Mozilla Blocks Vulnerable Java Versions In Firefox

Trailrunner7 writes with this excerpt from Threatpost: "Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited. The decision to add these vulnerable versions of Java to the browser's blocklist is designed to protect users who may not be aware of the flaw and attacks. 'This vulnerability — present in the older versions of the JDK and JRE — is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms,' Mozilla's Kev Needham said."

Java dying?

[Compaqt]

So sad what has become of Java.

I know a large part of Slashdot hates Java, but:

-Java passed C/C++ on Sourceforge a while back
-Java was the first language of a lot of people because a lot of colleges adopted it
-Java was the first real and powerful language for a lot of people
-Java held out the promise of developing programs not beholden to M$, thereby making a lot of platforms viable
-Java was supposed to make things easier for the small developer (ISV) by allowing write-once, run anywhere.

So that's why a lot of people have good feelings for Java. Unfortunately, it's dying of a thousand cuts.

Re:Java dying?

[jellomizer]

I think Java is just maturing not dying.

Java found it niche. JavaEE is still big, as it is a great platform for Web Services. However Java Applications have never gotten popular because they always end up looking a bit out of date (although it has greatly improved) compared to what the other platforms offer.

Slashdot hates Java because they hate anything that isn't Pure GNU open source.

Re:Java dying?

[Necroman]

Java's server-side is still very strong and won't be going anywhere anytime soon.

Java as a language for UIs, not so much. The built in UI widgets and windowing (Swing) is weak at best. While it has many of the basic widget types, it hasn't really evolved much as time has moved forward. Plus it always felt just enough different from native applications to stop developers from using it.

Java applets, I feel, have been dead for a long time. Applet initialization time was just too long or would break during loading to discourage people from using it. Though, I've seen Java Web Start work pretty well for deploying Java applications.

Re:Java dying?

[afidel]

Maybe java applications never got popular with end users but they're pretty much the standard for advanced GUI management interfaces on enterprise equipment. I hope for the sake of people who need older java versions to access the management interface on their switches, storage arrays, etc that there is an advanced preference to turn this feature off (if not globally then on a per-domain basis).

Re:Java dying?

[eternaldoctorwho]

According to the language rankings by TIOBE, Java is still very much in the lead, with only C as a "competitor" (although I think the practical usages of both languages are disjoint enough to not worry about competition). Everything else is training behind by a fair margin.

Re:Java dying?

[The+MAZZTer]

Minecraft runs on Java, so it'll stick around for a bit longer whether we like it or not.

Re:Java dying?

[oh_my_080980980]

And that (the enterprise) my dear sir, is where the money is at.

Re:Java dying?

[rudy_wayne]

-Java held out the promise of developing programs not beholden to M$

So now you can make programs that are beholden to Oracle, who are just as bad, or worse.

Re:Java dying?

[Myopic]

Java definitely isn't dying. I thought it was over the hump about five years ago, and started using other languages. Since then, Android dev has exploded, and now I spend my time using Cassandra database (Java) and Storm topology runner (Java).

In the past we used Java to make web pages a little more interesting. Today, web pages can do enough with HTML and JavaScript, so we don't need Java applets anymore -- and good riddance, at that. But that hardly means Java is dying. It isn't. Not at all.

Re:Java dying?

[CubicleZombie]

However Java Applications have never gotten popular because they always end up looking a bit out of date

The Windows look-and-feel should have been enabled by default. Then Java wouldn't look like a 15 year old version of Solaris.

Re:Java dying?

More like Slashdot hates Java because they flunked their intro CompSci course at the community college and now "develop" by tweaking PHP blogging software.

Re:Java dying?

[CubicleZombie]

The built in UI widgets and windowing (Swing) is weak at best. While it has many of the basic widget types, it hasn't really evolved much as time has moved forward.

Hasn't evolved, compared to what? Its big competitor for the rich-client is .NET, which is basically just a wrapper over same old Win32 controls we were using with MFC in the 90's. I can do anything with Swing.

Java applets, I feel, have been dead for a long time. Applet initialization time was just too long or would break during loading to discourage people from using it. Though, I've seen Java Web Start work pretty well for deploying Java applications.

