Mozilla Adds Vulnerable Java Plug-in Versions to Firefox Blocklist
Mozilla has blacklisted unpatched versions of the Java plug-in from Firefox on Windows in order to protect its users from attacks that exploit known vulnerabilities in those versions.
Mozilla can add extensions or plug-ins to the Firefox add-on blocklist if they cause significant security or performance issues. Firefox installations automatically query the blocklist and notify users before disabling the targeted add-ons.
"The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user's computer," said Mozilla's channel manager Kev Needham in a blog post Monday.
"This vulnerability -- present in the older versions of the JDK and JRE -- is actively being exploited, and is a potential risk to users," Needham said. "To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist."
Needham did not specify the vulnerability being actively exploited, but security companies have warned during the past couple of weeks that exploits for the CVE-2010-0507 Java vulnerability were being used in widespread attacks and have been incorporated into the popular Blackhole exploit toolkit.
Unlike Google's Chrome browser, which has a feature specifically aimed at disabling outdated plug-ins, Firefox relies on Mozilla developers deciding which plug-ins pose a risk to users. However, users retain the choice of preventing those plug-ins from being disabled.
The Firefox blocklist has rarely been used to disable plug-ins from big software vendors like Oracle, but precedents do exist. In October 2009, Mozilla decided to add Microsoft's Windows Presentation Foundation (WPF) plug-in to the Firefox blocklist after Microsoft revealed that it had a vulnerability.
"Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms," Needham said. The latest versions of Java for Windows are Java 6 Update 31 and Java 7 Update 3.
Mozilla is also considering adding a blocklist entry for the Java plug-in on OS X. However, blocking Java on OS X might be trickier than on Windows, because Apple is usually months behind Oracle in delivering Java patches.
On Monday, security researchers from F-Secure announced that new Web-based attacks are exploiting a vulnerability in the latest Java version for Mac OS in order to install malware. Preventing those attacks from affecting Firefox users would mean blacklisting the latest version of the Java plug-in for Mac, which would leave them without the ability to use Java applications in Firefox.