Mozilla has begun blocking an unsecured Java plugin for its Firefox browser. The move, applied through the open source outfit's Plugin Check feature, is intended to protect Firefox fans from a recently discovered security flaw affecting the Java Deployment Toolkit on multiple flavours of Firefox. Discussions on Bugzilla show …
Not only Firefox . . .
It isn't only on Firefox ... I was getting this on SeaMonkey last week.
This popped for me, and I was delighted, as the "deployment toolkit" wasn't something that I wanted anyway, was just one of the many bits of cruft that the bloody Java installer slathers all over my computer, and I'd long since given up micromanaging it.
Probably my bad, I should really just uninstall bloody Java and eschew anything that requires it, but like a lot of people I'm lazy. I do keep stuff patched up (thanks to PSI), but Java is such a mess, with confusing version numbers, a zillion spammy components, and an update checker that seems to dry hump your connection randomly most of the time. Hate it.
Thanks, that was cathartic. Think I might remove it, after all. Yay Firefox, too.
Any chance of a note telling us how to tell FireFox to go away and mind its own business?
Some of us are using Java for a good reason, (unlike Flash which it can block as much as it likes.)
From the tests I have done at work, disabling the erroneous plugin doesn't actually stop the Java Runtime from running. I really don't understand the need for all the Java-related plugins being installed in Firefox though. Maybe Sun can enlighten us as to why they need to secretly install so many 'junkware' add-ons in the browser.
Java updates are a pain in the arse
FF blocked the thing yesterday and I discovered there were almost 10 versions of "Java Console" skulking about in extensions list.
I note that there are 3 versions of Java 6 update in my installed programs list on this machine. Are they all needed? When it updates it wants to install an unwanted browser toolbar add-on. The whole thing is sort of a fucking disgrace that only Open Source Twonks could possibly have devised.
Apparently this is not the main Java plugin, nor the current version (update 20) - probably.
I'm not sure if I have got this straight, but this is not the plugin that runs Java applets in the browser, but a legitimate but buggy plugin that allows Java applications to be downloaded and executed with full desktop user privileges. It is being abused to download stuff that shouldn't be downloaded, malicious software.
Java 6 Update 20 for Windows, very recently released for free download, contains an updated and non-vulnerable version of the particular affected program file, but it is reported to not always successfully replace every old copy of the file. One suggestion is that uninstalling Java and then installing the latest version may be more likely to be successful.
Otherwise: "The installer for Java 1.6.0_20 may not correctly update all instances of the Java Deployment Toolkit plugin. In some cases, the plugin that resides in the \bin\new_plugin directory may not be updated to the fixed 22.214.171.124 version of npdeployJava1.dll. If the new_plugin directory contains npdeploytk.dll version 126.96.36.199 or earlier, then browsers that use plug-ins, such as Mozilla Firefox or Google Chrome, may still be vulnerable. To correct this situation, delete the vulnerable npdeploytk.dll from the new_plugin directory and replace it with the npdeployJava1.dll version from the bin directory."
...whatever that means.
And meanwhile, Firefox will (by default) simply refuse to run the older version of the program, i.e. "188.8.131.52" or less.
"Delete and replace the file"
By the way, I got a reply from David Warren at CERT who wrote the document I got the after-the-update instructions from. He says that "delete the old file and replace it with the new one" isn't intended to include "copy the new file and rename it with the old file name." You "just" put the new file into the new-plugins and take the old file out.
Easier, typically, if the number of PCs you're managing doesn't have any commas in it, than if it does. (Well... even at 500 users, you're probably at least considering a systematic, automated approach.) If this is widely glitched then I suppose we can expect update 21 to clean it up right, we hope.
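The check-and-replace step quoted from CERT above is easy to get wrong by hand across many machines, so here is an added PowerShell example (not from the article, the commenters, or CERT) that walks every JRE under Program Files, lists each copy of the Deployment Toolkit DLL with its file version, and, only when run with -Fix, applies exactly the fix the advisory describes: remove npdeploytk.dll from bin\new_plugin and copy bin\npdeployJava1.dll in beside it, without renaming. The install roots are assumptions; adjust them if Java lives elsewhere.

```powershell
# Added example: audit and fix the Java Deployment Toolkit plugin copies.
# Assumptions: JREs live under Program Files\Java or Program Files (x86)\Java.
# Without -Fix the script only reports; with -Fix it performs the CERT steps.
param([switch]$Fix)

$roots = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java") |
    Where-Object { Test-Path $_ }

foreach ($jre in Get-ChildItem -Path $roots -Directory) {
    $bin       = Join-Path $jre.FullName 'bin'
    $newPlugin = Join-Path $bin 'new_plugin'
    $oldDll    = Join-Path $newPlugin 'npdeploytk.dll'   # vulnerable copy the installer may leave behind
    $fixedDll  = Join-Path $bin 'npdeployJava1.dll'      # updated copy shipped by the 1.6.0_20 installer

    if (-not (Test-Path $bin)) { continue }

    # Report every Deployment Toolkit DLL and its embedded file version.
    Get-ChildItem -Path $bin -Recurse -Filter 'npdeploy*.dll' | ForEach-Object {
        '{0,-70} {1}' -f $_.FullName, $_.VersionInfo.FileVersion
    }

    if (Test-Path $oldDll) {
        Write-Warning "Old Deployment Toolkit plugin still present: $oldDll"
        if ($Fix) {
            if (-not (Test-Path $fixedDll)) {
                Write-Warning "No $fixedDll to copy in; install Java 6 Update 20 first."
                continue
            }
            # CERT's instruction as clarified above: take the old file out,
            # put the new file in, and do NOT rename the new file.
            Remove-Item -Path $oldDll -Force
            Copy-Item -Path $fixedDll -Destination $newPlugin
            Write-Output "Replaced $oldDll with a copy of $fixedDll"
        }
    }
}
```

Run it once without -Fix to see what each machine actually has (the version column is what Firefox's blocklist compares against), then with -Fix from an elevated prompt; close browsers first, since a loaded plugin DLL cannot be deleted.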
A bit tardy, surely
My FF gave me that message box early last Saturday morning, prompting me to update to 'u20' then. Think I managed to cut out most of the 'many bits of cruft' (thanks, AC 13:43 GMT - true!) this time, so back to being another lazy sod who'd chuck Java and half a dozen other things if he could be arsed.
Java, too, is made of badgers' paws.
Well, at work we're still using this, which to you is "Java 6 Update 10", but really version 1.6, just as "Java 5" was really version 1.5, dunno what they do for 2.0:
C:\Documents and Settings\robertc>java -version
java version "1.6.0_10"
Java(TM) SE Runtime Environment (build 1.6.0_10-b33)
Java HotSpot(TM) Client VM (build 11.0-b15, mixed mode, sharing)
You don't have to use the same Java edition to run programs and to go online - online is the risky part - and I don't own this PC, so I'm not worried.
For some time java updates have left historical versions of java around. (E.g. upgrading from 1.4 -> 1.5 etc, leaves the previous version hanging around on your drive). I think the idea is to support previous versions of java fully.
Java 2 is Java 1.2 or higher (Sun never did use easy-to-understand version numbering).
Java Webstart is the thing that's causing all the security related issues, not applets.
It's a shame because other than the recent insanely stupid security hole Java Webstart is a very nice cross platform way of deploying a java program to a client machine, securely and with a nice "Do you really want to do that Dave?" popup if you want local file access / network access etc.
An example of stuff that can be done in webstart can be found here:
This is not stuff you can do in an applet, and you don't have to worry about "Microsoft VM for Java" because it doesn't support web start (thank god).
It would be reasonably accurate to say "Microsoft VM for Java" is responsible for the bulk of Java-related security problems over the years, and for the majority of applet compatibility problems. You would be forgiven for thinking it was a successful attempt by Microsoft to sabotage Java in the browser. No, I'm not bitter, much.
You get Microsoft VM for Java if you don't install a JRE from Sun (at least up to and including Windows XP, I don't know about Vista/7). I'd rather <strike>pull my toenails off with pliers</strike> have the Sun version myself.
Oh yeh, it's Oracle Java these days, forget everything good I said about it, it will take your first born.