The worst thing to ever happen to Java was Netscape 3.x and the Hotspot VM. Everybody remembers the "Starting Java..." message on the task bar - for several minutes - and then the inevitable browser crash. That sealed Java's fate on the client.

Re:Java dying?

[TheRaven64]

Slashdot hates Java because they hate anything that isn't Pure GNU open source.

No, there are a lot of legitimate reasons to hate Java, mainly because it promised things it couldn't deliver. It promised to be portable, but running it on anything that isn't one of under half a dozen blessed platforms is painful. That new MIPS server? Sorry, no Java for you! For a long time, even Java on *BSD on x86 was painful due to onerous licensing requirements (binaries weren't redistributable, so you needed to download the source - manually so you could agree to the license agreement - download the Linux version, use the Linux version to compile the BSD version).

Then there's performance. Java performance is on a par with StrongTalk or Self, yet it's a much lower-level language. Performance is usually okay, but again Java promised C-like performance and then shows misleading benchmarks to demonstrate it.

Next there's the pain of interfacing Java with other languages. If I have a C library, I can trivially call it from most scripting languages, from Objective-C, from C++, from D, from Pascal, from Lisp, and so on. If I have a Java library, it's difficult to use it from anything that's not Java. Conversely, it's difficult to use existing libraries from Java - JNI is a whole world of pain. This means that Java often involves reinventing the wheel, while other languages just provide thin (and often automatically generated) wrappers around libraries written in other languages where appropriate.

Then there's the incompatibilities between versions. Once you've got your write-once-run-anywhere program working on your customer's machine, he installs a new version of the JRE and it stops working. Meanwhile, the statically compiled, statically linked, program in another language works just fine...

And then there's the library system. Some rookie mistakes, like making String final. More importantly there's the design patterns fetishism that's so prevalent. There's a reason for all of those JavaProgramFactoryFactoryFactory jokes...

Re:Java dying?

[TheRaven64]

Oh, and I forgot to mention the UI problem. Java UIs look and feel wrong on every platform, although they look and feel least wrong on Windows. Java promoted the idea that you should use the same UI on every platform (ignoring the fact that different user interface guidelines are one of the main differences between platforms, from a user's perspective). They intentionally made it difficult to use the target platform's user interface APIs with Java code (although Apple fixed that on OS X in 10.0, before deprecating it around 10.4) to push the idea that you'd run the same code everywhere. Good cross-platform GUI apps are MVC, using native views and slightly different controllers on each platform, but the same model code. Doing this in Java is much harder than it should be.

Re:Java dying?

[Compaqt]

>Some rookie mistakes, like making String final.

Well, the way the father of Java (Gosling) explained it, I think he said something like if you could subclass String, then you could send a MyString to a someplace that expected a String, and possibly hack into something rather (password, etc.).

Re:Java dying?

[Bill_the_Engineer]

I'm just going to respond to a few of your points:

No, there are a lot of legitimate reasons to hate Java, mainly because it promised things it couldn't deliver.

There are plenty of other languages that promises much and deliver few. I think a lot of language preference depends on what you learned first and who you choose to associate with. I know plenty of Perl programmers who swear Perl is the one true language, and the same with C++, Python, Ruby, etc. Each language has its strength and weaknesses, but none of them have anything that warrants the level of hate. Except for Perl it is perfectly fine to hate that one. :P

Then there's performance. Java performance is on a par with StrongTalk or Self, yet it's a much lower-level language. Performance is usually okay, but again Java promised C-like performance and then shows misleading benchmarks to demonstrate it.

I don't know where you get your information from but Java does pretty well on the performance front. It benefits greatly from its static typing system and doesn't suffer from the overhead that is associated with the dynamic languages like Perl, Ruby, and Python. Java is magnitudes faster than the current batch of young languages and is in close ranks with the big three (C, Fortran, and C++). The fact that it runs without recompile on multiple hardware platforms is a bonus.

Next there's the pain of interfacing Java with other languages. If I have a C library, I can trivially call it from most scripting languages, from Objective-C, from C++, from D, from Pascal, from Lisp, and so on.

