
Apple and Mozilla Block Vulnerable Java Plug-ins

Posted by Soulskill
from the no-dogs-allowed dept.
hypnosec writes "Following news that a Java 0-day has been rolled into exploit kits, without any patch to fix the vulnerability, Mozilla and Apple have blocked the latest versions of Java on Firefox and Mac OS X respectively. Mozilla has taken steps to protect its user base from the yet-unpatched vulnerability. Mozilla has added to its Firefox add-on block-list: Java 7 Update 10, Java 7 Update 9, Java 6 Update 38 and Java 6 Update 37. Similar steps have also been taken by Apple; it has updated its anti-malware system to only allow version 1.7.10.19 or higher, thereby automatically blocking the vulnerable version, 1.7.10.18." Here are some ways to disable Java, if you're not sure how.

  • and to unblock? (Score:3, Interesting)

    by X0563511 (793323) on Friday January 11, 2013 @05:03PM (#42561861) Homepage Journal

    ... and if I need to unblock it, because I need to support shit that runs in these versions?

  • by Art Challenor (2621733) on Friday January 11, 2013 @05:16PM (#42561973)
    Sun was either more dedicated or just better at maintaining Java. There were problems, of course, under Sun, but the anti-Java sentiment based on vulnerabilities seems to be mostly post-Oracle (and somewhat justified).
  • Hypocritical (Score:5, Interesting)

    by phizi0n (1237812) on Friday January 11, 2013 @05:18PM (#42561993)

    While Java applets are very rare and not of much use to me personally (I mostly see it used for irc clients and bad web games), it seems a bit of an overstep to disable it completely for everyone due to a 0-day vulnerability. How is anyone supposed to ever use it if web browsers start disabling it for every 0-day vulnerability that pops up. It's not like Firefox and Safari don't also have 0-day vulnerabilities but you don't see them completely shutting themselves down nor do they roll out fixes the same day, so it seems a bit hypocritical. IMO there should be a small grace period of 1-2 weeks where the browser warns people of the known unpatched vulnerability but allows users to choose to load it anyways if they trust the site (yes, most people will just say yes to get past it) to at least give the plugin authors a chance to fix it before it gets completely disabled.

  • by guanxi (216397) on Friday January 11, 2013 @05:28PM (#42562105)

    There are many zero-day exploits out there for many applications (and operating systems, etc.). Why does this one deserve special treatment?

    It's the second time that I remember Mozilla doing it with Java.

  • Re:Hypocritical (Score:5, Interesting)

    by VGPowerlord (621254) on Friday January 11, 2013 @05:31PM (#42562135)

    I really wish I could disable it at work, but we both have an (externally developed) Java applet in our main product and use WebEx to audio-conference and screen-share with the contractors who produce said Java applet.

    At home, I occasionally do Java development, but I just install the 64-bit JDK, which doesn't include the plugin for 32-bit web browsers like Chrome and Firefox. Problem solved there!

  • by OMG (669971) on Friday January 11, 2013 @07:07PM (#42563053)

    Why is no one recommending to raise the security level for Java applets from "medium" to "high" or "very high"?

    Since Update 10 there is this new control that could be employed exactly right now:
    http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html [oracle.com]
