Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Mozilla blocks outdated Java plugin in Firefox for some Mac users

Disables outdated plug-in for Firefox on Leopard and earlier

Article comments

Mozilla this week began blocking outdated versions of a Java plug-in in Firefox for some Mac users after calling the threat posed by the Flashback malware "evident and imminent."

The move came two weeks after Mozilla disabled unpatched versions of Oracle's software on Firefox for Windows.

Although Mozilla said on 2 April that it might add the Java plug-in to Firefox for Mac's blocklist - a list it maintains of add-ons and plug-ins that the company disables because they're infected with malware or have been targeted by attackers - it didn't follow through until Monday.

In a post to the company's Add-Ons blog, Mozilla said the delay was due to the uptake of the patched plug-in Apple began distributing April 3.

As Mozilla noted, cleanup efforts have made headway on the number of Macs infected with the Flashback malware. While more than 600,000 Macs were infested with Flashback as recently as two weeks ago, that number fell by 60 percent last week.

On Tuesday, Symantec -- which had "sinkholed" command-and-control domains used by Flashback to communicate with its makers -- said the botnet had shrunk even more in the last several days, and controlled fewer than 100,000 Macs.

Another reason for Mozilla's pause between blocklisting Java on Windows and Mac: Firefox has a bug.

"There's a bug in Firefox that prevents it from reloading plug-in metadata after an update," acknowledged Mozilla. "This means that even if someone updates Java on Mac, Firefox will continue to say an old and vulnerable version is installed."

Mozilla has fixed the bug and will roll the patch into Firefox 12, which is set for release April 24.

For those reasons, Mozilla instituted only a partial block of the Java plug-in, limiting it to copies of Firefox running on Macs powered by OS X 10.5 or earlier. OS X 10.5 is better known as Leopard.

While Apple no longer packages Oracle's Java with OS X - it stopped that practice with Lion in July 2011 - it continues to issue Java security updates to people running Lion as well as 2009's Snow Leopard, or OS X 10.6. Java may be on some Lion systems: Users are prompted to install the software the first time they try to run a Java applet.

Because Apple no longer supports OS X 10.5, or Leopard, its predecessor Tiger or any older operating system, it doesn't ship patches for Java to those users.

"People who are using Mac OS X 10.5 and older won't get the Java update, which means they will remain vulnerable unless they update their operating system or upgrade their hardware," noted Mozilla. "For these users there's no point in waiting, so we have blocked the Java plug-in for them."

Firefox users running OS X 10.5 or earlier, will have JRE 1.6.0_31 and earlier, or JRE versions 1.7.0 through 1.7.0_2 disabled.

Mozilla called its move a "soft block," which means users are notified that the plug-in has been disabled, but they can continue using it at their own risk by clearing the "Disable" box in the notification dialog. Users can also later enable the plug-in from the Plug-ins section of Add-ons Manager by selecting "Add-ons" from the Tools menu.

Firefox users running OS X 10.6 and later will have outdated Java plug-ins disabled next week if they upgrade to version 12 of the browser.

While Mozilla's block of Java on Firefox for Windows didn't go flawlessly - it mistakenly was issued as a "hard block," which gave users no way to use the plug-in - there's no evidence of a similar problem on Mozilla's support forum for Mac users after Monday's move.

In a blog post 6 April, Christian Holler, a Mozilla security engineer, gave more details on the thinking behind Mozilla's blocking of the Java plug-in.

"As the popularity of the Mac platform has grown so has its attractiveness as a target for attackers," Holler said. "The threat to Mac users is evident and imminent, thus prompting our response on all platforms."



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *