back to article Exploits no more! Firefox 26 blocks all Java plugins by default

The latest release of the Firefox web browser, version 26, now blocks Java software on all websites by default unless the user specifically authorizes the Java plugin to run. The change has been a long time coming. The Mozilla Foundation had originally planned to make click-to-run the default for all versions of the Java …


This topic is closed for new posts.
  1. Will Godfrey Silver badge

    Sounds a good plan to me, but I can already imagine the wingeing...

    "I don't care about all that stuff. I want my lol-cats NOW."

    1. ammabamma

      Party like its 2003...

      > Sounds a good plan to me, but I can already imagine the wingeing...

      "I don't care about all that stuff. I want my lol-cats NOW."

      And here is where it will fall down. This may slow down the non-interactive, drive-by exploits, but if Joe Pillock User wants lol-cats, then he (or she) will move heaven and hell to click through, accept, and ignore whatever they deem is standing between them and their funny kitties.

      From the article:

      > Generally speaking, Mozilla plans to activate click-to-run for all plugins by default, although the Adobe Flash Player plugin has been given a pass so far, owing to the prevalence of Flash content on the web.

      Anyone else get a chill and a flashback to the "Click to enable embedded content" hackery from the Eolas patent troll ruling back in 2003?

      1. Anonymous Coward
        Anonymous Coward

        Re: Party like its 2003...

        Maybe I'm different - the very fact I come here, for starters - and have been running FF, with NoScript, AdblockPlus, Ghostery, Cookie Monster, and FlashBlock for many years. It's so long since I've had Java installed it seems like a distant bad dream. Doesn't stop me looking at Lolcats though.

        1. Shades

          Re: Party like its 2003...

          Mary Jane Bogart wrote:

          "been running FF, with NoScript, AdblockPlus, Ghostery, Cookie Monster, and FlashBlock for many years
          Why do you have NoScript and FlashBlock? NoScript blocks Javascript, Java and Flash. In fact, according to the FlashBlock addon page, FlashBlock does not work with NoScript installed. Also, AdBlockPlus is largely redundant as the combination of NoScript and Ghostery blocks 99.9% of adverts anyway. Well, this seems to be the way it works for me as I have NoScript and Ghostery, but not AdBlockPlus, and haven't seen an advert for years.

          You do seem to be missing one addon though: BetterPrivacy. Even though you have Cookie Monster installed BetterPrivacy prevents (NoScript allowed) Flash from leaving LSOs (so-called "super cookies") on your computer which can be used to track you just like a normal Cookie, only they're more persistent as most (all?) browsers don't have the built-in capacity to delete them and they can be used to re-populate normal cookies. While Ghostery does have the capacity to delete LSOs on exit, it doesn't give you the possibility of keeping some LSO's, and deleting all the rest, like BetterPrivacy does. For example you may actually want to keep YouTubes Flash LSOs, with BetterPrivacy you can choose to do so however Ghostery simply nukes all LSOs.

      2. Anonymous Coward
        Anonymous Coward

        Re: Party like its 2003...

        Given that Flash has more vulnerabilities than Java shouldn't it be even more important to block it exactly because it's so widely used?

        But there isn't much point in blocking all these plugins if they aren't going to fix their own problems since the browsers are far less secure than any of the plugins

        1. Tom Chiverton 1

          Re: Party like its 2003...

          Flash has less vulnerabilities than FireFox itself on your chart :-)

    2. Old Handle

      I can't, off hand, think of a single Java powered lol-cat distribution channel.

      Java is getter pretty obscure as web plug-in nowadays. I still see it occasionally powering the odd "enhanced file unloader" and Real VNC optionally serves its own Java based viewer as a web app, but I really can't recall the last time I saw it being used for run of the mill graphic fluff.

      Sadly, the same can't be said about Flash.

  2. Zacherynuk

    There are so many plugins to restrict content already, that so many people use, I can only assume that shit 'enhancements' like these come only after advertiser concessions.

    What about TLS1.2? Or did that creep in when I wasn't looking ?

    Having said that, the HTML5 shit-wave is yet to hit - I imagine the sponsors of Mozilla haven't yet updated their system to fully track that shit yet.

    Something is fishy is Firefox world.

    If only they would move the Favorite and Refresh buttons to the used LEFT side of the screen we might do something useful.

    1. Darryl

      Actually, you can move the buttons around. Just go into 'customize toolbar' and you can drag buttons and stuff around wherever

      1. sam bo

        Thanks for that, I had completely forgotten about it. I hated it hen they moved the "home" icon to the right side and left the other navigation buttons on the left.

        Now, they are grouped together on the left again.

