Closed Bug 843373 Opened 11 years ago Closed 11 years ago

Please Enable CTP for all released versions of Java

Categories: Toolkit :: Blocklist Policy Requests (defect)
Type: defect; Priority: Not set; Severity: normal
Status: VERIFIED FIXED
Reporter: ygjb; Assignee: Unassigned
Whiteboard: [plugin]
Attachments: 1 obsolete file

+++ This bug was initially created as a clone of Bug #803152 +++
<mcoates> can someone file a bug to extend CTP for all versions of Java again. Please mention in the bug that manual blocking by version is an intermediate process until the remaining changes for CTP are implemented (per blog post)
No longer depends on: 804552, 807258, 808824, 795387, 803152
Summary: Please CTP block all versions of Java → Please Enable CTP for all versions of Java
Assigning myself as QA Contact. I'll coordinate testing once staged.
QA Contact: anthony.s.hughes
Background:

1) Active zero day exploits against Java:
http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/
http://thenextweb.com/apple/2013/02/19/facebook-apple-employees-visited-iphonedevsdk-where-their-computers-were-compromised-by-java-exploit/

2) Apple is removing Java plugin by default from Safari. 
http://support.apple.com/kb/HT5651


We've previously applied CTP for the Java plugin, up to and including, the current version. Per our blog post plan to soon CTP all versions of Java. During this interim there is a small window where new versions of Java will only have CTP if we specifically enable it. Based upon items 1 and 2 above we should continue applying CTP to Java at this time.
(In reply to Michael Coates [:mcoates] from comment #2)
> We've previously applied CTP for the Java plugin, up to and including, the
> current version. Per our blog post plan to soon CTP all versions of Java.
> During this interim there is a small window where new versions of Java will
> only have CTP if we specifically enable it. Based upon items 1 and 2 above
> we should continue applying CTP to Java at this time.

Sounds good to me. Sounds like we'll file a separate bug for when we want to block Java versions *.*.
Summary: Please Enable CTP for all versions of Java → Please Enable CTP for all released versions of Java
Why wouldn't we change the blocklist to *.* now rather than this per-version updating? It seems more likely that we'll keep blocking until something changes than that we'll want to keep evaluating each version as it comes out.
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Why wouldn't we change the blocklist to *.* now rather than this per-version
> updating? It seems more likely that we'll keep blocking until something
> changes than that we'll want to keep evaluating each version as it comes out.

I endorse this approach if it is possible. It seems to be costing a lot more resources to constantly do these blocks than it would if we blocked everything and unblocked known good versions.
It's definitely possible, and it would save us lots of time in the long run.
We decided a couple releases ago only to deploy the java blocks when a vulnerability was credible, and wait for the better UI to turn CtP on by default. But showing users the scary "your plugin is insecure" UI without actually being able to point to a vulnerability is IMO not a good choice.

If we believe that Java is so far gone that it cannot be secure, we should go ahead and say that publicly and block all versions with a pointer to our statement.
(In reply to Jorge Villalobos [:jorgev] from comment #8)
> The blocks for all current versions (not *.*) are now staged:
> 
> https://addons-dev.allizom.org/en-US/firefox/blocked/p283
> https://addons-dev.allizom.org/en-US/firefox/blocked/p285
> https://addons-dev.allizom.org/en-US/firefox/blocked/p287
> https://addons-dev.allizom.org/en-US/firefox/blocked/p289
> https://addons-dev.allizom.org/en-US/firefox/blocked/p291
> https://addons-dev.allizom.org/en-US/firefox/blocked/p293

Which versions do these specifically correspond to? Aside, can we get this information up front in the future?
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #9)
> Which versions do these specifically correspond to?

The title in the block pages should be self-explanatory.

> Aside, can we get this information up front in the future?

Sure.

> https://addons-dev.allizom.org/en-US/firefox/blocked/p283
Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X

> https://addons-dev.allizom.org/en-US/firefox/blocked/p285
Java Plugin 7 update 12 to 15 (click-to-play), Windows

> https://addons-dev.allizom.org/en-US/firefox/blocked/p287
Java Plugin 7 update 12 to 15 (click-to-play), Linux

> https://addons-dev.allizom.org/en-US/firefox/blocked/p289
Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X

> https://addons-dev.allizom.org/en-US/firefox/blocked/p291
Java Plugin 6 updates 39 to 41 (click-to-play), Windows

> https://addons-dev.allizom.org/en-US/firefox/blocked/p293
Java Plugin 6 updates 39 to 41 (click-to-play), Linux
Sorry for the delay but just for clarification which Firefox versions should these apply to?
17 and above.
Due to issues related to Aurora l10n, I will not be able to test this until Monday at the earliest. Setting QA Contact to Paul.

Paul, can you test these staged CTP blocks overnight Sunday? Thanks.
QA Contact: anthony.s.hughes → paul.silaghi
Verified CTP blocked on staging:
j6u39, j6u41, j7u13, j7u15 on FF 17.0.1, 18.0.2, 19, 20b1, 21.0a2 (2013-02-24), 22.0a1 (2013-02-24) on Win 7 and Ubuntu 12.04

On Mac OS X 10.8.2 j7u13, j7u15 are NOT blocked. Wasn't able to test with java 6, didn't find the installation kit.
Also, are you aware of the java 7 default notifications?
http://img705.imageshack.us/img705/6550/javanotifications.png
first one - with j7u13
second one - j7u15 (latest)
Based on Paul's results...

The following blocks appear to be working as expected:
> Java Plugin 7 update 12 to 15 (click-to-play), Windows
> Java Plugin 7 update 12 to 15 (click-to-play), Linux
> Java Plugin 6 updates 39 to 41 (click-to-play), Windows
> Java Plugin 6 updates 39 to 41 (click-to-play), Linux

The following are not testable:
> Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X

The following appear to be broken:
> Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X

I'll have to double check Java 7u{12-15} on Mac before signing off for push to production.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #16)
> The following appear to be broken:
> > Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X
> 
> I'll have to double check Java 7u{12-15} on Mac before signing off for push
> to production.

I confirm this block is not working as expected.

> Already installed Java 7u13
1. Start Firefox with a new profile
2. Change addons.mozilla.org to addons-dev.allizom.org in extensions.blocklist.url 
3. Change extensions.blocklist.interval to 10
4. Restart Firefox
5. Force a blocklist ping by evaluating the following code in Error Console
>  Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);
6. Load some of the Java demos from here
> http://neuron.eng.wayne.edu/software.html

Result:
A Java window appears asking for my permission to execute the app. Checking "I accept..." and clicking "Run" loads the app. 

Given these results my recommendation would be to push the remaining blocks live and figure out what's going on here in a follow-up bug.
The problem is server-side. I noticed this when staging the blocks, but I thought it was a temporary caching problem. If you go to the staging blocklist page (https://addons-dev.allizom.org/en-US/firefox/blocked/), the Mac OS block (283) is not listed, and the Windows block (285) is listed twice. The same is happening in the downloaded blocklist.xml.

I'll file a bug for this, and create a new Mac OS block so we can test it.
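A check for the server-side defect described in the comment above (one block missing from the downloaded blocklist.xml while another appears twice), as an added example that is not part of this bug or of Mozilla's tooling. It assumes the `pluginItem` / `blockID` / `os` layout and namespace of blocklist.xml from that period; the block IDs come from the staged list in this bug, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of Firefox's blocklist.xml (assumption: the format of that period).
NS = {"b": "http://www.mozilla.org/2006/addons-blocklist"}

# Staged block IDs from this bug mapped to their target OS. The attribute
# spellings Darwin / WINNT / Linux are assumed values of the "os" attribute.
EXPECTED = {
    "p283": "Darwin", "p285": "WINNT", "p287": "Linux",
    "p289": "Darwin", "p291": "WINNT", "p293": "Linux",
}

# Constructed sample reproducing the reported symptom:
# the Mac OS block (p283) is absent and the Windows block (p285) is doubled.
SAMPLE = """<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <pluginItems>
    <pluginItem os="WINNT" blockID="p285"/>
    <pluginItem os="WINNT" blockID="p285"/>
    <pluginItem os="Linux" blockID="p287"/>
    <pluginItem os="Darwin" blockID="p289"/>
    <pluginItem os="WINNT" blockID="p291"/>
    <pluginItem os="Linux" blockID="p293"/>
  </pluginItems>
</blocklist>"""


def audit_blocklist(xml_text, expected):
    """Compare the plugin blocks in a blocklist.xml against the staged set.

    Only entries whose blockID is in `expected` are considered, so unrelated
    blocks already present in the file do not produce noise.
    """
    root = ET.fromstring(xml_text)
    items = [
        item for item in root.findall("b:pluginItems/b:pluginItem", NS)
        if item.get("blockID") in expected
    ]

    seen = Counter(item.get("blockID") for item in items)
    found_os = Counter(item.get("os") for item in items)
    want_os = Counter(expected.values())

    # Per-OS surplus (+) or shortfall (-) of entries; zero deltas are omitted.
    os_delta = {
        name: found_os[name] - want_os[name]
        for name in sorted(set(found_os) | set(want_os))
        if found_os[name] != want_os[name]
    }

    return {
        # Staged blocks that never made it into the served file.
        "missing": sorted(set(expected) - set(seen)),
        # Staged blocks that appear more than once.
        "duplicated": sorted(bid for bid, n in seen.items() if n > 1),
        # Blocks present but tagged with a different OS than staged.
        "wrong_os": sorted({
            item.get("blockID") for item in items
            if item.get("os") != expected[item.get("blockID")]
        }),
        "os_delta": os_delta,
    }


if __name__ == "__main__":
    print(audit_blocklist(SAMPLE, EXPECTED))
```

Running the same audit against the file served to clients before QA starts would surface a missing platform block without needing a test machine for that platform.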
The new block is now staged. Please give it an hour or so before testing.
All blocks are now working as expected on staging. Feel free to push live at your earliest convenience.
Done.

https://addons.mozilla.org/en-US/firefox/blocked/p292
Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X

https://addons.mozilla.org/en-US/firefox/blocked/p294
Java Plugin 7 update 12 to 15 (click-to-play), Windows

https://addons.mozilla.org/en-US/firefox/blocked/p296
Java Plugin 7 update 12 to 15 (click-to-play), Linux

https://addons.mozilla.org/en-US/firefox/blocked/p298
Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X

https://addons.mozilla.org/en-US/firefox/blocked/p300
Java Plugin 6 updates 39 to 41 (click-to-play), Windows

https://addons.mozilla.org/en-US/firefox/blocked/p302
Java Plugin 6 updates 39 to 41 (click-to-play), Linux
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
I've confirmed these blocks are working as expected in production.
Status: RESOLVED → VERIFIED
Keywords: qawanted
Why is my Java (TM)Platform SE 7 U15 being blocked? I need Java to print out coupons and it can't when it's being blocked. Please help me fix this problem! Thanks
(In reply to melliethek from comment #23)
> Please help me fix this problem!
See https://support.mozilla.org/kb/how-to-use-java-if-its-been-blocked
tibor, read comment 24 and see also https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
(In reply to tibor from comment #25)
Tibor - your comment has been removed. Please read https://bugzilla.mozilla.org/page.cgi?id=etiquette.html before posting again.

The response provided in comment 24 will address your concerns.
my java don't works :(( ...please help me step by step ( http://img687.imageshack.us/img687/9450/95951630.png )
What do you mean by "don't work" ?
You just have to click on the plugin screen and the java content should be displayed. That message in Addons Manager only warns you to use with caution, java is very vulnerable lately.
(In reply to Paul Silaghi [QA] from comment #29)
> What do you mean by "don't work" ?
> You just have to click on the plugin screen and the java content should be
> displayed. That message in Addons Manager only warns you to use with
> caution, java is very vulnerable lately.

pls cant how me in pictures?? dont speak very good english
btw Paul u are romanian? if u are pls send a mail at J_Kwon_Ro@Yahoo.Com to help me to solve this problem. thanks
Problem solved in private. It wasn't a CTP bug, not even a Firefox one.
(In reply to Jorge Villalobos [:jorgev] from comment #21)
> Done.
> 
> https://addons.mozilla.org/en-US/firefox/blocked/p292
> Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X
> 
> https://addons.mozilla.org/en-US/firefox/blocked/p294
> Java Plugin 7 update 12 to 15 (click-to-play), Windows
> 
> https://addons.mozilla.org/en-US/firefox/blocked/p296
> Java Plugin 7 update 12 to 15 (click-to-play), Linux
> 
> https://addons.mozilla.org/en-US/firefox/blocked/p298
> Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X
> 
> https://addons.mozilla.org/en-US/firefox/blocked/p300
> Java Plugin 6 updates 39 to 41 (click-to-play), Windows
> 
> https://addons.mozilla.org/en-US/firefox/blocked/p302
> Java Plugin 6 updates 39 to 41 (click-to-play), Linux
Attachment #718964 - Attachment is obsolete: true
Attachment #718964 - Attachment is patch: false
Would this be a reason for Mozilla Firefox to crash???
I'm not aware of any crash related to Click To Play so far. Please go to about:crashes and post here the link of the crash for investigation.
Here's the whole thing:


Corey, please file a new bug describing your steps to reproduce and with only the last crash IDs formatted like bp-28a5b291-55ff-400c-a2b4-35cfb2130228.
Submitted Crash Reports

Report ID | Date Submitted
14c88954-aeaf-4dfa-84b7-87097afb8c1b-flash2 | 2/28/2013 1:29 AM
14c88954-aeaf-4dfa-84b7-87097afb8c1b-flash1 | 2/28/2013 1:29 AM
14c88954-aeaf-4dfa-84b7-87097afb8c1b-browser | 2/28/2013 1:29 AM
14c88954-aeaf-4dfa-84b7-87097afb8c1b | 2/28/2013 1:29 AM
bp-2e419da2-2e13-4e30-a514-f0a772130228 | 2/28/2013 1:21 AM
There is something I don't catch here.

We were used to quite secure versions of Java, from time to time an issue was discovered and fixed.

My Java was obsolete on an old system of mine that I do not use often, my Firefox blocked it so I went to Oracle's site and installed JRE 7. It was JRE 7.10.

I restarted Firefox and the Java plugin was OK (no warning of being vulnerable, not blocked). But I still got a warning that my Java was not the latest version (!). Strange, I just installed the latest available runtime (as far as I knew).

Anyway I clicked on the update button, it downloaded the whole Java stuff and it was Java 7 Update 15.

Ok.

Now I restart Firefox, and guess what, "Java 7.15 is known to be vulnerable" (this is the object of this thread).

Thus:
- JRE 7.10 is OK and not blocked BUT not the latest version
- JRE 7.15 is the latest version BUT should be blocked

What I do not understand is, why does the plugin system advise people to upgrade from 7.10 to 7.15 if it breaks the security ?
j7u10 is properly blocked, just tested on FF 19.
You would have probably seen the blocking notification if you had waited a little longer. The block is not happening instantly.
My experience is the exact same as Michael Smith's in comment number 41.  I'll ask the same question that he does "why does the plugin system advise people to upgrade from 7.10 to 7.15 if it breaks the security ?"
Java SE7 U15 has fewer vulnerabilities than SE7 U10 so it makes sense to advise to upgrade.
@ Michael Smith, mine gives me one of those messages as well, so me not knowing and seeing that amongst all these crashes, disabled it myself mine was version Platform SE 7 U15, well now that I look it does say something about a new version 10.15.2, Maybe that'll do the trick....
Depends on: 846366
Also, I wanna add, I keep getting a grey box that keeps coming up about Shockwave being unresponsive
Corey, for each issue, file a new bug.
For the most part it's working fairly decent today so far, don't wanna jinx things though, but yea, there's been a few times of that Shockwave message, and several times I would get Script Errors not related to Shockwave (I guess), BUT I am running all my computer scans right now also, don't know if it's helping or if it really doesn't matter about it, I just checked my plugins and they finally say they are up to date now, so maybe....
So I wonder, when do guys start blocking flash and adobe reader plugin automatically?

I don't understand why java should be handled differently than e.g. flash, which receives emergency updates all the time, too.
(In reply to Clemens Eisserer from comment #49)
> So I wonder, when do guys start blocking flash and adobe reader plugin
> automatically?
Those are also blocked, but only some older versions.
https://wiki.mozilla.org/Blocklisting/PluginBlocks

> I don't understand why java should be handled differently than e.g. flash,
> which receives emergency updates all the time, too.
Because even the latest version of java proved to be vulnerable. You can find more articles about java vulnerabilities on google.
(In reply to Clemens Eisserer from comment #49)
> I don't understand why java should be handled differently than e.g. flash,
> which receives emergency updates all the time, too.
First because there are no Flash vulnerabilities known to be exploited in the wild.
Then because Flash blocking will be considered as a war declaration for websites that live with ads. An experiment of ad blocking by a French provider (intending to get paid by Google for huge pipes required by YouTube) was received like that.
> First because there are no Flash vulnerabilities known to be exploited in the wild.

The new vulnerability found in u15 isn't exploited. A company reported it to Oracle, the same happens at Adobe frequently, too.

> Then because Flash blocking will be considered as a war 
> declaration for websites that live with ads.

So flash isn't blocked because it is used for ads. The few java-applets left that actually do useful stuff are.

Anyway, who am I to complain.
We are working on rolling out Flash blocks. We currently block Flash 10.2 and lower on release, and old versions of 10.3 on Beta. Flash is more tricky because there are more users / websites which is why we are slowly rolling the blocks out. Eventually the blocks will grow to more and more versions of Flash.
Regardless, this is a bug on Java blocks, so please keep the discussion to rolling out Java Blocks. If you have support issues around the blocks, please go to support.mozilla.org. (sorry for bug spam)
(In reply to Clemens Eisserer from comment #52)
> > First because there are no Flash vulnerabilities known to be exploited in the wild.
> 
> The new vulnerability found in u15 isn't exploited. A company reported it to
> Oracle, the same happens at Adobe frequently, too.
It *is* being exploited. See http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html for example.
> 
> > Then because Flash blocking will be considered as a war 
> > declaration for websites that live with ads.
> 
> So flash isn't blocked because it is used for ads. The few java-applets
> left that actually do useful stuff are.
> 
> Anyway, who am I to complain.
Current statistics on this web page indicate that Java is very seldomly used on the web (about 0.2%), whereas Flash is more widely used (mostly for videos, e.g. youtube). See http://w3techs.com/technologies/overview/client_side_language/all
(In reply to Clemens Eisserer from comment #52)
> The new vulnerability found in u15 isn't exploited. A company reported it to
> Oracle, the same happens at Adobe frequently, too.

Untrue, FireEye reported one in the wild yesterday:

http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
... to which Oracle assigned a unique CVE number, meaning it's a different one than the one previously reported privately to Oracle.
There _is_ a major difference between Flash and Java: Flash was designed to be a browser plugin. If it has bugs you could compromise it and do bad stuff inside the process. In doing so you have to work around the Flash process sandbox as well as all the OS/Compiler memory protections (DEP/ASLR) designed to make such compromises hard.

Java was designed as a system application programming environment, within which they created an "applet" sandbox that limits capabilities to a browser-safe subset. You could still have the kinds of memory corruption bugs Flash sometimes has, but most exploits find ways to confuse Java and sneak past those "you are an applet" limits. Once you do that the exploit is 100% reliable because it's not depending on memory corruption, and even cross-platform should the malware authors attach platform-specific payloads.
Also, the more general blocks can only be made once we have done some further improvements to the click-to-play UI, which are in the works and currently planned for Firefox 22, AFAIK.
So all and all, "FF 19.0 and Java 7/U15 plugin block is valid"?
(In reply to Bill Martin from comment #61)
> So all and all, "FF 19.0 and Java 7/U15 plugin block is valid"?

Yes, all current versions of Java, including Java 7 U15 are click-to-play blocked in Firefox 17 and above.
My apologies for being a "cop" but this bug report is not the appropriate platform to have this discussion. If you are having problems related to plugin blocklisting please use support.mozilla.org. If you disagree or have feedback to share with regard to our current blocklisting policy please start a thread in the dev-security mailing list.

Thank you.
(In reply to Frederik Braun [:freddyb] from comment #56)
> It *is* being exploited. See
> http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
> for example.
This vulnerability is fixed in Java SE7 U17 and SE6 U43.
I need my java script to be enabled I use it to play my pogo games
(In reply to almck55 from comment #65)
> I need my java script to be enabled I use it to play my pogo games
JavaScript and Java are two unrelated things.
The latest Java version is not CTP-blocked so please update: http://java.com
Question on the Java CTP block, especially about the Java 7 U5 block on Windows: It is intentional that (at least) this plugin was blocked as PluginVulnerableNoUpdate (that's the Firefox UI string, means no update link appears in the click-to-play UI itself). Or should it rather be blocked as PluginVulnerableUpdatable (as there is an update available for Java 7)? If yes, then I'll file a new bug on this.
https://wiki.mozilla.org/Blocklisting/PluginBlocks
In Firefox 1-17, Java 7 U5 - Java 7 U6 is softblocked.
In Firefox 17-*, Java 7 U0 - Java 7 U11 is click to play blocked
So, what Firefox are you using ?
Current FF nightly, but that table/wiki page does not help in this case. Both PluginVulnerableNoUpdate and PluginVulnerableUpdatable are CTP blocks, they just display different CTP UI in FF.
Product: addons.mozilla.org → Toolkit