Flemming wrote on :

    http://www.infosecurity-magazine.com/view/27570/oracle-warns-about-privilege-escalation-flaw-in-its-database-server/

  4. Any File wrote on :

    On the following pages of the addons web site

    https://addons.mozilla.org/en-US/seamonkey/blocked/p125

    https://addons.mozilla.org/en-US/seamonkey/blocked/p123

    https://addons.mozilla.org/en-US/seamonkey/blocked/p119

    I can read

    Who is affected?
    All Firefox users who have installed the Java plugin, JRE versions below 1.6.0_33 or between 1.7.0 and 1.7.0_5.

    Instead in this page it is written

    […] Version 7 Update 4 and below)

    so the question is

    Is the Version 7 Update 5 valid or is it blocked?

    1. Jorge Villalobos wrote on :

      Version 7 update 5 has the patch for this security bug and is not blocked. You are correct, the descriptions in the blocks were wrong and should say “between 1.7.0 and 1.7.0_4”. I’ve corrected them now.

      Thanks!

  5. Tom wrote on :

    I have updated java using the link above, may I now reenable the plugin – Java(TM) Platform SE U5 10.5.1.255

  6. MikeMacMan wrote on :

    I think the block notification page is incorrect. It lists versions between 1.7.0 and 1.7.0_5 are affected. As far as I can tell, 1.7.0_5 is not affected.

    https://addons.mozilla.org/en-US/firefox/blocked/p125

    1. Jorge Villalobos wrote on :

      Yeah, it’s fixed now. Thanks!

  7. rohit kumar raut wrote on :

    why my java block how can i open video

    1. Jorge Villalobos wrote on :

      Rohit, you can either update your Java or just enable the plugin again at your own risk.

  8. Pavel Cvrček wrote on :

    This block is useless for Windows 2000 users. Yes, Mozilla still supports this OS in Firefox LTS. At this moment there is no option to upgrade Java to the newest (and safe) version. Java 7 is not supported, Java 6 has a bug in Java 6 Update 32 and higher. You cannot install newest update.

    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7166889

  9. Florian Meyer wrote on :

    Is their a new Update out?

    1. Jorge Villalobos wrote on :

      The latest version of Java is not vulnerable to this problem. It was released back in June. If you have that version installed, you should be OK.

  10. Alejandro wrote on :

    Hi Jorge, is there any way to know when a new version of java is going to be blocked by firefox? maybe some days before?
    I’m developing a web aplication for a company and when this occurs causes a lots of headaches and users get angry
    Thanks.

    1. Jorge Villalobos wrote on :

      One way to know about this is to follow the Blocklisting component in Bugzilla, which would generate some noise but would at least give you a heads up about it. We also talk about major blocks in the Channel Meetings, but that also has a bunch of unrelated stuff. You could also have a computer pointing to our staging server, where we stage major blocks a few days in advance… that’s probably the closest to what you need.

      1. Alejandro wrote on :

        Thanks for your information,I will try it.

        One more question, I know two ways to solve my problem.

        a) Disable plugin updates (Firefox options)

        b) Disable blocklist checking (about:config -> extensions.blocklist.enabled = false)

        Which is better and why? Do i have any problems?

        Thanks

        1. Jorge Villalobos wrote on :

          Both of these approaches will put the system at risk, and option (a) won’t prevent the blocklist from doing its job. You can ask in the Enterprise list for more details, but I do think that many recommend option (b).

        2. Jorge Villalobos wrote on :

          Oh, and Java is already being considered for a new block. See this bug report for more info.

          1. Alejandro wrote on :

            Where do you publish the new block post when it happens?

            Perhaps in this blog as other times?

            SURE Java 6u33 or 6u34 does not affect?

            Thanks for your quick response.

          2. Jorge Villalobos wrote on :

            It will be posted on this blog, for sure. You can add yourself to the CC list in the bug to track any changes to it, including when it is staged and pushed live.

            It doesn’t affect the 1.6 branch.

          3. Alejandro wrote on :

            Thanks for all Jorge.

      2. Alejandro wrote on :

        Hi again Jorge, i have two questions:

        1) Could you tell me something about this entry?

        about:config

        extensions.blocklist.itemURL

        2) It’s posible to change this entry value:

        extensions.blocklist.detailsURL

        From

        https://www.mozilla.com/%LOCALE%/blocklist/

        To

        https://addons-dev.allizom.org/%LOCALE%/blocklist/

        Thanks for your attention.

        1. Jorge Villalobos wrote on :

          extensions.blocklist.url is the preference that really matters, because it’s the one that tells Firefox where to get the blocklist from. itemURL is used to point users to “more details”. detailsURL appears to be unused, but you can make it point to the URL you indicated.

          1. Alejandro wrote on :

            Thanks for your knowledge Jorge.

            When java 7u6 will be blocked by firefox? Maybe during this weekend?

            Thanks for your time.

          2. Alejandro wrote on :

            What about Java 6 u 35?

          3. Jorge Villalobos wrote on :

            There’s no plan or schedule. I’ll post in the blog if/when we decide to go for it.

          4. Jorge Villalobos wrote on :

            There’s no plan to block anything in the Java 6 branch. It’s not vulnerable as far as we know.

