Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple and Mozilla Block Vulnerable Java Plug-ins

Posted by Soulskill on from the no-dogs-allowed dept.

hypnosec writes "Following news that a Java 0-day has been rolled into exploit kits, without any patch to fix the vulnerability, Mozilla and Apple have blocked the latest versions of Java on Firefox and Mac OS X respectively. Mozilla has taken steps to protect its user base from the yet-unpatched vulnerability. Mozilla has added to its Firefox add-on block-list: Java 7 Update 10, Java 7 Update 9, Java 6 Update 38 and Java 6 Update 37. Similar steps have also been taken by Apple; it has updated its anti-malware system to only allow version 1.7.10.19 or higher, thereby automatically blocking the vulnerable version, 1.7.10.18." Here are some ways to disable Java, if you're not sure how.

4 of 88 comments (clear)

  1. Re:and to unblock? by Desler · · Score: 5, Informative

    From Mozilla:

    There is no patch currently available for this issue from Oracle. To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.

    The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.

    With OS X it's blacklisted. But then again everyone is recommending to uninstall these versions anyway. If you have critical software depending on vulnerable versions you should beat the developers over the head to fix it.

  2. Chrome - "Click to Play" by adisakp · · Score: 5, Informative

    Chrome has a "Click to Play" mode that won't run any plug-ins on a page without user intervention but it's fairly easy (one click) to run the plug-in on content you want to see.

    In Chrome select "Settings" from options menu or navigate to "chrome://chrome/settings/"

    Click Link "Show advanced Settings"

    Click button "Content settings..." under Privacy

    Look Under "Plug-ins"

    Select the option "Click to play" which will prevent plug-ins from running on a page unless you manually click on a bar which allows them to run.

  3. Re:Why this zero-day? Why Java? by thsths · · Score: 5, Insightful

    > Why does this one deserve special treatment?

    Because it is
    * wide spread, both in terms of users and in terms of malicious sites
    * serious: remote exploit with none but the initial user interaction
    * arrogant of Oracle not to respond
    * avoidable, because nearly nobody needs Java anyway

    Oracle really dropped the ball here, and they deserve to be kicked.

  4. Mozilla: Why break stuff instead of fixing it? by OMG · · Score: 5, Interesting

    Why is no one recommending to raise the security level for Java applets from "medium" to "high" or "very high"?

    Since Update 10 there is this new control that could be employed exactly right now:
    http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html