Wednesday, April 21, 2010

Mozilla Disables Insecure Java Plugin

Mozilla Disables Insecure Java Plugin: "

Hats off to Brian Krebs for reporting that Mozilla has disabled vulnerable versions of a Java plugin for Firefox through their blocklist service.



Oracle had issued a Java update to fix the bug last week, but Mozilla developers were concerned that the update does not necessarily remove old, vulnerable versions. Leaving old, vulnerable code on a system is a long-standing issue with Java, albeit one which they have begun to address.


The information came from discussions on Bugzilla, where Mozilla developers and administrators decided to issue the flag. Mozilla hasn't made any announcement on the matter. Note that the vulnerable plugin is the 'Java Deployment Toolkit' versions prior to 6.0.200.2. Look carefully, as there are quite a few add-in programs in Firefox with the 'Java' name in them.



Changes to the blocklist are issued through Firefox's update mechanism. Some details of how this is done are discussed on the Bugzilla page. A few users complained about the change, offended that Mozilla would shut off software on their system without asking. This complaint seems irrational; only users who are subscribed to Mozilla's automatic updating mechanism receive the change, and they receive substantial software changes from Mozilla all the time. Minor version updates are applied automatically with no user confirmation. Furthermore, such users are free, and well-advised, to apply the Oracle update to Java and they should notice no change in functionality.



I read the Bugzilla thread as indicating that there is still some confusion over who is vulnerable and that the proof-of-concept attack provided by the researcher who reported the bug was not necessarily running on all vulnerable systems. But even so you're clearly better off with the new version on and old versions off.



Not enough attention is being paid to the fact that Oracle (and, before that, Sun) installs several add-ins of various types to Firefox and Internet Explorer when you install the JRE (Java Runtime Environment). If they inform the user that they are doing this during the installation, it's a subtle notification. When it came to light that Microsoft had installed a Firefox plugin for .NET and that plugin had a vulnerability, Microsoft was widely criticized for installing it without asking permission. But such installations are common, as shown by Oracle's actions.

"
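As an added illustration of the check the blocklist performs (this is example code written for this post, not Mozilla's implementation or the quoted article's), the block below evaluates an installed plugin against a blocklist entry: match on the plugin name, then test whether its version falls in the blocked range, which for this bug is everything prior to 6.0.200.2. The sample entry is constructed in the shape of Mozilla's blocklist.xml pluginItem format (an assumption; the real entry may differ in detail), and version comparison pads shorter versions with zeros so "6.0.200" and "6.0.200.0" compare equal.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on Mozilla's blocklist.xml pluginItem shape
# (assumption: the real entry's attributes may differ). maxVersion is
# treated as inclusive, so 6.0.200.1 blocks everything before 6.0.200.2.
SAMPLE_BLOCKLIST = """
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <pluginItems>
    <pluginItem>
      <match name="name" exp="^Java Deployment Toolkit"/>
      <versionRange minVersion="0" maxVersion="6.0.200.1" severity="1"/>
    </pluginItem>
  </pluginItems>
</blocklist>
"""
NS = "{http://www.mozilla.org/2006/addons-blocklist}"


def parse_version(v):
    """Split a dotted version into ints; a non-numeric component counts as 0."""
    return [int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in v.split(".")]


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter versions are padded with zeros before comparing."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + [0] * (n - len(pa)), pb + [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def load_blocklist(xml_text):
    """Return [(matchers, ranges)] for every pluginItem in the document."""
    items = []
    for item in ET.fromstring(xml_text).iter(NS + "pluginItem"):
        matchers = [(m.get("name"), re.compile(m.get("exp"))) for m in item.findall(NS + "match")]
        ranges = [(r.get("minVersion"), r.get("maxVersion")) for r in item.findall(NS + "versionRange")]
        items.append((matchers, ranges))
    return items


def is_blocked(plugin, items):
    """plugin is a dict with 'name' and 'version'. Blocked if every matcher hits
    and the version lies inside any range (an item with no range blocks all versions)."""
    for matchers, ranges in items:
        if not all(rx.search(plugin.get(field, "")) for field, rx in matchers):
            continue
        if not ranges:
            return True
        for lo, hi in ranges:
            if (lo is None or compare_versions(plugin["version"], lo) >= 0) and \
               (hi is None or compare_versions(plugin["version"], hi) <= 0):
                return True
    return False
```

Note that a plugin whose name merely contains "Java" (for example the main Java applet plugin) is not matched, which is the point of the article's advice to look carefully at which add-in is being flagged.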