      2. Zacherynuk

        nice one cheers

  3. Adam 1 Silver badge

    UI Design Principle Fail

    There needs to be a great big "Don't Allow" button on that popup (selected as default).

    1. Tom Chiverton 1

      Re: UI Design Principle Fail

      Don't touch it, and it goes away, and the content doesn't run.

  4. Vociferous

    About time.

    How hard can it be to make java secure? I don't know, but clearly it's too hard for Oracle.

    1. asdf Silver badge

      Re: About time.

      Yeah especially since security was supposed to be a big part of the original design of the language (at least the vm and bytecode part of the original Java implementation) and one of the big things SUN was touting originally for why its new fangled internet technology was going to take over the world.

      1. asdf Silver badge

        Re: About time.

        >big part of the original design of the language

        meant to say big part of the original design of the Java software platform just for the anal types.


        Re: About time.

        I wonder about all these exploits. Are they really exploits on Windows, and then Sun/Oracle has to go in and fix the VM to protect the underlying OS? That is, are these exploits also in the Unix, Linux and MacOS VM's?

        1. asdf Silver badge

          Re: About time.

          Most of the critical CVE allow not only breaking out of java's sandbox but also having a shell with rights of the user who invoked java. To get root on the underlying OS unless someone is stupid enough to run java as root you have to use another OS exploit from there. It may be technically possible to run something in kernel space on some platforms by exploiting a graphical bug as some OSs do put part of the video driver in kernel space for performance reasons which would mean the Java exploit could technically root the OS itself but haven't heard about any defects like this personally. They also would obviously not be cross platform.

  5. phil dude

    multi process/threading...?

    This is nice, java is a hog. But what about multiprocess/threading per tab? As we all know chrome has.

    At the very least nasty bits of java can be killed with its tab. Just like flash....

    I know nothing else, just today I got bitten by the "can't cancel background download without closing whole sodding browser" problem....


  6. Anonymous Coward
    Anonymous Coward

    Unfair, Flash should be treat worse, it's more dangerous!

    I only accept this for Java because the update process could be better, and many morons are too damned lazy to keep the plugin up-to-date, which is /why/ they got pawned!

    Flash should be driven off the internet, it is as secure as Active-X was(n't), and can be far even worse to update than Java because Adobe's FUpdate page regularly malfunction now, and they make it /very/ hard to find a plain exe to workaround their FUpdate page!

    "UI Design Principle Fail" can get crammed where the Sun does not shine because they clueless; I use Java stuff every day from various sites, and my CCTV cameras, and never got anything because I keep my machines up-to-date and secure.

    Mozilla would do better in Thunderbird, and Firefox to proactively smite the social engineering emails with zips attached, probably containing pdfs with that crypto extortion nastiness embedded, because that is a far far worse problem. It is so boring have to manually spot and delete this tricky poison in my IMAP Junk folder.

    1. asdf Silver badge

      Re: Unfair, Flash should be treat worse, it's more dangerous!

      >Unfair, Flash should be treat worse, it's more dangerous!

      Neither are anything but malware vector portals but lately there have been more critical CVEs for Java. Probably due to Oracle still adding features instead of fixing its fundamental flaws. Adobe has largely quit adding features to flash lately.

      1. Stephen Booth

        Re: Unfair, Flash should be treat worse, it's more dangerous!

        The difference is that though JAVA does have a security model it is also a fully features programming language with existing class libraries to do almost anything so when you break out of the sandbox you have all the tools available to do anything you want. In addition there is a much larger functional space to look for holes in. On the other hand if the platform has no security model but only generates graphical output you probably need to find a way of inserting new executable code insert to do anything. Add in the poor update handling and java starts to look like an attractive target despite its security model.

        The real interesting thing to watch is going to be javascript. Because it is only targeting presentation and network facing operations it can be reasonably sandboxed away from the underlying hardware. However this does not help you at all if all your data has moved into the cloud and there is nothing of value left on the local machine. I suspect over time the black hats will cease to care about trying to take-over the browser except as one possible route to owning online accounts.

        1. asdf Silver badge

          Re: Unfair, Flash should be treat worse, it's more dangerous!

          You do know flash does a lot more than internet cat videos right? Granted its does not quite have the attack surface of Java but I think you are greatly underestimating its attack surface. Both are for hacks who can't handle their own memory management. Hello world programs should be multi megs in this brave new world.

        2. Not That Andrew

          Re: Unfair, Flash should be treat worse, it's more dangerous!

