Closed Bug 833364 Opened 11 years ago Closed 11 years ago

Mozilla blocklisting policy ignored when blocking java 6u38

Categories: Firefox :: Security, defect
Platform: x86 Windows XP
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 829111

People: Reporter: bns_robson, Unassigned

Details

I use Java version 6u38 and have just updated from Firefox 10.0.12esr to 17.0.2esr.

I went to the "Add-ons Manager" and saw that it states:
"Java(TM) Platform SE 6 U38 is known to cause security or stability issues."

I am unaware of any reported security issues for 6u38 (although I am aware
that security issues have been reported for 7u11).

I have found the Mozilla security blog and, in the comments, when "skeptic"
asks about blocking of 6u38, "mcoates" indicates that Mozilla know of no
reported security issues with 6u38 (the post reads "We are being extra cautious to ensure all users are protected in the event the scope of the vulnerability is larger than the initial reports have indicated. We are erring on the side of caution.").
See https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/

I also found Mozilla's blocklisting policy. Blocklisting reasons include
"Critical security vulnerabilities". However the policy also states "Blocking
third-party software is a sensitive issue that must be carefully considered
in every case. We must be certain that the issue at hand is so great that it
outweighs the user's choice to install the software, the utility it provides,
and the vendor's freedom to distribute and control their software."
See https://wiki.mozilla.org/Blocklisting

As Mozilla are not certain 6u38 has a security issue, blocking it is against
Mozilla's blocklisting policy.

I also think blocking 6u38 without there being a known security issue is a
BAD idea. Having researched the reason for blocking 6u38, I've added a
permanent exception for 6u38 and I expect other people have or will do
the same. This means that if a security issue is later actually found in
6u38, Mozilla can't warn us by adding a block when the security issue is found.
See Aesop's Fable "The Boy Who Cried Wolf" http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf

We have taken the action to block all Java versions behind the click-to-play protections built into Firefox per bug 829111. Per https://bugzilla.mozilla.org/show_bug.cgi?id=829111#c29, we are being extra cautious here, as information is still developing. If you have further questions or concerns, please comment in bug 829111 so as to keep all information in one central bug.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE