Closed
Bug 843373
Opened 11 years ago
Closed 11 years ago
Please Enable CTP for all released versions of Java
Categories: Toolkit :: Blocklist Policy Requests, defect
Status: VERIFIED FIXED
People: Reporter: ygjb, Unassigned
Whiteboard: [plugin]
Attachments: 1 obsolete file
+++ This bug was initially created as a clone of Bug #803152 +++
<mcoates> can someone file a bug to extend CTP for all versions of Java again. Please mention in the bug that manual blocking by version is an intermediate process until the remaining changes for CTP are implemented (per blog post)
Updated•11 years ago
Summary: Please CTP block all versions of Java → Please Enable CTP for all versions of Java
Assigning myself as QA Contact. I'll coordinate testing once staged.
QA Contact: anthony.s.hughes
Comment 2•11 years ago
Background:
1) Active zero day exploits against Java:
http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/
http://thenextweb.com/apple/2013/02/19/facebook-apple-employees-visited-iphonedevsdk-where-their-computers-were-compromised-by-java-exploit/
2) Apple is removing Java plugin by default from Safari.
http://support.apple.com/kb/HT5651
We've previously applied CTP for the Java plugin, up to and including the current version. Per our blog post we plan to soon CTP all versions of Java. During this interim there is a small window where new versions of Java will only have CTP if we specifically enable it. Based upon items 1 and 2 above we should continue applying CTP to Java at this time.
Comment 3•11 years ago
(In reply to Michael Coates [:mcoates] from comment #2)
> We've previously applied CTP for the Java plugin, up to and including the current version. Per our blog post we plan to soon CTP all versions of Java. During this interim there is a small window where new versions of Java will only have CTP if we specifically enable it. Based upon items 1 and 2 above we should continue applying CTP to Java at this time.
Sounds good to me. Sounds like we'll file a separate bug for when we want to block Java versions *.*.
Summary: Please Enable CTP for all versions of Java → Please Enable CTP for all released versions of Java
Comment 4•11 years ago
Why wouldn't we change the blocklist to *.* now rather than this per-version updating? It seems more likely that we'll keep blocking until something changes than that we'll want to keep evaluating each version as it comes out.
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Why wouldn't we change the blocklist to *.* now rather than this per-version updating? It seems more likely that we'll keep blocking until something changes than that we'll want to keep evaluating each version as it comes out.
I endorse this approach if it is possible. It seems to be costing a lot more resources to constantly do these blocks than it would if we blocked everything and unblocked known good versions.
Comment 6•11 years ago
It's definitely possible, and it would save us lots of time in the long run.
Comment 7•11 years ago
We decided a couple releases ago only to deploy the java blocks when a vulnerability was credible, and wait for the better UI to turn CtP on by default. But showing users the scary "your plugin is insecure" UI without actually being able to point to a vulnerability is IMO not a good choice. If we believe that Java is so far gone that it cannot be secure, we should go ahead and say that publicly and block all versions with a pointer to our statement.
Comment 8•11 years ago
The blocks for all current versions (not *.*) are now staged:
https://addons-dev.allizom.org/en-US/firefox/blocked/p283
https://addons-dev.allizom.org/en-US/firefox/blocked/p285
https://addons-dev.allizom.org/en-US/firefox/blocked/p287
https://addons-dev.allizom.org/en-US/firefox/blocked/p289
https://addons-dev.allizom.org/en-US/firefox/blocked/p291
https://addons-dev.allizom.org/en-US/firefox/blocked/p293
Keywords: qawanted
(In reply to Jorge Villalobos [:jorgev] from comment #8)
> The blocks for all current versions (not *.*) are now staged:
>
> https://addons-dev.allizom.org/en-US/firefox/blocked/p283
> https://addons-dev.allizom.org/en-US/firefox/blocked/p285
> https://addons-dev.allizom.org/en-US/firefox/blocked/p287
> https://addons-dev.allizom.org/en-US/firefox/blocked/p289
> https://addons-dev.allizom.org/en-US/firefox/blocked/p291
> https://addons-dev.allizom.org/en-US/firefox/blocked/p293
Which versions do these specifically correspond to? Aside, can we get this information up front in the future?
Comment 10•11 years ago
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #9)
> Which versions do these specifically correspond to?
The title in the block pages should be self-explanatory.
> Aside, can we get this information up front in the future?
Sure.
> https://addons-dev.allizom.org/en-US/firefox/blocked/p283
Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X
> https://addons-dev.allizom.org/en-US/firefox/blocked/p285
Java Plugin 7 update 12 to 15 (click-to-play), Windows
> https://addons-dev.allizom.org/en-US/firefox/blocked/p287
Java Plugin 7 update 12 to 15 (click-to-play), Linux
> https://addons-dev.allizom.org/en-US/firefox/blocked/p289
Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X
> https://addons-dev.allizom.org/en-US/firefox/blocked/p291
Java Plugin 6 updates 39 to 41 (click-to-play), Windows
> https://addons-dev.allizom.org/en-US/firefox/blocked/p293
Java Plugin 6 updates 39 to 41 (click-to-play), Linux
Comment 11•11 years ago
Sorry for the delay but just for clarification which Firefox versions should these apply to?
Comment 12•11 years ago
17 and above.
Comment 13•11 years ago
Due to issues related to Aurora l10n, I will not be able to test this until Monday at the earliest. Setting QA Contact to Paul. Paul, can you test these staged CTP blocks overnight Sunday? Thanks.
QA Contact: anthony.s.hughes → paul.silaghi
Comment 14•11 years ago
Verified CTP blocked on staging: j6u39, j6u41, j7u13, j7u15 on FF 17.0.1, 18.0.2, 19, 20b1, 21.0a2 (2013-02-24), 22.0a1 (2013-02-24) on Win 7 and Ubuntu 12.04.
On Mac OS X 10.8.2 j7u13, j7u15 are NOT blocked.
Wasn't able to test with Java 6, didn't find the installation kit.
Comment 15•11 years ago
Also, are you aware of the Java 7 default notifications?
http://img705.imageshack.us/img705/6550/javanotifications.png
first one - with j7u13
second one - j7u15 (latest)
Comment 16•11 years ago
Based on Paul's results...
The following blocks appear to be working as expected:
> Java Plugin 7 update 12 to 15 (click-to-play), Windows
> Java Plugin 7 update 12 to 15 (click-to-play), Linux
> Java Plugin 6 updates 39 to 41 (click-to-play), Windows
> Java Plugin 6 updates 39 to 41 (click-to-play), Linux
The following are not testable:
> Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X
The following appear to be broken:
> Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X
I'll have to double check Java 7u{12-15} on Mac before signing off for push to production.
Comment 17•11 years ago
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #16)
> The following appear to be broken:
> > Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X
>
> I'll have to double check Java 7u{12-15} on Mac before signing off for push to production.
I confirm this block is not working as expected.
> Already installed Java 7u13
1. Start Firefox with a new profile
2. Change addons.mozilla.org to addons-dev.allizom.org in extensions.blocklist.url
3. Change extensions.blocklist.interval to 10
4. Restart Firefox
5. Force a blocklist ping by evaluating the following code in Error Console
> Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);
6. Load some of the Java demos from here
> http://neuron.eng.wayne.edu/software.html
Result: A Java window appears asking for my permission to execute the app. Checking "I accept..." and clicking "Run" loads the app.
Given these results my recommendation would be to push the remaining blocks live and figure out what's going on here in a follow-up bug.
Comment 18•11 years ago
The problem is server-side. I noticed this when staging the blocks, but I thought it was a temporary caching problem. If you go to the staging blocklist page (https://addons-dev.allizom.org/en-US/firefox/blocked/), the Mac OS block (283) is not listed, and the Windows block (285) is listed twice. The same is happening in the downloaded blocklist.xml. I'll file a bug on this, and create a new Mac OS block so we can test it.
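A consistency check for a staged blocklist, in the spirit of the test procedure in comment 17 and the listing fault described in comment 18, added here as an example and not Mozilla's code. It parses a constructed blocklist.xml modelled on the legacy plugin-block format, reports block IDs that are missing or listed twice, and decides which click-to-play state Firefox 17 and above would give a Java plugin; the match regexes are illustrative, the Linux item's vulnerabilitystatus="2" is assumed only to show the PluginVulnerableNoUpdate case, and the version comparison is a simplification of Mozilla's comparator.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"bl": "http://www.mozilla.org/2006/addons-blocklist"}
FIREFOX_APP_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"  # Firefox's application id

# Constructed sample reproducing comment 18: the Windows block p285 is listed
# twice and the Mac OS X block p283 is absent. The regexes are illustrative and
# the Linux item is given vulnerabilitystatus="2" only to show the other state.
_WIN_ITEM = r"""<pluginItem blockID="p285">
  <match name="name" exp="Java\(TM\) Platform SE 7 U1[2-5](\s[^\d._U]|$)"/>
  <match name="filename" exp="npjp2\.dll"/>
  <versionRange severity="0" vulnerabilitystatus="1">
    <targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
      <versionRange minVersion="17.0" maxVersion="*"/></targetApplication>
  </versionRange></pluginItem>
"""
_LINUX_ITEM = r"""<pluginItem blockID="p287">
  <match name="name" exp="Java\(TM\) Plug-in 1\.7\.0_1[2-5]"/>
  <match name="filename" exp="libnpjp2\.so"/>
  <versionRange severity="0" vulnerabilitystatus="2">
    <targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
      <versionRange minVersion="17.0" maxVersion="*"/></targetApplication>
  </versionRange></pluginItem>
"""
SAMPLE_BLOCKLIST = ('<blocklist xmlns="%s"><pluginItems>\n' % NS["bl"]
                    + _WIN_ITEM + _WIN_ITEM + _LINUX_ITEM + "</pluginItems></blocklist>")


def _version_tuple(v):
    """Leading digits per dot component ("21.0a2" -> (21, 0)); None or "*" is unbounded.
    A simplification of Mozilla's version comparator, enough for Firefox release numbers."""
    if v is None or v == "*":
        return None
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in v.split("."))

def _in_range(version, lo, hi):
    ver, lo_t, hi_t = _version_tuple(version), _version_tuple(lo), _version_tuple(hi)
    return (lo_t is None or ver >= lo_t) and (hi_t is None or ver <= hi_t)

def parse_plugin_items(xml_text):
    """One record per <pluginItem>/<versionRange>: block ID, the regex every named
    plugin field must satisfy, severity, vulnerabilitystatus and Firefox version ranges."""
    items = []
    for node in ET.fromstring(xml_text).iterfind("bl:pluginItems/bl:pluginItem", NS):
        matches = [(m.get("name"), m.get("exp")) for m in node.iterfind("bl:match", NS)]
        for vr in node.iterfind("bl:versionRange", NS):
            ranges = [(r.get("minVersion"), r.get("maxVersion"))
                      for app in vr.iterfind("bl:targetApplication", NS)
                      if app.get("id") == FIREFOX_APP_ID
                      for r in app.iterfind("bl:versionRange", NS)]
            items.append({"blockID": node.get("blockID"), "matches": matches,
                          "severity": int(vr.get("severity", "3")),  # absent = hard block
                          "vulnerabilitystatus": vr.get("vulnerabilitystatus"),
                          "firefox_ranges": ranges or [(None, None)]})
    return items

def listing_anomalies(items, expected_ids):
    """Block IDs expected on the staging list but absent, and IDs listed more than once."""
    counts = Counter(item["blockID"] for item in items)
    missing = set(expected_ids) - set(counts)
    duplicated = {bid for bid, n in counts.items() if n > 1}
    return missing, duplicated

def ctp_state(items, plugin, firefox_version):
    """How Firefox would treat `plugin` (dict of name/filename/description): the first
    item whose every <match> hits and whose Firefox range covers the version decides."""
    for item in items:
        if not all(re.search(exp, plugin.get(field, "")) for field, exp in item["matches"]):
            continue
        if not any(_in_range(firefox_version, lo, hi) for lo, hi in item["firefox_ranges"]):
            continue
        if item["severity"] == 0 and item["vulnerabilitystatus"] == "1":
            return "PluginVulnerableUpdatable"   # click-to-play, update link shown
        if item["severity"] == 0 and item["vulnerabilitystatus"] == "2":
            return "PluginVulnerableNoUpdate"    # click-to-play, no update link
        return "Soft-blocked" if item["severity"] == 0 else "Hard-blocked"
    return "Not blocked"

if __name__ == "__main__":
    items = parse_plugin_items(SAMPLE_BLOCKLIST)
    print("missing / duplicated:", listing_anomalies(items, {"p283", "p285", "p287"}))
    win = {"name": "Java(TM) Platform SE 7 U15", "filename": "npjp2.dll"}
    print("Java 7u15 on Firefox 19:", ctp_state(items, win, "19.0"))
```

Run against a real downloaded blocklist.xml, the same checks flag a block that the staging page shows twice or not at all before anyone spends a test cycle on it.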
Comment 19•11 years ago
The new block is now staged. Please give it an hour or so before testing.
Comment 20•11 years ago
All blocks are now working as expected on staging. Feel free to push live at your earliest convenience.
Comment 21•11 years ago
Done.
https://addons.mozilla.org/en-US/firefox/blocked/p292
Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p294
Java Plugin 7 update 12 to 15 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p296
Java Plugin 7 update 12 to 15 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p298
Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p300
Java Plugin 6 updates 39 to 41 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p302
Java Plugin 6 updates 39 to 41 (click-to-play), Linux
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 22•11 years ago
I've confirmed these blocks are working as expected in production.
Status: RESOLVED → VERIFIED
Keywords: qawanted
Comment 23•11 years ago
Why is my Java (TM)Platform SE 7 U15 being blocked? I need Java to print out coupons and it can't when it's being blocked. Please help me fix this problem! Thanks
Comment 24•11 years ago
(In reply to melliethek from comment #23)
> Please help me fix this problem!
See https://support.mozilla.org/kb/how-to-use-java-if-its-been-blocked
Comment 26•11 years ago
tibor, read comment 24 and see also https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Comment 27•11 years ago
(In reply to tibor from comment #25) Tibor - your comment has been removed. Please read https://bugzilla.mozilla.org/page.cgi?id=etiquette.html before posting again. The response provided in comment 24 will address your concerns.
Comment 28•11 years ago
My Java doesn't work :(( ... please help me step by step ( http://img687.imageshack.us/img687/9450/95951630.png )
Comment 29•11 years ago
What do you mean by "don't work" ? You just have to click on the plugin screen and the java content should be displayed. That message in Addons Manager only warns you to use with caution, java is very vulnerable lately.
Comment 30•11 years ago
(In reply to Paul Silaghi [QA] from comment #29)
> What do you mean by "don't work" ?
> You just have to click on the plugin screen and the java content should be displayed. That message in Addons Manager only warns you to use with caution, java is very vulnerable lately.
Please, can't you show me in pictures?? I don't speak very good English.
Comment 31•11 years ago
btw Paul, are you Romanian? If you are, please send a mail to J_Kwon_Ro@Yahoo.Com to help me solve this problem. Thanks.
Comment 32•11 years ago
BoGdaN, see https://support.mozilla.org/kb/how-to-use-java-if-its-been-blocked
Comment 33•11 years ago
Problem solved in private. It wasn't a CTP bug, not even a Firefox one.
Comment 34•11 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #21)
> Done.
>
> https://addons.mozilla.org/en-US/firefox/blocked/p292
> Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X
>
> https://addons.mozilla.org/en-US/firefox/blocked/p294
> Java Plugin 7 update 12 to 15 (click-to-play), Windows
>
> https://addons.mozilla.org/en-US/firefox/blocked/p296
> Java Plugin 7 update 12 to 15 (click-to-play), Linux
>
> https://addons.mozilla.org/en-US/firefox/blocked/p298
> Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X
>
> https://addons.mozilla.org/en-US/firefox/blocked/p300
> Java Plugin 6 updates 39 to 41 (click-to-play), Windows
>
> https://addons.mozilla.org/en-US/firefox/blocked/p302
> Java Plugin 6 updates 39 to 41 (click-to-play), Linux
Comment 35•11 years ago
Updated•11 years ago
Attachment #718964 - Attachment is obsolete: true
Attachment #718964 - Attachment is patch: false
Comment 36•11 years ago
Would this be a reason for Mozilla Firefox to crash???
Comment 37•11 years ago
I'm not aware of any crash related to Click To Play so far. Please go to about:crashes and post here the link of the crash for investigation.
Comment 38•11 years ago
Here's the whole thing: Submitted Crash Reports
Comment 39•11 years ago
Corey, please file a new bug describing your steps to reproduce and with only the last crash IDs formatted like bp-28a5b291-55ff-400c-a2b4-35cfb2130228.
Comment 40•11 years ago
Submitted Crash Reports
Comment 41•11 years ago
There is something I don't catch here. We were used to quite secure versions of Java, from time to time an issue was discovered and fixed. My Java was obsolete on an old system of mine that I do not use often, my Firefox blocked it so I went to Oracle's site and installed JRE 7. It was JRE 7.10. I restarted Firefox and the Java plugin was OK (no warning of being vulnerable, not blocked). But I still got a warning that my Java was not the latest version (!). Strange, I just installed the latest available runtime (as far as I knew). Anyway I clicked on the update button, it downloaded the whole Java stuff and it was Java 7 Update 15. Ok. Now I restart Firefox, and guess what, "Java 7.15 is known to be vulnerable" (this is the object of this thread).
Thus:
- JRE 7.10 is OK and not blocked BUT not the latest version
- JRE 7.15 is the latest version BUT should be blocked
What I do not understand is, why does the plugin system advise people to upgrade from 7.10 to 7.15 if it breaks the security ?
Comment 42•11 years ago
j7u10 is properly blocked, just tested on FF 19. You would have probably seen the blocking notification if you had waited a little longer. The block is not happening instantly.
Comment 43•11 years ago
My experience is the exact same as Michael Smith's in comment number 41. I'll ask the same question that he does "why does the plugin system advise people to upgrade from 7.10 to 7.15 if it breaks the security ?"
Comment 44•11 years ago
Java SE7 U15 has fewer vulnerabilities than SE7 U10, so it makes sense to advise upgrading.
Comment 45•11 years ago
@ Michael Smith, mine gives me one of those messages as well, so, not knowing and seeing that amongst all these crashes, I disabled it myself. Mine was version Platform SE 7 U15; well, now that I look it does say something about a new version 10.15.2. Maybe that'll do the trick....
Comment 46•11 years ago
Also, I wanna add, I keep getting a grey box that keeps coming up about Shockwave being unresponsive
Comment 47•11 years ago
Corey, for each issue, file a new bug.
Comment 48•11 years ago
For the most part it's working fairly decent today so far, don't wanna jinx things though, but yeah, there's been a few times of that Shockwave message, and several times I would get Script Errors not related to Shockwave (I guess), BUT I am running all my computer scans right now also, don't know if it's helping or if it really doesn't matter about it, I just checked my plugins and they finally say they are up to date now, so maybe....
Comment 49•11 years ago
So I wonder, when do you guys start blocking the Flash and Adobe Reader plugins automatically? I don't understand why Java should be handled differently than e.g. Flash, which receives emergency updates all the time, too.
Comment 50•11 years ago
(In reply to Clemens Eisserer from comment #49)
> So I wonder, when do you guys start blocking the Flash and Adobe Reader plugins automatically?
Those are also blocked, but only some older versions.
https://wiki.mozilla.org/Blocklisting/PluginBlocks
> I don't understand why Java should be handled differently than e.g. Flash, which receives emergency updates all the time, too.
Because even the latest version of Java proved to be vulnerable. You can find more articles about Java vulnerabilities on Google.
Comment 51•11 years ago
(In reply to Clemens Eisserer from comment #49)
> I don't understand why Java should be handled differently than e.g. Flash, which receives emergency updates all the time, too.
First because there are no Flash vulnerabilities known to be exploited in the wild. Then because Flash blocking will be considered as a war declaration for websites that live with ads. An experiment of ad blocking by a French provider (intending to get paid by Google for huge pipes required by YouTube) was received like that.
Comment 52•11 years ago
> First because there are no Flash vulnerabilities known to be exploited in the wild.
The new vulnerability found in u15 isn't exploited. A company reported it to Oracle, the same happens at Adobe frequently, too.
> Then because Flash blocking will be considered as a war declaration for websites that live with ads.
So Flash isn't blocked because it is used for ads. The few Java applets left that actually do useful stuff are.
Anyway, who am I to complain.
Comment 54•11 years ago
We are working on rolling out Flash blocks. We currently block Flash 10.2 and lower on release, and old versions of 10.3 on Beta. Flash is more tricky because there are more users / websites which is why we are slowly rolling the blocks out. Eventually the blocks will grow to more and more versions of Flash.
Comment 55•11 years ago
Regardless, this is a bug on Java blocks, so please keep the discussion to rolling out Java Blocks. If you have support issues around the blocks, please go to support.mozilla.org. (sorry for bug spam)
Comment 56•11 years ago
(In reply to Clemens Eisserer from comment #52)
> > First because there are no Flash vulnerabilities known to be exploited in the wild.
>
> The new vulnerability found in u15 isn't exploited. A company reported it to Oracle, the same happens at Adobe frequently, too.
It *is* being exploited. See http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html for example.
> > Then because Flash blocking will be considered as a war declaration for websites that live with ads.
>
> So Flash isn't blocked because it is used for ads. The few Java applets left that actually do useful stuff are.
>
> Anyway, who am I to complain.
Current statistics on this web page indicate that Java is very seldom used on the web (about 0.2%), whereas Flash is more widely used (mostly for videos, e.g. YouTube). See http://w3techs.com/technologies/overview/client_side_language/all
Comment 57•11 years ago
(In reply to Clemens Eisserer from comment #52)
> The new vulnerability found in u15 isn't exploited. A company reported it to Oracle, the same happens at Adobe frequently, too.
Untrue, FireEye reported one in the wild yesterday: http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
Comment 58•11 years ago
... to which Oracle assigned a unique CVE number, meaning it's a different one than the one previously reported privately to Oracle.
Comment 59•11 years ago
There _is_ a major difference between Flash and Java: Flash was designed to be a browser plugin. If it has bugs you could compromise it and do bad stuff inside the process. In doing so you have to work around the Flash process sandbox as well as all the OS/Compiler memory protections (DEP/ASLR) designed to make such compromises hard. Java was designed as a system application programming environment, within which they created an "applet" sandbox that limits capabilities to a browser-safe subset. You could still have the kinds of memory corruption bugs Flash sometimes has, but most exploits find ways to confuse Java and sneak past those "you are an applet" limits. Once you do that the exploit is 100% reliable because it's not depending on memory corruption, and even cross-platform should the malware authors attach platform-specific payloads.
Comment 60•11 years ago
Also, the more general blocks can only be made once we have done some further improvements to the click-to-play UI, which are in the works and currently planned for Firefox 22, AFAIK.
Comment 61•11 years ago
So all and all, "FF 19.0 and Java 7/U15 plugin block is valid"?
Comment 62•11 years ago
(In reply to Bill Martin from comment #61)
> So all and all, "FF 19.0 and Java 7/U15 plugin block is valid"?
Yes, all current versions of Java, including Java 7 U15, are click-to-play blocked in Firefox 17 and above.
Comment 63•11 years ago
My apologies for being a "cop" but this bug report is not the appropriate platform to have this discussion. If you are having problems related to plugin blocklisting please use support.mozilla.org. If you disagree or have feedback to share with regard to our current blocklisting policy please start a thread in the dev-security mailing list. Thank you.
Comment 64•11 years ago
(In reply to Frederik Braun [:freddyb] from comment #56)
> It *is* being exploited. See http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html for example.
This vulnerability is fixed in Java SE7 U17 and SE6 U43.
Comment 65•11 years ago
I need my java script to be enabled; I use it to play my pogo games
Comment 66•11 years ago
(In reply to almck55 from comment #65)
> I need my java script to be enabled; I use it to play my pogo games
JavaScript and Java are two unrelated things. The latest Java version is not CTP-blocked so please update: http://java.com
Comment 67•11 years ago
Question on the Java CTP block, especially about the Java 7 U5 block on Windows: Is it intentional that (at least) this plugin was blocked as PluginVulnerableNoUpdate (that's the Firefox UI string, meaning no update link appears in the click-to-play UI itself)? Or should it rather be blocked as PluginVulnerableUpdatable (as there is an update available for Java 7)? If yes, then I'll file a new bug on this.
Comment 68•11 years ago
https://wiki.mozilla.org/Blocklisting/PluginBlocks
In Firefox 1-17, Java 7 U5 - Java 7 U6 is softblocked.
In Firefox 17-*, Java 7 U0 - Java 7 U11 is click to play blocked.
So, what Firefox are you using ?
Comment 69•11 years ago
Current FF nightly, but that table/wiki page does not help in this case. Both PluginVulnerableNoUpdate and PluginVulnerableUpdatable are CTP blocks, they just display different CTP UI in FF.
Updated•8 years ago
Product: addons.mozilla.org → Toolkit