          Flash has included a complete javascript implementation for a loong time (since version 5, according to Wackpedia)

  7. Anonymous Coward
    Anonymous Coward

    Good material in here for a behavioral study

    I think it's time to break out the behavioral science:

    - change the pop up to default to denying the plugin

    - tell people how many other users have denied the plugin ("233,221,837 users chose 'deny' "). No need to say how many people chose 'allow', of course...

    - give people a way to express their desire to have plug-in free operation on the target site. This is a bit unpleasant but sadly it works, as the response rates to the kinds of "call your senator to tell them to lay off medicare" ads shows. But it would certainly focus the minds of the operators still using flash and java.

    I feel a grant application coming on.

    1. Robert Helpmann?? Silver badge

      Re: Good material in here for a behavioral study

      Go a step further: create a plug-in that checks for the presence of scripts on a site through a third party which verifies that they do what the site owner claims they are there for. If something unexpected shows up, you get a strongly worded warning in much the same way as an invalid certificate might generate. Of course, these are attacked on a regular basis and many site owners can't be bothered to keep theirs up-to-date, but these sites should probably be avoided anyway... There's probably money to be made in third party script validation, so there is some incentive for someone to implement something like this.

  8. Ol'Peculier

    Unfortunately, one of our PC's here has to run Java to print delivery labels. Adding the "remember" feature is a hell of a plus though, at the moment people have to click "Yes" for each single sticker.

    1. Destroy All Monsters Silver badge

      Yeah, so why does it also all of the following too:

      1) have unrestricted accesses the Internet

      2) run applets via the Java plugin

      3) is not being change-managed and/or rolled back every evening to a defined state

      4) has no further security measures

      5) is running windows

      Failure does not come from sticker printing.

  9. Sir Sham Cad

    Great reason to upgrade

    My version of FF started blocking my old version of Flash a while back requiring me to explicitly allow just like this. I thought it was a great way to browse. I use a lot of Java apps at work and "always allow from this site" would not be a hinderance in any way. Nice one Moz.

  10. Phil O'Sophical Silver badge

    nanny mozilla strikes again

    This will be so fscking annoying. We use Java apps internally on our corporate network, and Firefox is the mandated browser. This "mozilla knows best" nannying of "we've disabled this plugin for your own good" gets my goat. Every time I'm 30 seconds late installing the latest patch/upgrade everything stops working until I bring my system up to whatever level Mozilla thinks it should be at.

    Listen guys IT'S MY FUCKING COMPUTER AND I WILL DECIDE WHAT RUNS ON IT. Now take your plugin blocker crap and BUTT OUT. If I didn't want the plugin I wouldn't have installed it in the first place.

    How long until they start hitting AdBlock, etc., since "our suppliers need you to watch the nice ads to pay for their services".

    1. Anonymous Coward
      Anonymous Coward

      Re: nanny mozilla strikes again


      I'm confused why you're getting angry... surely the whole purpose of this nice little feature in Firefox is to let you do just that? It gives a handy little pop so you can decide what apps you want to allow to run, instead of just allowing all Java apps to run regardless.

      1. Phil O'Sophical Silver badge

        Re: nanny mozilla strikes again

        Read the comments in the thread at:

        Already, FF simply refuses to run any Java app unless the very latest version of the plugin is installed, and I often don't have the time to drop everything and upgrade Java (which also requires a browser restart, losing all open work).

        Now it's going to question me about every Java app I try, with no way to say "Just always run Java, stop asking"?

        If I didn't want to run Java , I would uninstall the fucking plugin, I am angry because my computer is a tool, not my Mummy. I tell IT what I want to do, not the other way around.

        1. chris lively

          Re: nanny mozilla strikes again

          You failed at reading comprehension in school didn't you?

          You can whitelist your corporate network in about 0.5 seconds and not have to worry about it.

        2. Destroy All Monsters Silver badge
          Thumb Down

          Re: nanny mozilla strikes again

          > and I often don't have the time to drop everything and upgrade Java

          You better get your lazy arse in gear and employ half an hour to do something productive, then.

  11. Conrad Rockenhaus

    The Java update procedure for the average end user (think the average home user that doesn't know the difference between a process and a processor) is so user unfriendly that they usually wind up skipping the the Java update, creating most of the vulnerable systems with Java installed on them in the first place.

    Oracle needs to fix Java update.

  12. Ian 55

    Let's hope it's a bit more stable than 25.0 was

    Until the .01 update, that crashed on me more times than any version since they changed the name.

  13. PeterM42

    Ah Java from Oracle

    As an IT Consultant, I used to hate it if any of my customers needed an Oracle-based application, 'cos I came to the conclusion that if it was Oracle-based, it was a pain in the proverbials.

    Java comes from the same stable - 'nuff said!

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019