To be fair, I'd hope it would be trivial to call a C library from within C++ and Objective-C otherwise something is seriously wrong since they are pretty much derived from C. As for "so on" I do know that there is usually a binding meta languages involved (Perl's comes to mind), so I don't think JNI is any less different than the others. Since the other languages tend to be *much* slower, binding to a C library is much more important for them.

Then there's the incompatibilities between versions. Once you've got your write-once-run-anywhere program working on your customer's machine, he installs a new version of the JRE and it stops working. Meanwhile, the statically compiled, statically linked, program in another language works just fine...

Not necessarily true. You can keep your older versions of the JRE installed. Of course your comparison is with a "statically compiled, statically linked program" and not the more compact and prevalent dynamically linked programs. Nothing prevents someone from continuing to use the older JRE with a Java application that has all of its dependencies included in the application JAR file.

And then there's the library system. Some rookie mistakes, like making String final. More importantly there's the design patterns fetishism that's so prevalent. There's a reason for all of those JavaProgramFactoryFactoryFactory jokes...

And this is unique to Java?

Re:Java dying?

[olau]

And then there's the library system. Some rookie mistakes, like making String final.

I disagree. The best thing Gosling could have done to Java were making all classes final. It's certainly better than the other way around. Inheritance is in many cases one of the fastest ways of turning an otherwise sensible design into OOP spaghetti.

Re:Java dying?

[CubicleZombie]

Windows look and feel should have been the default for every platform.

Re:Java dying?

[Anomalyst]

I think Java is just maturing not dying.

Two words:Menopause & Osteoporosis.

Re:Java dying?

[shutdown+-p+now]

So Microsoft invented a new language to "be LIKE Java" but not Java.

This was relevant 10 years ago when C# first appeared. Since then, it has evolved at a pace much faster than Java, and has many more useful features. Case in point: C# has had full-featured closures for 7 years now; Java is only getting them in the upcoming release.

Re:Java dying?

[Anonymous+Brave+Guy]

As far as look and feel goes, it's a fallacy that all you have to do to make a GUI feel native is change the chrome. You can't turn a Windows native application into an OS X native application just by altering how you draw a button and a checkbox. No GUI toolkit that is based on the assumption that you can will ever be any good for making professional level user interfaces on any platform (or at least, on any more than one platform that it secretly favours).

Re:Java dying?

[dkf]

More accurately, everyone is focussing too much on microbenchmark performance. C++ is a language designed for an inlining-happy compiler with lots of compile-time specialisation. This results in very large code, which means that you end up with a lot of instruction cache churn. That's a total performance killer on modern hardware for large programs, but new features of C++ (with the possible exception of lambdas) are designed to make it even worse.

It doesn't help that C++'s standard library features aren't really all that strong either. Only C is really weaker, but that's a language with a tiny standard library anyway; building your own better version out of the C primitives is quite acceptable. C++ aspires to be better... and fluffs it. Don't believe me? Compare the string handling of C++ with that of Java or C# or Perl or Tcl or ... Well, let's say it like this: C++ gives you the pain of the complexity without nearly enough of the gain of well-implemented features.

The biggest problem with most large C++ programs though is in the way they handle memory. On exit, they like to neatly tidy up everything across their virtual memory space to a lovely pristine state with everything perfect. When the OS can do so much more cheaply (at nearly zero cost) and without stalling everything while every last bit is paged back in just so it can be deallocated. If C++ was a programmer, it would be an asshole with OCD. Just exit already! (Before you ask, I do know why it works the way it does. I just think that the net result is one of total fail from a user's perspective; it's making the computer "act stupid" for no truly good reason.)

Re:Java dying?

