Print
Downright malicious browser plugins and add-ons are obviously a massive security risk, but make no mistake unpatched or outdated extensions are just as big a headache. For this reason, Mozilla has a blocklist service to deal with plugins that jeopardize the security, stability, or performance of Firefox. The latest addition to the Firefox blocklist happens to be the ubiquitous Java plugin. Hit the jump for more.
Back in February, Oracle rolled out a “critical patch update” for Java SE, patching as many as 14 remotely exploitable vulnerabilities. But considering the Java plugin’s notoriety for remaining outdated, the holes that Oracle plugged last month still pose a risk to many users. In fact, according to Mozilla, these vulnerabilities are being actively exploited in the wild.
“To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist,” announced Mozilla channel manager Kev Needham in a blog post Monday.
“Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms,” he further wrote. “Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.”
The latest versions of JRE for Windows and Linux can be obtained from the official Java website.
Comments are closed on this article
nevrUmind
April 06, 2012 at 9:54pm
Unfortunately they're also blocking NEWER, ie beta, versions of Java, which presumably are as up-to-date, security-wise, as JRE 7u3. So if you're running JRE 8, it will be blocked.
Stupid. It reminds me of web pages whose flash version-check is so crude that it throws up a "you're running an outdated version of Flash" even though you're actually running a cutting-edge beta build.
Shalbatana
April 05, 2012 at 8:53am
While I personally think this is good, it's wreaking havoc at my company. Some users clicked okay to this, and now they can't get full access to one of our key programs that (I suspect) hasn't been approved for the most recent Java yet.
