Mozilla Blocks Vulnerable Java Versions In Firefox

Trailrunner7 writes with this excerpt from Threatpost: "Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited. The decision to add these vulnerable versions of Java to the browser's blocklist is designed to protect users who may not be aware of the flaw and attacks. 'This vulnerability — present in the older versions of the JDK and JRE — is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms,' Mozilla's Kev Needham said."

Java dying?

[Compaqt]

So sad what has become of Java.

I know a large part of Slashdot hates Java, but:

-Java passed C/C++ on Sourceforge a while back
-Java was the first language of a lot of people because a lot of colleges adopted it
-Java was the first real and powerful language for a lot of people
-Java held out the promise of developing programs not beholden to M$, thereby making a lot of platforms viable
-Java was supposed to make things easier for the small developer (ISV) by allowing write-once, run anywhere.

So that's why a lot of people have good feelings for Java. Unfortunately, it's dying of a thousand cuts.

Re:Java dying?

[Necroman]

Java's server-side is still very strong and won't be going anywhere anytime soon.

Java as a language for UIs, not so much. The built in UI widgets and windowing (Swing) is weak at best. While it has many of the basic widget types, it hasn't really evolved much as time has moved forward. Plus it always felt just enough different from native applications to stop developers from using it.

Java applets, I feel, have been dead for a long time. Applet initialization time was just too long or would break during loading to discourage people from using it. Though, I've seen Java Web Start work pretty well for deploying Java applications.

Re:Java dying?

[afidel]

Maybe java applications never got popular with end users but they're pretty much the standard for advanced GUI management interfaces on enterprise equipment. I hope for the sake of people who need older java versions to access the management interface on their switches, storage arrays, etc that there is an advanced preference to turn this feature off (if not globally then on a per-domain basis).

Re:Java dying?

[The+MAZZTer]

Minecraft runs on Java, so it'll stick around for a bit longer whether we like it or not.

Re:Java dying?

[rudy_wayne]

-Java held out the promise of developing programs not beholden to M$

So now you can make programs that are beholden to Oracle, who are just as bad, or worse.

Mozilla gives middle finger to enterprise again

[jellomizer]

I don't know why all the fuss is about breaking our version scheme so the Enterprise has a harder time planning appropriate upgrades to their work stations. And now we decided to break compatibility with your legacy Java systems.

So now we have to be sure that we upgrade our Java first then Firefox... However we had planned to do Fire Fox this week and Java next month, after you know we test our applications that we need to run our business with the new Java version.

The enterprise doesn't stick with IE because they think it is a good browser they know how much it sucks. They stick with it because it can be maintained and managed properly in an enterprise environment.

Re:Mozilla gives middle finger to enterprise again

[i+kan+reed]

If you have to choose between clearly dangerous infection vector and updating ancient and fragile legacy java applets, I'd say Mozilla is the least of your problems.

Re:Mozilla gives middle finger to enterprise again

[jellomizer]

A lot of enterprises would love to give Firefox or Chrome as their standard browser. Much better use of the standards and faster and predictable running of modern stuff. So if you want to move away from your Legacy Java Applets to a new System Mozilla is a good choice for an enterprise technically to standardize on. However the Mozilla foundations are being a bunch of Elitists Richards, and seemed hell bent to make sure that Mozilla isn't incorporated in an Enterprise environment. And Enterprises need to make a policy of saying we do not support this product. So as we migrate away from those old legacy Java Applets, which can take years to do. We are replacing them with Apps specialized and optimized for IE because we don't have any other logical choice. Because IE is the only browser that will allow the Enterprise run its own way.

Re:Mozilla gives middle finger to enterprise again

[nashv]

And you would deserve it. If you maintain an insecure system, you are a threat not just to yourself, but to the entire internet.

You foster malicious code that can be used to pit your system against others. Everyone is connected on the Internet, and if you chose to be a weak link, you are everyone's problem.

I am usually sympathetic to upgrade issues, but if you are going to be in the wild of the internet, fix your software. You are on an internal closed network, no one is forcing you to upgrade Firefox. Maintain your legacy setup.

Re:Mozilla gives middle finger to enterprise again

[Kagato]

Enterprise customers don't just roll out browsers. They do testing, they tweak the configuration and then they roll it out. Having to take the extra step to configuring some settings doesn't sound like a deal breaker. If anything, it sounds like a feature enterprise could really use. If your organization is whining about this, they likely aren't following due diligence in testing the browsers in the first place.

How about a huge blinky warning instead?

[khasim]

Instead of Mozilla just fucking DISABLING it, how about adding a huge blinky warning to it?

"Oh, wow. I should upgrade as soon as I get the opportunity."
vs
"Fuck, it broke!"

Re:And there was me believing managed code was saf

[rudy_wayne]

that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited.

No software is perfect. No software will ever be perfect. Any non-trivial code will contain some bugs, but there's something seriously wrong here.

Software like Java, Flash and Acrobat Reader aren't weekend projects thrown together in a few hours by a highschool student. They have been around a long time and are produced by large companies with lots of resources. The fact that these programs still have to constantly be patched to fix gaping security holes, is beyond absurd.

It would be funny if it wasn't so stupid.

Re:And there was me believing managed code was saf

[TheRaven64]

Every so often, someone says to themselves 'software is complex, and therefore prone to bugs. Some of these are exploitable, giving security holes. I bet we can fix that by adding another layer of complex software.' The most surprising thing is that people actually believe them.

Re:And there was me believing managed code was saf

[Mister+Whirly]

The fact that these programs still have to constantly be patched to fix gaping security holes, is beyond absurd.

I think this is addressed by your first statement-

No software is perfect.

Re:And there was me believing managed code was saf

[Anonymous+Brave+Guy]

There are two ways of constructing a software design.

One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies.

The first method is far more difficult.

C. A. R. Hoare, 1980 Turing Award lecture