[SplashMyBandit]

The feature that C# doesn't have is 'cross-platform'. This is not a language flaw, it is a library and design flaw - targeting Windows. Mono does not implement the same libraries as the Microsoft .NET stack, and it turn out it never will. Unless you are a Windows only shop (which only households and smaller companies are) then the .NET stack has a lot of wonderful features but will always be technically inferior to Java because of the lack of true cross-platform capabilities. The fact that C# has some nice syntactic sugar is great, but still misses the point that you want your language *everywhere* you need to be. Java adopts features slowly not because the maintainers don't know about closures etc, it is because the language maintainers are trying to avoid Java turning into C++, which is harmful for enterprise adoption (with some lesser skilled programmers). This is one reason Java gets about 3 times the adoption world-wide as C#, despite the C# language niceties (see Tiobe for numbers). I can't see that changing for a long time no matter how many funky features C# gets first.

Re:Java dying?

[znrt]

I think Java is just maturing not dying.

Java found it niche. JavaEE is still big, as it is a great platform for Web Services. However Java Applications have never gotten popular because they always end up looking a bit out of date (although it has greatly improved) compared to what the other platforms offer.

java is dying from success. and of course i'm referring to j2ee. java on desktop or browser is anecdotical. it's technically sound but never made it through.

if you think about it, java is the perfect tool for any medium-big size software shop. everything is available: the language is basically sound, the api is endless and rich, there are lots of good tools for building, bug finding, profiling, optimizing, deploying ... you name it. java (j2ee) success in this area is indisputable (in fact, it has busted the .net monkeys thingie, that pursued exactly the same thing, to a limited captive market).

so what's the problem? well ... it's all just too easy. medium-big size software shops rely on all those standards and tools, build workflows on them ... so they can hire armies of clueless developers. and, obviously, produce glorious crap. throw in agile development (understood as blind running forward methodolgy) and you're pretty screwed.

java made cheap software possible. the problem is that there's no such thing as *good* cheap software, because it isn't so much about the tools, but about the brains.

throw in it is now mantained to oracle and you'll see this end in a big, big, big mess.

Mozilla gives middle finger to enterprise again

[jellomizer]

I don't know why all the fuss is about breaking our version scheme so the Enterprise has a harder time planning appropriate upgrades to their work stations. And now we decided to break compatibility with your legacy Java systems.

So now we have to be sure that we upgrade our Java first then Firefox... However we had planned to do Fire Fox this week and Java next month, after you know we test our applications that we need to run our business with the new Java version.

The enterprise doesn't stick with IE because they think it is a good browser they know how much it sucks. They stick with it because it can be maintained and managed properly in an enterprise environment.

Re:Mozilla gives middle finger to enterprise again

[i+kan+reed]

If you have to choose between clearly dangerous infection vector and updating ancient and fragile legacy java applets, I'd say Mozilla is the least of your problems.

Re:Mozilla gives middle finger to enterprise again

From the article:

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

The block isn't compulsory. Undo the block and keep working in the mean time.

Re:Mozilla gives middle finger to enterprise again

[nashv]

And you would deserve it. If you maintain an insecure system, you are a threat not just to yourself, but to the entire internet.

You foster malicious code that can be used to pit your system against others. Everyone is connected on the Internet, and if you chose to be a weak link, you are everyone's problem.

I am usually sympathetic to upgrade issues, but if you are going to be in the wild of the internet, fix your software. You are on an internal closed network, no one is forcing you to upgrade Firefox. Maintain your legacy setup.

Re:Mozilla gives middle finger to enterprise again

[Kagato]

Enterprise customers don't just roll out browsers. They do testing, they tweak the configuration and then they roll it out. Having to take the extra step to configuring some settings doesn't sound like a deal breaker. If anything, it sounds like a feature enterprise could really use. If your organization is whining about this, they likely aren't following due diligence in testing the browsers in the first place.

Re:Mozilla gives middle finger to enterprise again

[supremebob]

I hear ya.... I needed to scramble this morning to disable this warning message on two dozen kiosk systems, even though I configured Firefox to never check for plug-in updates.

Thank you once again for screwing up my production environments without any warning, Mozilla. I'm switching my kiosks over the Chrome, where the option for disabling plug-in checks actually works as promised.

