Protecting Users Against Java Vulnerability

mcoates

Update – January 18, 2013
Mozilla is extending Click to Play for Java 7u11 due to reports of exploit code available for 7u11 and information that all elements of the original Java bug have not been fully addressed by Oracle in the 7u11 patch.

Update – January 13, 2013

Oracle has released an update to address this vulnerability. Read more here and download updates here.

Issue

Mozilla is aware of a security vulnerability in the current version of Java (Java 7 Update 10) that is being actively exploited and affects any browser using the Java plugin. Firefox users may be vulnerable to this issue if they have the Java plugin installed in their browser. Information on how to check which plugins are installed can be found here.

Impact
An attacker could exploit this vulnerability to execute malicious software on a victim’s machine. This vulnerability is being actively used in attacks and the malicious exploit code is also available in common exploit kits.

Status

There is no patch currently available for this issue from Oracle. To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.

The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.
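To make the policy above concrete, the following added example (not Mozilla's or Firefox's own code) classifies a Java plugin version string against the versions this post names and honours a per-site allowlist the way Click To Play's per-site enabling does; the version list, the sample hostnames and the treatment of versions older than the list are assumptions made here.

```python
import re

# Java plugin versions the post places under Click To Play, as (major, update).
# 7u9, 7u10, 6u37 and 6u38 come from the Status section; 7u11 from the Jan 18 update.
CLICK_TO_PLAY_VERSIONS = {(7, 9), (7, 10), (7, 11), (6, 37), (6, 38)}

# The three shapes in which version strings appear on this page.
_FORMS = (
    re.compile(r"^1\.(\d+)\.0_(\d+)$"),            # "1.6.0_18"  (java -version)
    re.compile(r"^(\d+)u(\d+)$"),                   # "7u11"      (post shorthand)
    re.compile(r"Platform SE (\d+) U(\d+)", re.I),  # "Java(TM) Platform SE 7 U5 ..." (plugin name)
)

def parse_java_version(text):
    """Return (major, update) for a recognised string, else None."""
    text = text.strip()
    for form in _FORMS:
        match = form.search(text)
        if match:
            return int(match.group(1)), int(match.group(2))
    return None

def plugin_decision(version_text, site, user_allowed_sites):
    """Decide how the Java plugin is treated on `site` (a hostname).

    Returns one of:
      "click_to_play" - a listed version (or an unrecognised string: fail closed);
                        the plugin loads only after an explicit click.
      "allow"         - a listed version the user enabled for this site, or an
                        update newer than any listed for that major version
                        (newer updates stay allowed until the list is extended,
                        as the Jan 18 update did for 7u11).
      "block"         - an update older than the listed ones for that major;
                        assumed here to fall under the post's "existing plugin
                        blocking" for older Java.
    """
    parsed = parse_java_version(version_text)
    if parsed is None:
        return "click_to_play"
    major, update = parsed
    listed = sorted(u for m, u in CLICK_TO_PLAY_VERSIONS if m == major)
    if not listed:  # a major version the list says nothing about: fail closed
        return "click_to_play"
    if update in listed:
        return "allow" if site in user_allowed_sites else "click_to_play"
    return "allow" if update > listed[-1] else "block"
```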

Demo screenshot of Click To Play

Additional Information

We encourage users to always keep plugins up to date. Visit the plugin check website to update plugins now.

Information to fully disable the Java plugin can be found at the following page: http://support.mozilla.org/kb/How to turn off Java applets


Michael Coates
Director of Security Assurance

70 responses

  1. Dr No wrote on :

    Firefox is blocking the plugin component of JRE 7 Update 11. Firefox shows the plugin as version Java(TM) Platform SE 7 U5 10.5.1.255. Perhaps the block includes any Java plugin that is identified as SE 7 U5, regardless of the version number? If this update does fix the vulnerability, then the scope of the block should be narrowed.

    1. Helios wrote on :

      Workaround: Uninstall the standalone JavaFX 2.x.

      http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
      http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8005410

      1. G_A wrote on :

        In addition to this, you might need to close the browser, open the Java control panel, go to Security, untick the “Enable Java content in the browser” checkbox, press OK, then open the Java control panel again, tick the same checkbox and press OK.

        Might be something is bugged when you installed u11 with FX installed in the first place. Even a total uninstall of everything Java, reboot, reinstall and reboot again still didn’t enable the Java plugin in either IE or FF.

    2. alex_mayorga wrote on :

      That’s apparently a bug from Oracle[1], try removing all versions of the JRE, then install just 7u11.
      Hope it helps.

      1 http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8005410

      1. Forrest wrote on :

        Nope, that’s not the issue. That’s a Windows specific issue, and Firefox is still blocking the patched version of Java on Macs too.

  2. Axis wrote on :

    Thank you for making this troublesome add-on issue a “click-to-play” block rather than a full block. It respects a user’s rights while also offering security. That is WAY better than the ordeal everyone was going through just a week or so ago with the last Java update confusion.

  3. Joel Rees wrote on :

    The plugin check page — ouch!

    It’s in Japanese.

    Well, I read Japanese sort of well, actually operate in mixed mode a lot of the time, but a lot of my foreign national friends living in Japan don’t.

    Automatically selecting the language by browser setting and/or location, and failing to provide a language switch link/button on the page is so, well, ’90s.

    BTW, I go to that page and it tells me my gnash is an out of date flash. Does not mention java at all. (Debian Squeeze:
    —————————————————————————
    useralpha@ws001:/home/useralpha$ java -version
    java version "1.6.0_18"
    OpenJDK Runtime Environment (IcedTea6 1.8.13) (6b18-1.8.13-0+squeeze2)
    OpenJDK Client VM (build 14.0-b16, mixed mode, sharing)
    —————————————————————————)

    So, is IcedTea not vulnerable? (Heard some rumor that suggests otherwise.)

    And why doesn’t java show as a plugin? JDK installed globally, perhaps?

    I think there are a lot of rough edges being exposed here.

    1. joel.rees wrote on :

      Answering one of my own questions, Oracle’s advisory indicates that java 6, 5, and 4 are not affected, although all updates of Java 7 through update 10 are, and the just released update 11 provides a temporary patch similar to Mozilla’s plugin blocking function.

      The CERT advisory and vulnerability note only specify Oracle Java with a new feature from version 7, so it looks like IcedTea will not be affected.

  4. Jürgen wrote on :

    http://www.javatester.org/version.html tells me I’m using Java Version: 1.7.0_u9 from Oracle Corporation but I’m having IcedTea Plugin installed (Linux Mint 14). So it would be nice if there would be a way that Mozilla can protect IcedTea users as well.

    Mozilla Plugin Check tells me about my IcedTea thingy: unknown plugin.

  5. Mary Lou wrote on :

    On the eve of 1/13 I noticed an update #11 was available for Java. I downloaded it; it seems to be OK, but I’m not sure of the safety. I have not been able to find out any news about this update.

  6. Scott40 wrote on :

    1/14/13 — Today I successfully manually installed Java 7.1 U11 using the downloaded file ” jre-7u11-windows-i586.exe” on a 32 bit XP3 machine with IE and Firefox 18. The Firefox plugin for Java will not install. Using Firefox to go to “http://www.java.com/en/download/testjava.jsp”, to test if Java is working, results in a message saying ” A plugin is needed to display this content” “Install plugin”. Clicking on “Install plugin” results in an “Available plugins download” window being displayed. Within the window one plugin is listed. It is ” Java Runtime Enviroment 1.7 u10″ Clicking the NEXT button attempts to install the plugin but fails. The plugin “Java Deployment Toolkit 7.0.110.21 does show in the list of installed Firefox plugins but that is the only Java plugin in the list. The newly installed Java U11 works fine with IE.

    Is Firefox blocking the plugin installation because Java (Oracle) is attempting to install the non-secure version 1.7 u10? Did the JRE FF plugin fail to install due to an error in the Java u11 installation file (possible lack of registry entries from Oracle)?

  7. Jive Dadson wrote on :

    I have installed the latest Java from Oracle, and as of Jan 15, I still cannot get Firefox to run any Java app. For example, http://netdania.com/Products/live-streaming-currency-exchange-rates/real-time-forex-charts/FinanceChart.aspx?m=c. At the top, I get a message that says “Additional plugins are required to display all media on this page.” On the right is a button labeled “Install missing plugins…” I click it and the banner with the message and button disappears. The app does not start. In the area where it is supposed to start, there is what appears to be a link, labeled “Install plugin…” I click it and nothing happens.

    I have tried everything I can think of, but no joy. I have removed all Java installations and re-installed the latest. I have rebooted everything.

    I can get Windows Explorer to run the app. It prompts me first, which is fine with me.

    Any ideas?

    1. Jive Dadson wrote on :

      Update. I uninstalled Java FX. I have no idea what that is. Anyway, now it works.

      What a mess!

    2. David wrote on :

      Same issue, Firefox (latest version, 18) informs me the plugin is out of date, clicking the Install Plugin link tries to install U10 not U11 (patched version I believe).

      Not sure what version I was on this morning, (guessing u10) but after trying Chrome the update they linked to was U11 so running v11 now.

      Under https://www.mozilla.org/en-US/plugincheck/#list-plugins it says I’m up to date Java Deployment Toolkit 7.0.110.21 (1.7.0.11)

      Tried rebooting Firefox multiple times, no joy, left with a message a plugin is needed to display this content with an install link below which tried to install U10 which fails.

      David

  8. Rad wrote on :

    Just to share with you what I did on my Windows 7 32-bit and Firefox 18. I am studying Java and I was trying to view my 1st applet ever in a browser. I got the issue of the plugin, and Firefox asked me to manually install Java as the plugin failed to be installed from within Firefox. I did that then closed my Firefox and started it up again. Firefox asked me if I want to run this applet and I said yes and never ask again. It worked nicely ever since. I have now certified myself as Java Applets Guru, Firefox Guru, and Music Writing Guru (for no related reason).

  9. Doug Huffman wrote on :

    I have given up on Java. I’ve gone round and round reading ‘helpful’ blogs and snide retorts, how-tos and restatements of the problem. At one time I had to delete ten copies of the “plug-in” that wouldn’t load.

    When there is a comprehensive step-by-step protocol to establish a known browser/OS status, reinstall Java, reinstall FF, reinstall all common plug-ins, et cetera ad nauseam, then I’ll try again. Thank goodness I haven’t found anything essential that doesn’t work.

    Sun/Oracle, Re-write Java.

  10. Mike S wrote on :

    Does Mozilla plan on requiring Click-to-play for all future JRE’s by default? Or will the patched Java JRE run automatically in the next Firefox update?

  11. Sean Scott wrote on :

    I need a way to disable your “click to play”! I have rolled Java back to 6-38 but still FF keeps making me click. My application (Maplesoft’s “Maple T.A.” Equation Editor) does not work properly with this feature; I need Java to run unhindered. Can you help ASAP?

    1. Gary C wrote on :

      Sean – about:config. Find plugins.click_to_play. It is likely set to “True”. Double click or rt click and select toggle to set it to “False”. You may need to restart the browser for the setting to take effect. Just remember, if the Java plug-in remains enabled, it will be enabled for all pages your browser hit, leaving your system vulnerable to exploits. At least your needed site should work ok again.

  12. Anonymous wrote on :

    So annoying! Firefox goes and automatically blocks it and I can seem to make it work again. Stops Nintendo UK website working. Guess I’ll have to wait to join club Nintendo :'(

  13. Blair Nastasi wrote on :

    There’s an easy way to disable Java immediately using Group Policy or your own management tool. We have a blog and video to show you exactly how to do it:

    http://www.policypak.com/blog/entry/exactly-how-are-you-going-to-turn-off-java-now-in-your-enterprise.html

  14. Thomas Thomassen wrote on :

    Seems that 7.11 is also blocked. I have to activate it. Firefox gives me this message:

    “Java Plugin 7 update 11 and lower (click-to-play), Windows has been blocked for your protection.”

    1. Jody wrote on :

      Just saw version 18.0.1 Firefox out there. Does this in fact fix the 7.11 vulnerability?

  15. Ari wrote on :

    Java fix does not work at all – Java test says that all is OK, but when I try to access any Java site it says “this Java plugin has security vulnerabilities… blaa blaa blaa”, but after a while it says Java has been updated?????

    That bugs me b coz of confusing messages – does not work on online banking at all or so – what the F****.

    IE works fine + other browsers – sure it is for our safety because of the security risk, but normal users like grannies or so may wonder what the hell is going on….

  16. Paul wrote on :

    What the hell is going on?
    I don’t need FF to take care of my security, we’ve 100+ users in my company using java apps daily in their browser and they go crazy since they have to click all days on your stupid ‘click to play’ button.

    Woohoo guys, I have now to ask them to run it into IE… What a shame.

  17. Doug Huffman wrote on :

    Is the observation that the plug-in downloaded and failing to load is JRE 7 u10?

    Following the unhelpful directions I uninstalled Java, ran the M$ registry repair, disabled all protection and reinstalled JRE (and JDK separately). Testing at Java.com causes the plug-in needed warning, responding to which is similarly unhelpful as it sends one, me, back to the JRE download page.

    I continue to wait for Java 7 u13 or Java 8 or a complete re-write, maybe of some simplified subset for users.
