

Mozilla Blocks Vulnerable Java Versions In Firefox

Trailrunner7 writes with this excerpt from Threatpost: "Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited. The decision to add these vulnerable versions of Java to the browser's blocklist is designed to protect users who may not be aware of the flaw and attacks. 'This vulnerability — present in the older versions of the JDK and JRE — is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms,' Mozilla's Kev Needham said."
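
As an added example (not from the story, Mozilla or any commenter), a small Python check of whether a Java plugin version string reported by a workstation falls inside the ranges Mozilla listed for the Windows blocklist (Version 6 Update 30 and below, Version 7 Update 2 and below); the accepted version-string formats, the sample inventory and the choice to treat Java 5 and older as also blocked are assumptions of this example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Blocked ranges as stated in the Mozilla announcement (Windows plugin):
# Java 6 Update 30 and below, Java 7 Update 2 and below.
MAX_BLOCKED_UPDATE = {6: 30, 7: 2}

# Accepts the classic "1.6.0_30" form (optional "-b13" build suffix)
# and the short "6u30" form; an update number may be absent (GA release).
_JAVA_VERSION = re.compile(
    r"""^(?:
        1\.(?P<maj1>[5-9])\.0(?:_(?P<upd1>\d+))?   # classic form: 1.7.0_02
      | (?P<maj2>\d+)(?:u(?P<upd2>\d+))?            # short form: 7u3
    )(?:-.*)?$""", re.VERBOSE | re.IGNORECASE)

def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update), e.g. (6, 30) for '1.6.0_30' or '6u30'.
    A missing update number counts as update 0. Returns None for
    strings that are not a recognisable Java version."""
    m = _JAVA_VERSION.match(text.strip())
    if not m:
        return None
    major = int(m.group("maj1") or m.group("maj2"))
    update = int(m.group("upd1") or m.group("upd2") or 0)
    return major, update

def is_blocked(text: str) -> Optional[bool]:
    """True if the version is inside the blocklisted ranges, False if it
    is newer, None if the string could not be parsed (treat as unknown)."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    if major < min(MAX_BLOCKED_UPDATE):
        return True   # assumption: releases older than Java 6 are below 6u30 too
    limit = MAX_BLOCKED_UPDATE.get(major)
    if limit is None:
        return False  # a major version the announcement does not list
    return update <= limit

# Constructed sample inventory: (hostname, plugin version as reported).
SAMPLE_INVENTORY = [
    ("ws-01", "1.6.0_30"), ("ws-02", "1.6.0_31"), ("ws-03", "1.7.0_02-b13"),
    ("ws-04", "7u3"), ("ws-05", "not installed"),
]

def hosts_needing_review(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Hosts whose plugin is blocked or whose version is unknown."""
    return [host for host, ver in inventory if is_blocked(ver) is not False]
```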

14 of 205 comments

  1. Java dying? by Compaqt · Score: 4, Insightful

    So sad what has become of Java.

    I know a large part of Slashdot hates Java, but:

    -Java passed C/C++ on Sourceforge a while back
    -Java was the first language of a lot of people because a lot of colleges adopted it
    -Java was the first real and powerful language for a lot of people
    -Java held out the promise of developing programs not beholden to M$, thereby making a lot of platforms viable
    -Java was supposed to make things easier for the small developer (ISV) by allowing write-once, run anywhere.

    So that's why a lot of people have good feelings for Java. Unfortunately, it's dying of a thousand cuts.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:Java dying? by jellomizer · Score: 4, Interesting

      I think Java is just maturing not dying.

      Java found its niche. JavaEE is still big, as it is a great platform for Web Services. However, Java applications have never gotten popular because they always end up looking a bit out of date (although it has greatly improved) compared to what the other platforms offer.

      Slashdot hates Java because they hate anything that isn't Pure GNU open source.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Java dying? by Necroman · Score: 5, Insightful

      Java's server-side is still very strong and won't be going anywhere anytime soon.

      Java as a language for UIs, not so much. The built-in UI widgets and windowing (Swing) are weak at best. While it has many of the basic widget types, it hasn't really evolved much as time has moved forward. Plus it always felt just enough different from native applications to stop developers from using it.

      Java applets, I feel, have been dead for a long time. Applet initialization time was just too long or would break during loading to discourage people from using it. Though, I've seen Java Web Start work pretty well for deploying Java applications.

      --
      It's not what it is, it's something else.
    3. Re:Java dying? by afidel · Score: 4, Insightful

      Maybe Java applications never got popular with end users, but they're pretty much the standard for advanced GUI management interfaces on enterprise equipment. I hope, for the sake of people who need older Java versions to access the management interface on their switches, storage arrays, etc., that there is an advanced preference to turn this feature off (if not globally then on a per-domain basis).

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    4. Re:Java dying? by rudy_wayne · Score: 4, Insightful

      -Java held out the promise of developing programs not beholden to M$

      So now you can make programs that are beholden to Oracle, who are just as bad, or worse.

    5. Re:Java dying? by Anonymous Coward · Score: 5, Funny

      More like Slashdot hates Java because they flunked their intro CompSci course at the community college and now "develop" by tweaking PHP blogging software.

    6. Re:Java dying? by TheRaven64 · Score: 4, Informative

      Slashdot hates Java because they hate anything that isn't Pure GNU open source.

      No, there are a lot of legitimate reasons to hate Java, mainly because it promised things it couldn't deliver. It promised to be portable, but running it on anything that isn't one of under half a dozen blessed platforms is painful. That new MIPS server? Sorry, no Java for you! For a long time, even Java on *BSD on x86 was painful due to onerous licensing requirements (binaries weren't redistributable, so you needed to download the source - manually so you could agree to the license agreement - download the Linux version, use the Linux version to compile the BSD version).

      Then there's performance. Java performance is on a par with StrongTalk or Self, yet it's a much lower-level language. Performance is usually okay, but again Java promised C-like performance and then shows misleading benchmarks to demonstrate it.

      Next there's the pain of interfacing Java with other languages. If I have a C library, I can trivially call it from most scripting languages, from Objective-C, from C++, from D, from Pascal, from Lisp, and so on. If I have a Java library, it's difficult to use it from anything that's not Java. Conversely, it's difficult to use existing libraries from Java - JNI is a whole world of pain. This means that Java often involves reinventing the wheel, while other languages just provide thin (and often automatically generated) wrappers around libraries written in other languages where appropriate.

      Then there's the incompatibilities between versions. Once you've got your write-once-run-anywhere program working on your customer's machine, he installs a new version of the JRE and it stops working. Meanwhile, the statically compiled, statically linked, program in another language works just fine...

      And then there's the library system. Some rookie mistakes, like making String final. More importantly there's the design patterns fetishism that's so prevalent. There's a reason for all of those JavaProgramFactoryFactoryFactory jokes...

      --
      I am TheRaven on Soylent News
  2. Mozilla gives middle finger to enterprise again by jellomizer · Score: 4, Insightful

    I don't know what all the fuss is about: breaking our version scheme so the Enterprise has a harder time planning appropriate upgrades to their workstations, and now deciding to break compatibility with your legacy Java systems.

    So now we have to be sure that we upgrade our Java first, then Firefox... However, we had planned to do Firefox this week and Java next month, after, you know, we test the applications we need to run our business with the new Java version.

    The enterprise doesn't stick with IE because they think it is a good browser; they know how much it sucks. They stick with it because it can be maintained and managed properly in an enterprise environment.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Mozilla gives middle finger to enterprise again by i kan reed · Score: 5, Insightful

      If you have to choose between a clearly dangerous infection vector and updating ancient and fragile legacy Java applets, I'd say Mozilla is the least of your problems.

    2. Re:Mozilla gives middle finger to enterprise again by Anonymous Coward · Score: 4, Informative

      From the article:

      Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

      The block isn't compulsory. Undo the block and keep working in the meantime.

    3. Re:Mozilla gives middle finger to enterprise again by Kagato · Score: 4, Insightful

      Enterprise customers don't just roll out browsers. They do testing, they tweak the configuration and then they roll it out. Having to take the extra step of configuring some settings doesn't sound like a deal breaker. If anything, it sounds like a feature enterprise could really use. If your organization is whining about this, they likely aren't following due diligence in testing the browsers in the first place.

  3. Re:disable? by Anonymous Coward · Score: 5, Informative

    https://wiki.mozilla.org/Extension_Blocklisting:User_Interface

    Preferences for controlling the blocklist
    The common user should not be allowed to override the automatic updating and application of the blocklist, but there are valid use cases for doing so.

    The following preferences should be created to govern this behaviour:
        * extensions.blocklist.enable (boolean), toggles blocklist enabled on/off

    Other applications or distributions may want to provide their own blocklist update URL, which will be controlled by the following pref:
        * extensions.blocklist.url (string), URL to the blocklist file

    The interval in which the blocklist runs will be defined by the following pref:
        * extensions.blocklist.interval (integer), the interval in which to download a new blocklist file

    These preferences should be documented on developer.mozilla.org and in any announcements for developers about the blocklist functionality.

  4. Re:And there was me believing managed code was saf by rudy_wayne · Score: 4, Insightful

    that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited.

    No software is perfect. No software will ever be perfect. Any non-trivial code will contain some bugs, but there's something seriously wrong here.

    Software like Java, Flash and Acrobat Reader aren't weekend projects thrown together in a few hours by a high school student. They have been around a long time and are produced by large companies with lots of resources. The fact that these programs still have to constantly be patched to fix gaping security holes is beyond absurd.

    It would be funny if it wasn't so stupid.

  5. Re:And there was me believing managed code was saf by Mister Whirly · Score: 4, Insightful

    The fact that these programs still have to constantly be patched to fix gaping security holes is beyond absurd.

    I think this is addressed by your first statement-

    No software is perfect.

    --
    "But this one goes to 11!"