Re:Mozilla gives middle finger to enterprise again

[kwrzesien]

So there is EXACTLY ONE version of Java that is usable: 7u3. There is NO PATCHED version of jre6 or jdk6 that is available for our 80,000+ workstations managed by Tivoli that have jre6 installed. Upgrading to 7 requires going through Field Certification of months of application compatibility checking.

Not to mention the servers that have jdk6 installed to a specific path, jdk7 would go in a different path and require changes to configuration files and regression testing. This is a 2-3 month process usually rolled into other development processes and doesn't just drop on the datacenter in one day. I think at least five departments would be involved in getting this change implemented.

No, Mozilla should be forcing this on Oracle to release a patched and updated 6u31 that can be automatically pushed to all machines, then wait two weeks and drop the hammer on anyone left behind.

Re:Mozilla gives middle finger to enterprise again

[Wrath0fb0b]

If you have to choose between clearly dangerous infection vector and updating ancient and fragile legacy java applets, I'd say Mozilla is the least of your problems.

Unless I have (an) admin machine(s) configured to access only intranet resources for the purpose of managing my legacy java applets. In that case, it would probably be nice to have an switch somewhere in about:config (maybe with a warning) to disable the blacklist. That's the problem with thinking about security without clearly identifying the context in which the policy is being deployed. For a home user Mozilla should absolutely default to not allowing outdated JREs*, for those within other environments, the calculus might be different.

* By the way, can't they just hire the Google dudes that designed Chrome's "I'm always updated but I never bother you" updater? Can't everyone just do that already? It's been shown to be feasible, workable and damned convenient.

** Of course, * comes with a switch to disable auto-updates for enterprise/OCD consumers that want to manage it themselves. I'm talking about default settings, not forcing everyone onto the silent-update train against their will.

How about a huge blinky warning instead?

[khasim]

Instead of Mozilla just fucking DISABLING it, how about adding a huge blinky warning to it?

"Oh, wow. I should upgrade as soon as I get the opportunity."
vs
"Fuck, it broke!"

Re:How about a huge blinky warning instead?

[Windwraith]

Do you realize that a warning is for average users to ignore? "Oh, wow. I should upgrade as soon as I get the opportunity" only works for people like us. Most people will do "CANCEL CANCEL CANCEL".

Re:How about a huge blinky warning instead?

[jorgevillalobos]

Instead of Mozilla just fucking DISABLING it, how about adding a huge blinky warning to it?

"Oh, wow. I should upgrade as soon as I get the opportunity." vs "Fuck, it broke!"

That is almost exactly what we did. You get a warning with the option to ignore it and continuing like nothing happened.

Re:How about a huge blinky warning instead?

[mcgrew]

It isn't the users, it's their OS. I almost never boot the Linux box; I don't have to. When an update comes up the pike I update, one click and keep working. No problem.

The notebook still has Win7. Almost every update for any program requires a reboot, and damn it, There's a book I'm working on open, with Firefox tabs to other stuff (labeling sampled music, etc). So I almost always hit "not now"... because I don't want to spend twenty minutes updating something that just got updated a few weeks ago, including the time it takes to reboot, open all the programs and browser tabs I had open, etc.

If Windows didn't require a reboot every damned Patch Tuesday (and other programs don't restrict themselves to MS's schedule so I wiond up with one widget or another needing an update at least weekly) and if the patches didn't require reboots, like Linux, and especially if it was able to come back to life after a reboot in the same state it was in, like Linux, people using Windows would update far more often.

PEBKAC is almost always a design flaw. Users hitting "cancel" when they're served updates? That's YOUR fault for making their lives harder. If updating weren't a royal pain in the ass people would update. Your tools are supposed to make work easier, not harder. MS could fix the problem easily, they simply choose not to. As Lily Tomlin always said in her AT&T monopoly skits, "we're the phone company. We don't HAVE to!"

Re:And there was me believing managed code was saf

[subanark]

The codespace where an exploit can occur is limited to only a subsection of VM's code. It is not perfect, but it offers better protection than running C code, and more flexibility than non-scripting HTML does. The same concept is used when running code as non-root even if you do have sudo access.

disable?

[X0563511]

I can't find any means to disable this in about:config.

