Categories: Press Security

Protecting Users Against Java Vulnerability

Update – January 18, 2013
Mozilla is extending Click to Play for Java 7u11 due to reports of exploit code available for 7u11 and information that all elements of the original Java bug have not been fully addressed by Oracle in the 7u11 patch.

Update – January 13, 2013

Oracle has released an update to address this vulnerability. Read more here and download updates here.


Mozilla is aware of a security vulnerability in the current version of Java (Java 7 Update 10) that is being actively exploited and affects any browser using the Java plugin. Firefox users may be vulnerable to this issue if they have the Java plugin installed in their browser. Information on how to check which plugins are installed can be found here.

An attacker could exploit this vulnerability to execute malicious software on a victim’s machine. This vulnerability is being actively used in attacks and the malicious exploit code is also available in common exploit kits.


There is no patch currently available for this issue from Oracle. To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.
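As an added example (not Mozilla's code and not part of the original post), the script below parses the first line of `java -version` output and classifies the installed release against the versions this post names (7u9, 7u10, 6u37, 6u38, and 7u11 from the January 18 update). The host names and version outputs are constructed samples; the verdicts reflect only what the post states, and anything newer than the named updates is flagged for a check against Mozilla's current blocklist rather than guessed at.

```python
"""Classify a Java runtime against the releases this post names.

Added example, not Mozilla code.  Oracle's Java 6 and 7 report themselves
as 1.<major>.0_<update> (e.g. "1.7.0_10" is 7u10), which is what we parse.
"""
import re
from typing import NamedTuple, Optional

# Releases the post names as covered by Click to Play: 7u9, 7u10, 6u37, 6u38,
# plus 7u11 from the January 18 update.
CLICK_TO_PLAY = {(7, 9), (7, 10), (7, 11), (6, 37), (6, 38)}

# Highest update in each major line the post mentions; anything above it is
# outside what the post says and needs a look at the live blocklist.
LATEST_COVERED = {7: 11, 6: 38}


class JavaVersion(NamedTuple):
    major: int   # the "7" in 7u10
    update: int  # the "10" in 7u10


# First line of `java -version` (printed on stderr), legacy 1.x numbering.
_VERSION_RE = re.compile(
    r'^(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?"', re.M)


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Return (major, update) from `java -version` output, or None if it
    is not a 1.x-style version string (Java 9+ uses a different scheme)."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return JavaVersion(int(m.group(1)), int(m.group(2) or 0))


def classify(output: str) -> str:
    """Map a version string to the state described in the post."""
    v = parse_java_version(output)
    if v is None:
        return "unrecognized: not a 1.x Java version string"
    if v in CLICK_TO_PLAY:
        return "click-to-play: named in the post; plugin runs only after a click"
    latest = LATEST_COVERED.get(v.major)
    if latest is None:
        if v.major < 6:
            return "older: already blocklisted or click-to-play per the post"
        return "newer major line: not covered by this post"
    if v.update > latest:
        return "newer update than the post covers: check the current blocklist"
    return "older: already blocklisted or click-to-play per the post"


# Constructed sample outputs, one per hypothetical host.
SAMPLE_OUTPUTS = {
    "workstation-a": 'java version "1.7.0_10"\n'
                     'Java(TM) SE Runtime Environment (build <constructed>)\n',
    "workstation-b": 'java version "1.6.0_37"\n',
    "workstation-c": 'java version "1.7.0_05"\n',
    "workstation-d": 'java version "1.7.0_11"\n',
    "build-box":     'java version "1.7.0_25"\n',
}


def report(samples=SAMPLE_OUTPUTS) -> dict:
    """Verdict per host, suitable for an inventory sweep."""
    return {host: classify(out) for host, out in samples.items()}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host:15} {verdict}")
```

To use it on a real machine, capture `java -version 2>&1` and pass the text to `classify`; the 7u10 "Java in browser" preference that later comments mention is a separate switch and is not reflected in the version string.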

The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.


Demo screenshot of Click To Play


Additional Information

We encourage users to always keep plugins up to date. Visit the plugin check website to update plugins now.

Information on how to fully disable the Java plugin can be found on the following page: to turn off Java applets


Michael Coates
Director of Security Assurance

70 comments on “Protecting Users Against Java Vulnerability”

  1. anon wrote on

    would be great if this was an option on all plugins – enable, disable, restrict (click to play / whitelist)

    1. Jared Wein wrote on

      In fact it is 🙂

      Go to about:config and set plugins.click_to_play=true and you will get this functionality.

    2. Daniel Veditz wrote on

      You can force all plugins to be Click to Play by going to about:config and changing the preference plugins.click_to_play to true.

      From the Click to Play UI (the drop-down shown in the picture above, or by clicking the blue-block icon in the address bar) you can block or allow plugins for the site you’re on.

      We have not yet exposed a way to block or allow specific plugins on specific sites, that is, you can’t block Java but allow Flash; right now it’s all or nothing on a per-site basis. You can permanently disable any plugin for all sites from the Add-on manager dialog, but then you can’t use Click to Play to enable it.

  2. Sreenath Sasikumar wrote on

    Very quick response to protect its users. Great work Mozilla Team! Cheers!

  3. skeptic wrote on

    Why are you blocking the jre 6u38? I thought only 7 was vulnerable to these problems.

    1. mcoates wrote on

      We are being extra cautious to ensure all users are protected in the event the scope of the vulnerability is larger than the initial reports have indicated. We are erring on the side of caution.

      1. james wrote on

        Well, great, Firefox! Someone forgot to tell my Firefox browser to put the red block in my address bar, so how do I view Java when there's nothing to click to activate?
        Can't play the games I pay to play; I'll have to use IE now.

  4. Carol Wilson wrote on

    You have totally ruined me for pogo! I cannot play any of the games because they all use Java. I have installed, uninstalled, downloaded offline, every trick imaginable, and still Firefox won’t let it open. Won’t let the thing be enabled. I don’t get a screen to allow it. I’ve spent 6 hours today on this! Totally disgusted with all of you: Firefox, Java, and Pogo! Wouldn’t even work on IE–still defaulted to Firefox. Grrrrrrrrrrrrrrr!

    1. Shawn wrote on

      I play on Pogo as well Carol. When you open the link to play the game, up in the top left hand corner you will see a red block appear. Click on the red block, click on the arrow next to ‘Activate all plugins’ and it will give you the option to run Java on that site and that site only. Mozilla has done something very smart for their users here. If you were to go to a website you do not trust and Java were to run on its own as we are used to, your computer could be compromised in the process including very personal information.

      1. Hank wrote on

        Well, I would like to know if it is safe to visit allowing Java 7 update 11. There seem to be a lot of hackers at the game tables for card dealing or dice roll generator.

    2. Nate wrote on

      You are an idiot

      1. Dj wrote on

        You are the idiot! What she posted is true, as many, including myself, have encountered the same problem and roadblock. You must feel really low to insult someone like you did; however, it doesn’t make you appear any wiser but rather a jerk!

  5. John Medearis wrote on

    A vendor secure website I have to use for work starts up a web app using the JVM upon clicking the appropriate link. It does not display a page where I can “Click to Play”, it just verifies if the JVM is running. With the plugin blocked, I have no way of putting this site in as an exception.

    Why can’t you provide me that ability as well? This is preventing us from entering overrides necessary for medical benefits coverage. And because the vendor site uses a certificate that is browser based, I am unable to temporarily use another option.

    Thank you for the general public protection but please provide, as soon as possible, a way to unblock by site prior to visiting a site.

    1. mcoates wrote on


      In the event you do not see the Click to Play box you are still able to click the blue plugin icon in the URL bar. Within the displayed drop down you can then select the option of “always activate plugins” for the site if desired.

      See this post for additional information:

      Here is the direct link to the image:

      1. Michael wrote on

        I need to run an application from a site in order to run a critical recovery program for a specialized system. It requires Java to run. The site offers neither the Click to Play box nor the blue icon in the URL. What am I supposed to do?

      2. Dj wrote on

        This is not the case with all sites, Mr Coates. It does not give you the option, nor does clicking the blue icon activate any drop down menu.

      3. stine wrote on

        Your fix works for Juniper Network Connect in Firefox on Linux.

        Thank you very much.

  6. Jesse Ruderman wrote on

    And if *that* doesn’t work, perhaps because the site detects Java using navigator.plugins, you can use about:permissions to explicitly allow plugins on the site.

  7. Martin wrote on

    I got the “click to play once”, but after the Java update to 7u10 the plugin will not be installed into Firefox 18 at all... Java reports successful installation, but the JRE plugin is gone for good from the add-ons page.
    What can I do? I’d like to see it, activate it on demand and play one certain game I pay for.

    I also use the extension Quickjava.

    1. Daniel Veditz wrote on

      Starting with Java 7 update 10, Java itself has a preference that determines whether it’s used in browsers or not. Perhaps that got turned off? If it did, then Java will be invisible to Firefox (and all other browsers) and Click to Play doesn’t come into the picture.

  8. Michael wrote on

    I need to run an application from a site in order to run a critical recovery program for a specialized system. It requires Java to run. The site offers neither the Click to Play box nor the blue icon in the URL. What am I supposed to do?

    1. Billy Zane wrote on

      Use “Page Info” from the context menu on the page where you have that problem and enable Plugins from the “Permissions” tab.

  9. Amy wrote on

    I have an outdated Java and didn’t know it. (But I always install recommended updates, …yet this seems QUITE old! SE6 U37 it says!) Should I even bother updating?

    Is there an article that can explain a “What to do” for dummies? I don’t fully understand what they are saying is and isn’t dangerous. If I trust the site, but it isn’t critical in my life to use it right now, can I activate the Java? I mean, is it really trust in the site/page that matters? Or trust in their security to keep themselves from being hacked and thus allowing me to be hacked? I may trust my bank to not be “pulling one over on me” but that doesn’t mean I trust them to prevent a hacker from using their site to get to me. Is that what we’re talking about here? I’m not knowledgeable enough to understand. Also, what about virus protection programs? Are they generally blocking this? Or is this different?

    A stranger question – a site I want to use that needs a plugin currently blocked by this – the site claims Google Chrome does not require an add-on at all. Is this because Chrome inherently has the same dangerous thing, but it’s just automatically included? Or would it be safer? I love Google, but not Chrome. I prefer my Firefox!

    1. Joe wrote on

      Hi Amy!

      All is well! Never trust your bank, though!

  10. Yo Ma Ma wrote on

  11. rashydos wrote on

    I have the same problem! Firefox 18 requests installation of Java all the time.

    I have Win7 64-bit.

    I have uninstalled all Java, then installed the newest, but the problem is not solved!

    It should be a bug in Firefox 18.

  12. Jay Dee wrote on

    The first time I saw this alert, it was an alert from Homeland Security advising users to disable or delete Java. When I came to this part of the web, Ken Arnold, James Gosling and David Holmes had just found the Java Programming Language. James is known as the Father of the Java language; he was at Sun Microsystems too, 1984 to 2010, and the deceased Steve Jobs also.
    I trust these people at Oracle to know what they are doing. I have upgraded to the new Java and will continue to use it. I trust them and not Homeland Security. I do not trust Homeland Security and FEMA with anything, and for sure not my homeland America.

    Long Live Oracle and Java

    Jay Dee

    1. Daniel Veditz wrote on

      The brilliance of its creators does not guarantee a product is without security flaws — even Firefox is regularly updated to address potential security problems. In this instance DHS is not wrong: this particular Java flaw is actively being used as part of an exploit package that is widely deployed by criminals on legitimate-but-hacked websites that millions of people regularly visit.

      Oracle has now released an update to fix this flaw, and the DHS warning/advice does not apply to this new version.

  13. Joel wrote on

    Unable to print US Postage for my ebay shipping…”plug in” icon appears…I click on it…postage label screen appears, but printer doesn’t print.
    I go to my AOL email, open the ebay shipping label printed email…click on “reprint label”…printer works fine.
    So, any suggestions to avoid the email click to reprint method workaround??

    1. Chris wrote on

      I was having the same issue. When the label appears there is a red icon on the left side of the address bar; click it and activate the Flash plug-in.

      1. Junior wrote on

        Thank you !!!
        I was having the same problem

  14. Erich wrote on

    Would you please explain better what you mean with:
    “To protect Firefox users we have enabled Click To Play for recent versions
    of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38).”

    It seems one of the following regarding Click To Play is the case:
    – It was previously enabled for newer versions of Java. If so, why are we even discussing it in this manner? And where is the documentation on what CTP is enabled for and how to make granular (plugin/version/site) changes?
    – It has been enabled on new/current downloads. If so, do we need to re-download/install? Is there a (minor) version change?
    – Mozilla has somehow remotely enabled it for recent Java versions? If so, where is the discussion of the implications of this ability to unilaterally make changes on our machines?

    Now, I hate Java, but unfortunately it is necessary for some workplace functions. I also love Firefox, but unfortunately, I don’t have a means to make enterprise-wide changes to settings/add-ons/etc. for it like I can for IE. The combination of these two “problems” has me a little freaked out.

    1. Daniel Veditz wrote on

      Firefox, like other browsers, has the ability to block malicious or broken plugins. The list of things we’ve blocked can be found at our web-site; click each item to find why we’ve blocked that particular item.

  15. jennysweeth wrote on

    I would love to know, grrr. I haven’t updated, still here on Java 9; ok, so I get it’s outdated, but does that make it vulnerable too? Am I at risk here? I know Java 10 needs to be disabled. I’ve spent agonizing hrs reading and can only find it needed patches up before 9; was hoping I would be fine to stay, but at the risk of it being outdated, can anyone help please? I’m not willing to take any extra risks here!!!

    1. Joel Rees wrote on

      Java 9?

      I don’t think there is such a thing yet.

      Or are you running some beyond-bleeding-edge software from the future?

      I’m going to guess you mean update 9, perhaps of Java 6 or 7. Check Oracle’s site for specifics on versions, for instance, on this page:

      where they talk about a temporary fix similar to Mozilla’s temporary fix, but don’t mention that it’s just a temporary fix.

  16. akane wrote on

    Does this vulnerability affect the IcedTea plugin?
    Also, NoScript FTW!

    1. FlashingYoshi wrote on

      No. No you don’t.

  17. Wholesale Merchandise wrote on

    I am not showing Java installed as a plugin with Firefox even though it is, I am also not showing the blue box and I could not find anything to enable plugins in the context menu for the specific page.

    A response would be appreciated.

    Thank you for your time.

  18. Fred wrote on

    I am also finding that “click to play” does not work for all sites, even when I click on the option. Pogo is one example. Although, I would rather live without the games than have malware. Does anyone know if antiviral/spyware software is picking up the threat?

  19. Simon wrote on

    While I get the security need, when a change is made like this, and people like me – with limited or no JAVA technical knowledge – suddenly can no longer operate their business because key commercial services like PAYPAL stop working, and the way PAYPAL (which is truly terrible with popups) links to external services, the payment processors, this change does not work.

    At the very least, I should be able to accept the “risk” for a site and get on with life.


    1. Wilcox1976 wrote on

      Amen, buddy, I’m with you. I run an eBay business and can’t print any labels with my Brother roll label printer because of Java/Firefox issues. IE is working and I have got the labels out from there. Can also print the old Click n’ Ship labels as long as you did not create the label in another format.

    2. Richie wrote on

      I am in the same boat. I can no longer print labels from Firefox because of Mozilla’s need to disable it. Even after I accept the risk, nothing works.

      I understand that 99% of the people on the internet are morons and do not know which sites are safe, but we 1% want an option to turn Java back on so I can print a damn shipping label.

      FIX THIS.

  20. Ildjarn wrote on

    I have installed JRE 7.11 which was released today. Still no Java turning up in the installed plugins...

    1. Steve wrote on

      ditto. JRE 7.11 which was released today. Still no Java turning up in the installed plugins.

      IE working okay though.