          5. Alejandro wrote on :

            Thanks again Jorge, I will read the blog for new notices.

          6. Alejandro wrote on :

            There is a new block of java?

          7. Alejandro wrote on :

            Sorry for what I wrote before, because was not right.
            I have the version Javau35, this version is blocked by Firefox so users can not use?

          8. Jorge Villalobos wrote on :

            Update 35 shouldn’t be blocked.

          9. Alejandro wrote on :

            thanks for your attention

  11. Mel Martin wrote on :

    Hi Jorge,

    I hate to ask but how do you enable to old plug-in?

    I need to enable the old plug-in for a testing application (Rational Functional Tester) that doesn’t seem to work with the new plug-in (who knows maybe they were exploiting the hole).

    Thanks,
    Mel

    1. Jorge Villalobos wrote on :

      You would need to remove the new JRE and then install the old one. The blocklist dialog will appear, and all you need to do is uncheck the plugin so that the block doesn’t apply.

  12. Jack wrote on :

    Thank you for your detailed information, yet none of the solutions seem to work for me.

    I have an iMac running 10.6.8 updated fully as of this note. Using FireFox latest, and yet I can no longer see video on sites like ESPN, nor use the sites like Shutterfly or Picabo to make photo albums

    I have tried every thing that you have listed above and in your previous post on the Java block. Do you have any suggestions as to what I’m missing?

    Thank you!

    1. Jorge Villalobos wrote on :

      Are your plugins up to date? Are you sure it’s Java causing this problem? It sounds more like a Flash issue.

  13. Nem wrote on :

    I have updated java using the link above, may I now reenable the plugin – Java(TM) Platform SE U5 10.5.1.255

  14. Sarah wrote on :

    The instructions at http://www.java.com/en/download/linux_manual.jsp say to check the file size on the download. The 64-bit download sizes do not match. (I have 55.3 MB on disk vs. 52.7 MB on the site for the RPM and 46.7 vs 44.5 MB for the .tar.gz.)

    Are the files actually corrupted? Is it better to install the apparently-corrupted files or leave the current poor-security Java plugins in place? Is there another site where I should be getting files?

    Thanks

  15. WTF wrote on :

    7.11 is blocked – no update available
    PERFECT!!!

  16. Ayla wrote on :

    I installed Java 7.11 but it’s still giving me the warning; is there a way to go back for a different version?

  17. Jessica wrote on :

    Is there a setting I can use in Firefox to disable to plugin check and plugin blocking features from activating? I’ve tried a couple settings, which looked promising until the dreaded “Add-ons may be causing problems” eventually showed up.

    I run an enterprise environment with managed computers where changes to PCs are reset at logoff/restart, and have tight control over all application versions.

    We can’t have the browser suddenly stop working because a plugin is unsafe.

    1. Jorge Villalobos wrote on :

      You can disable the blocklist by setting “extensions.blocklist.enabled” to false. Otherwise you can use an add-on like Click-to-Play Manager to whitelist specific domains from click-to-play blocks.

  18. Steve wrote on :

    Running XPSP3.
    1. The latest version of Java offered for FireFox WILL NOT INSTALL. An error message says that the “Install Wizard was interrupted.” I even exited from all security software I had installed since my previous successful Java installation. Java install still failed. It seems that Oracle needs to do some more work.

    2. Java is needed to do a proper MHTML file save. (File will look like it was saved, but you can’t open it.)

    3. I also successfully updated Flash, but FireFox still says I have the older, vulnerable version. Hey, Mozilla, wake up!

  19. Steve wrote on :

    Whoops, I meant Acrobat, not Flash. Also, although Adobe Acrobat “said” it installed successfully, it didn.t.

  20. Steve wrote on :

    I installed Acrobat XI again. This time it worked.

  21. Dem wrote on :

    I have tried every thing that you have listed above and in your previous post on the Java block. Do you have any suggestions as to what I’m missing?
    thanks

    1. Jorge Villalobos wrote on :

      Can you explain the problem you’re experiencing? Which version of Firefox are you using?

  22. rw wrote on :

    Here is my frustration with making it difficult to keep java v.1.06u.33 without being nagged frequently. I now work for one of the largest and oldest and seemingly most profitable drugstore companies in the US and their time-clock/payroll is managed by Kronos (and an older version at that). And the company is too big to update their Kronos and Kronos is too big to bother leaving Java behind. In fact – our company wants us back at Java v.1.06.17 and IE6. Now – we have to use other proprietary software that uses Java as well – Compellent, Symantec Endpoint Protection, etc. whose consoles are Java based and they also can be a bit slow to respond to every little Java update and then tools get broken and time gets wasted because even behind our firewall – we can’t always upgrade and we can’t always stay put and the browser mandating an update that the enterprise doesn’t allow makes for a lot of frustration. It’s nice that you want to have our backs – but in the end – we need to be able to override your “authority” and get back to work.

    Make it easier to keep the old sh!+ if we want to.

    1. Jorge Villalobos wrote on :

      It sounds like you should ask whoever is in charge of your IT to check out our Enterprise group, where solutions to this problem have been discussed extensively. There are some configurations and tools that IT personnel can use to avoid any problems related to blocklisting.