Update – Aug 31, 2012
Yesterday Oracle released a patch for the critical vulnerabilities identified within Java.
Visit the Mozilla Plugin Check webpage to find out if your Java plugin needs to be updated:
https://www.mozilla.org/plugincheck/
Additional information from Oracle can be found here:
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
Update – Aug 29, 2012
We’ve been closely monitoring the recent Java security vulnerability and evaluating different options to best protect our users.
Our goal is to provide protection to Firefox users against this actively exploited vulnerability in Java while also leaving the user in control so they can choose to allow Java on important sites that they trust.
We are still working out the implementation details, but our solution will accomplish two primary objectives:
- By default, vulnerable versions of Java will be disabled for our Firefox users.
- Users will be provided the option to enable Java through a clear and visible message that will be displayed anytime the user views a page using Java.
We’ll provide additional updates when items are finalized. In the interim, we still advise users to disable the Java plugin as described below.
Lastly, starting this week in Aurora and Beta we’ll begin adding the components of click-to-play, a Firefox security control that helps protect users against outdated and vulnerable plugins. We anticipate this new security feature to be fully operational by Firefox 18.
Original Post – Aug 28, 2012
Issue
Mozilla is aware of a security vulnerability (CVE-2012-4681) in the current version of Java 7 (version 1.7, updates 0 through 6) that is being actively exploited to compromise users. Firefox users may be vulnerable to this issue if they are running the Java plugin within their browser.
Impact to Users
An attacker could exploit this vulnerability to download and execute malware on a user’s machine.
We have received reports of this vulnerability being actively used in targeted attacks, and the exploit code is also available in common exploit kits, indicating that the number of attacks may increase.
Status
At this time there is no patch available from Oracle to address the vulnerability within Java. We recommend that users disable the Java plugin within Firefox to ensure they are protected against this vulnerability.
Steps to disable the Java plugin can be found here:
http://support.mozilla.org/kb/How+to+turn+off+Java+applets