I -HAVE- to have older versions of java installed on my workstation to replicate problems with old releases of our software.

Re:disable?

https://wiki.mozilla.org/Extension_Blocklisting:User_Interface

Preferences for controlling the blocklist
The common user should not be allowed to override the automatic updating and application of the blocklist, but there are valid use cases for doing so.

The following preferences should be created to govern this behaviour:
        * extensions.blocklist.enable (boolean), toggles blocklist enabled on/off

Other applications or distributions may want to provide their own backlist update url which will be controlled by the following pref:
        * extensions.blocklist.url (string), url to the blocklist file

The interval in which the blocklist runs will be defined by the following pref:
        * extensions.blocklist.interval (integer), the interval in which to download a new blocklist file

These preferences should be documented on developer.mozilla.org and any announcements for developers about the blocklist functionality.

Re:disable?

[supremebob]

This plug-in block warning doesn't seem to be version specific. I've seen it happen on versions of Firefox as old as version 3.6.

Re:Soo

[poetmatt]

Also makes me wonder what happens to bad legacy apps which rely on the older versions of java?

Re:And there was me believing managed code was saf

[rudy_wayne]

that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited.

No software is perfect. No software will ever be perfect. Any non-trivial code will contain some bugs, but there's something seriously wrong here.

Software like Java, Flash and Acrobat Reader aren't weekend projects thrown together in a few hours by a highschool student. They have been around a long time and are produced by large companies with lots of resources. The fact that these programs still have to constantly be patched to fix gaping security holes, is beyond absurd.

It would be funny if it wasn't so stupid.

Re:And there was me believing managed code was saf

[TheRaven64]

Every so often, someone says to themselves 'software is complex, and therefore prone to bugs. Some of these are exploitable, giving security holes. I bet we can fix that by adding another layer of complex software.' The most surprising thing is that people actually believe them.

Re:Got bit yesterday

[ifrag]

I spent all morning and much of the afternoon cleaning that crap up...

Usually it's faster to just use a system restore point. Typically these drive by mass attacks are not going to be smart enough to infect system backups. Although perhaps once enough of it starts running other pieces of malware start getting retrieved as well. I'd also immediately pull the ethernet cable if that nonsense starts up, then boot to safe mode.

Re:Soo

[LordLimecat]

I believe you can override it on a per-page basis. Thats how chrome deals with it.

Re:And there was me believing managed code was saf

[Mister+Whirly]

The fact that these programs still have to constantly be patched to fix gaping security holes, is beyond absurd.

I think this is addressed by your first statement-

No software is perfect.

But some bits of software are closer than others

[Anonymous+Brave+Guy]

Maybe no software is perfect, but some bits of software are a lot closer to perfect than others.

Much of this comes down to choice of tools. For example, if you're writing security-sensitive software in something like C or C++ in 2012 and the software in question isn't something very low-level like an OS kernel, you're probably making a mistake as far as security goes. The fact that much of the industry makes this mistake doesn't negate the preceding statement, it just means much of the industry is choosing to allow commercial pressures to override technical merit.

Much of it also comes down to choice of processes. We know very well how to write highly reliable software. Even for cases where ultra-high reliability isn't required, we know of relatively easy changes to processes that can reduce bug rates by almost an order of magnitude over the industry norm. If you're writing security-sensitive software in 2012 and not using these processes, you're also probably making a mistake as far as security goes. The fact that much of the industry makes this mistake doesn't negate the preceding statement, it just means that much of the industry is choosing to prioritise letting developers concentrate on the fun stuff over improving the quality of the work done by those developers.

Re:And there was me believing managed code was saf

[Anomalyst]

[They] aren't weekend projects thrown together in a few hours by a highschool student. They have been around a long time and are produced by large companies with lots of highschool dropouts

FTFY

Re:And there was me believing managed code was saf

[Anonymous+Brave+Guy]

There are two ways of constructing a software design.

One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies.

The first method is far more difficult.

C. A. R. Hoare, 1980 Turing Award lecture

Re:OSX

[jorgevillalobos]

Apple released a Java update today, so everybody should be checking Software Update now, before we block on Mac.