Bug 843373 - Please Enable CTP for all released versions of Java
Status: VERIFIED FIXED
[plugin]
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Nobody; OK to take it and work on it
QA Contact: Paul Silaghi, QA [:pauly]
: Jorge Villalobos [:jorgev]
https://wiki.mozilla.org/Blocklisting...
Duplicates: 846761
Depends on: 846366
Reported: 2013-02-20 15:12 PST by Yvan Boily [:ygjb][:yvan]
Modified: 2016-03-07 15:30 PST


Attachments
Enable CTP for all released versions of Java (895.90 KB, text/plain)
2013-02-27 05:57 PST, saeed

Description Yvan Boily [:ygjb][:yvan] 2013-02-20 15:12:33 PST
+++ This bug was initially created as a clone of Bug #803152 +++
<mcoates> can someone file a bug to extend CTP for all versions of Java again. Please mention in the bug that manual blocking by version is an intermediate process until the remaining changes for CTP are implemented (per blog post)
Comment 1 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-02-20 15:57:58 PST
Assigning myself as QA Contact. I'll coordinate testing once staged.
Comment 2 Michael Coates [:mcoates] (acct no longer active) 2013-02-21 10:24:09 PST
Background:

1) Active zero day exploits against Java:
http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/
http://thenextweb.com/apple/2013/02/19/facebook-apple-employees-visited-iphonedevsdk-where-their-computers-were-compromised-by-java-exploit/

2) Apple is removing Java plugin by default from Safari. 
http://support.apple.com/kb/HT5651


We've previously applied CTP for the Java plugin, up to and including, the current version. Per our blog post plan to soon CTP all versions of Java. During this interim there is a small window where new versions of Java will only have CTP if we specifically enable it. Based upon items 1 and 2 above we should continue applying CTP to Java at this time.
Comment 3 Alex Keybl [:akeybl] 2013-02-21 12:30:16 PST
(In reply to Michael Coates [:mcoates] from comment #2)
> We've previously applied CTP for the Java plugin, up to and including, the
> current version. Per our blog post plan to soon CTP all versions of Java.
> During this interim there is a small window where new versions of Java will
> only have CTP if we specifically enable it. Based upon items 1 and 2 above
> we should continue applying CTP to Java at this time.

Sounds good to me. Sounds like we'll file a separate bug for when we want to block Java versions *.*.
Comment 4 Daniel Veditz [:dveditz] 2013-02-21 14:11:30 PST
Why wouldn't we change the blocklist to *.* now rather than this per-version updating? It seems more likely that we'll keep blocking until something changes than that we'll want to keep evaluating each version as it comes out.
Comment 5 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-02-21 15:04:32 PST
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Why wouldn't we change the blocklist to *.* now rather than this per-version
> updating? It seems more likely that we'll keep blocking until something
> changes than that we'll want to keep evaluating each version as it comes out.

I endorse this approach if it is possible. It seems to be costing a lot more resources to constantly do these blocks than it would if we blocked everything and unblocked known good versions.
Comment 6 Jorge Villalobos [:jorgev] 2013-02-21 15:09:01 PST
It's definitely possible, and it would save us lots of time in the long run.
Comment 7 Benjamin Smedberg [:bsmedberg] 2013-02-22 06:37:35 PST
We decided a couple releases ago only to deploy the java blocks when a vulnerability was credible, and wait for the better UI to turn CtP on by default. But showing users the scary "your plugin is insecure" UI without actually being able to point to a vulnerability is IMO not a good choice.

If we believe that Java is so far gone that it cannot be secure, we should go ahead and say that publicly and block all versions with a pointer to our statement.
Comment 9 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-02-22 13:17:52 PST
(In reply to Jorge Villalobos [:jorgev] from comment #8)
> The blocks for all current versions (not *.*) are now staged:
> 
> https://addons-dev.allizom.org/en-US/firefox/blocked/p283
> https://addons-dev.allizom.org/en-US/firefox/blocked/p285
> https://addons-dev.allizom.org/en-US/firefox/blocked/p287
> https://addons-dev.allizom.org/en-US/firefox/blocked/p289
> https://addons-dev.allizom.org/en-US/firefox/blocked/p291
> https://addons-dev.allizom.org/en-US/firefox/blocked/p293

Which versions do these specifically correspond to? Aside, can we get this information up front in the future?
Comment 10 Jorge Villalobos [:jorgev] 2013-02-22 13:29:34 PST
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #9)
> Which versions do these specifically correspond to?

The title in the block pages should be self-explanatory.

> Aside, can we get this information up front in the future?

Sure.

> https://addons-dev.allizom.org/en-US/firefox/blocked/p283
Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X

> https://addons-dev.allizom.org/en-US/firefox/blocked/p285
Java Plugin 7 update 12 to 15 (click-to-play), Windows

> https://addons-dev.allizom.org/en-US/firefox/blocked/p287
Java Plugin 7 update 12 to 15 (click-to-play), Linux

> https://addons-dev.allizom.org/en-US/firefox/blocked/p289
Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X

> https://addons-dev.allizom.org/en-US/firefox/blocked/p291
Java Plugin 6 updates 39 to 41 (click-to-play), Windows

> https://addons-dev.allizom.org/en-US/firefox/blocked/p293
Java Plugin 6 updates 39 to 41 (click-to-play), Linux
Comment 11 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-02-22 14:21:30 PST
Sorry for the delay but just for clarification which Firefox versions should these apply to?
Comment 12 Jorge Villalobos [:jorgev] 2013-02-22 14:57:02 PST
17 and above.
Comment 13 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-02-22 16:39:08 PST
Due to issues related to Aurora l10n, I will not be able to test this until Monday at the earliest. Setting QA Contact to Paul.

Paul, can you test these staged CTP blocks overnight Sunday? Thanks.
Comment 14 Paul Silaghi, QA [:pauly] 2013-02-25 08:35:05 PST
Verified CTP blocked on staging:
j6u39, j6u41, j7u13, j7u15 on FF 17.0.1, 18.0.2, 19, 20b1, 21.0a2 (2013-02-24), 22.0a1 (2013-02-24) on Win 7 and Ubuntu 12.04

On Mac OS X 10.8.2 j7u13, j7u15 are NOT blocked. Wasn't able to test with java 6, didn't find the installation kit.
Comment 15 Paul Silaghi, QA [:pauly] 2013-02-25 08:48:01 PST
Also, are you aware of the java 7 default notifications?
http://img705.imageshack.us/img705/6550/javanotifications.png
first one - with j7u13
second one - j7u15 (latest)
Comment 16 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-02-25 09:27:11 PST
Based on Paul's results...

The following blocks appear to be working as expected:
> Java Plugin 7 update 12 to 15 (click-to-play), Windows
> Java Plugin 7 update 12 to 15 (click-to-play), Linux
> Java Plugin 6 updates 39 to 41 (click-to-play), Windows
> Java Plugin 6 updates 39 to 41 (click-to-play), Linux

The following are not testable:
> Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X

The following appear to be broken:
> Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X

I'll have to double check Java 7u{12-15} on Mac before signing off for push to production.
Comment 17 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-02-25 09:39:41 PST
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #16)
> The following appear to be broken:
> > Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X
> 
> I'll have to double check Java 7u{12-15} on Mac before signing off for push
> to production.

I confirm this block is not working as expected.

> Already installed Java 7u13
1. Start Firefox with a new profile
2. Change addons.mozilla.org to addons-dev.allizom.org in extensions.blocklist.url 
3. Change extensions.blocklist.interval to 10
4. Restart Firefox
5. Force a blocklist ping by evaluating the following code in Error Console
>  Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);
6. Load some of the Java demos from here
> http://neuron.eng.wayne.edu/software.html

Result:
A Java window appears asking for my permission to execute the app. Checking "I accept..." and clicking "Run" loads the app. 

Given these results my recommendation would be to push the remaining blocks live and figure out what's going on here in a follow-up bug.
Comment 18 Jorge Villalobos [:jorgev] 2013-02-25 09:55:33 PST
The problem is server-side. I noticed this when staging the blocks, but I thought it was a temporary caching problem. If you go to the staging blocklist page (https://addons-dev.allizom.org/en-US/firefox/blocked/), the Mac OS block (283) is not listed, and the Windows block (285) is listed twice. The same is happening in the downloaded blocklist.xml.

I'll file a bug on this, and create a new Mac OS block so we can test it.
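
Added example (not part of the original comment and not Mozilla's code): a check a tester could run on a downloaded blocklist.xml to catch the server-side fault described in comment 18, where one staged block is missing and another is listed twice. The namespace, the pluginItem/blockID/os names and the os strings are assumptions modelled on the Firefox blocklist format, and the XML sample is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace and element/attribute names are assumptions modelled on the
# Firefox blocklist.xml layout; adjust them to the file you actually download.
NS = {"b": "http://www.mozilla.org/2006/addons-blocklist"}

# Staged block IDs and platforms as listed in comment 10. The os strings
# (Darwin/WINNT/Linux) are assumed values for the os attribute.
EXPECTED_BLOCKS = {
    "p283": "Darwin", "p285": "WINNT", "p287": "Linux",  # Java 7 update 12 to 15
    "p289": "Darwin", "p291": "WINNT", "p293": "Linux",  # Java 6 updates 39 to 41
}

# Constructed sample reproducing the state described in comment 18:
# the Mac OS block (p283) is absent and the Windows block (p285) appears twice.
SAMPLE_BLOCKLIST = """
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <pluginItems>
    <pluginItem blockID="p285" os="WINNT"><versionRange severity="0"/></pluginItem>
    <pluginItem blockID="p285" os="WINNT"><versionRange severity="0"/></pluginItem>
    <pluginItem blockID="p287" os="Linux"><versionRange severity="0"/></pluginItem>
    <pluginItem blockID="p289" os="Darwin"><versionRange severity="0"/></pluginItem>
    <pluginItem blockID="p291" os="WINNT"><versionRange severity="0"/></pluginItem>
    <pluginItem blockID="p293" os="Linux"><versionRange severity="0"/></pluginItem>
  </pluginItems>
</blocklist>
"""


def audit_blocklist(xml_text, expected):
    """Compare the plugin blocks in a blocklist document with the expected set.

    Returns a dict with:
      missing     - expected blockID -> os for blocks not present at all
      duplicated  - blockID -> count for any block listed more than once
      os_mismatch - blockID -> sorted os values found, where they differ
                    from the expected platform
      ok          - True only if all three of the above are empty
    """
    root = ET.fromstring(xml_text.strip())
    items = root.findall("./b:pluginItems/b:pluginItem", NS)

    counts = Counter()
    os_seen = {}
    for item in items:
        # Entries without a blockID are grouped under a visible marker
        # instead of being silently dropped.
        block_id = item.get("blockID") or "<no blockID>"
        counts[block_id] += 1
        os_seen.setdefault(block_id, set()).add(item.get("os") or "<any>")

    missing = {b: os_name for b, os_name in expected.items() if counts[b] == 0}
    duplicated = {b: n for b, n in counts.items() if n > 1}
    os_mismatch = {
        b: sorted(os_seen[b])
        for b, os_name in expected.items()
        if counts[b] > 0 and os_seen[b] != {os_name}
    }
    return {
        "missing": missing,
        "duplicated": duplicated,
        "os_mismatch": os_mismatch,
        "ok": not (missing or duplicated or os_mismatch),
    }


if __name__ == "__main__":
    report = audit_blocklist(SAMPLE_BLOCKLIST, EXPECTED_BLOCKS)
    for key in ("missing", "duplicated", "os_mismatch", "ok"):
        print(f"{key}: {report[key]}")
```

Running this against the staging blocklist before client-side testing separates a block that was never served from a block that is served but not honoured by the browser.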
Comment 19 Jorge Villalobos [:jorgev] 2013-02-25 09:59:38 PST
The new block is now staged. Please give it an hour or so before testing.
Comment 20 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-02-25 12:25:50 PST
All blocks are now working as expected on staging. Feel free to push live at your earliest convenience.
Comment 21 Jorge Villalobos [:jorgev] 2013-02-25 12:46:01 PST
Done.

https://addons.mozilla.org/en-US/firefox/blocked/p292
Java Plugin 7 update 12 to 15 (click-to-play), Mac OS X

https://addons.mozilla.org/en-US/firefox/blocked/p294
Java Plugin 7 update 12 to 15 (click-to-play), Windows

https://addons.mozilla.org/en-US/firefox/blocked/p296
Java Plugin 7 update 12 to 15 (click-to-play), Linux

https://addons.mozilla.org/en-US/firefox/blocked/p298
Java Plugin 6 updates 39 to 41 (click-to-play), Mac OS X

https://addons.mozilla.org/en-US/firefox/blocked/p300
Java Plugin 6 updates 39 to 41 (click-to-play), Windows

https://addons.mozilla.org/en-US/firefox/blocked/p302
Java Plugin 6 updates 39 to 41 (click-to-play), Linux
Comment 22 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-02-25 14:06:55 PST
I've confirmed these blocks are working as expected in production.
Comment 23 melliethek 2013-02-26 00:08:20 PST
Why is my Java (TM)Platform SE 7 U15 being blocked? I need Java to print out coupons and it can't when it's being blocked. Please help me fix this problem! Thanks
Comment 24 Scoobidiver (away) 2013-02-26 00:47:06 PST
(In reply to melliethek from comment #23)
> Please help me fix this problem!
See https://support.mozilla.org/kb/how-to-use-java-if-its-been-blocked
Comment 26 Scoobidiver (away) 2013-02-26 09:57:36 PST
tibor, read comment 24 and see also https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Comment 27 Michael Coates [:mcoates] (acct no longer active) 2013-02-26 10:48:59 PST
(In reply to tibor from comment #25)
Tibor - your comment has been removed. Please read https://bugzilla.mozilla.org/page.cgi?id=etiquette.html before posting again.

The response provided in comment 24 will address your concerns.
Comment 28 BoGdaN 2013-02-27 00:55:49 PST
My Java doesn't work :(( ... please help me step by step ( http://img687.imageshack.us/img687/9450/95951630.png )
Comment 29 Paul Silaghi, QA [:pauly] 2013-02-27 01:03:22 PST
What do you mean by "don't work" ?
You just have to click on the plugin screen and the java content should be displayed. That message in Addons Manager only warns you to use with caution, java is very vulnerable lately.
Comment 30 BoGdaN 2013-02-27 01:18:50 PST
(In reply to Paul Silaghi [QA] from comment #29)
> What do you mean by "don't work" ?
> You just have to click on the plugin screen and the java content should be
> displayed. That message in Addons Manager only warns you to use with
> caution, java is very vulnerable lately.

pls can you show me in pictures?? I don't speak very good English
Comment 31 BoGdaN 2013-02-27 01:21:09 PST
btw Paul, are you Romanian? If you are, pls send a mail to J_Kwon_Ro@Yahoo.Com to help me solve this problem. Thanks
Comment 32 Scoobidiver (away) 2013-02-27 01:26:54 PST
BoGdaN, see https://support.mozilla.org/kb/how-to-use-java-if-its-been-blocked
Comment 33 Paul Silaghi, QA [:pauly] 2013-02-27 02:24:52 PST
Problem solved in private. It wasn't a CTP bug, not even a Firefox one.
Comment 34 saeed 2013-02-27 05:11:22 PST
(In reply to Jorge Villalobos [:jorgev] from comment #21)
Comment 35 saeed 2013-02-27 05:57:35 PST
Created attachment 718964
Enable CTP for all released versions of Java
Comment 36 Corey Guthrie 2013-02-27 20:16:01 PST
Would this be a reason for Mozilla Firefox to crash???
Comment 37 Paul Silaghi, QA [:pauly] 2013-02-27 23:01:31 PST
I'm not aware of any crash related to Click To Play so far. Please go to about:crashes and post here the link of the crash for investigation.
Comment 38 Corey Guthrie 2013-02-27 23:07:54 PST
Here's the whole thing:


Comment 39 Scoobidiver (away) 2013-02-27 23:54:10 PST
Corey, please file a new bug describing your steps to reproduce and with only the last crash IDs formatted like bp-28a5b291-55ff-400c-a2b4-35cfb2130228.
Comment 40 Corey Guthrie 2013-02-28 00:16:32 PST
Submitted Crash Reports

Report ID | Date Submitted
14c88954-aeaf-4dfa-84b7-87097afb8c1b-flash2 | 2/28/2013 1:29 AM
14c88954-aeaf-4dfa-84b7-87097afb8c1b-flash1 | 2/28/2013 1:29 AM
14c88954-aeaf-4dfa-84b7-87097afb8c1b-browser | 2/28/2013 1:29 AM
14c88954-aeaf-4dfa-84b7-87097afb8c1b | 2/28/2013 1:29 AM
bp-2e419da2-2e13-4e30-a514-f0a772130228 | 2/28/2013 1:21 AM
Comment 41 Michael Smith 2013-02-28 00:32:59 PST
There is something I don't catch here.

We were used to quite secure versions of Java, from time to time an issue was discovered and fixed.

My Java was obsolete on an old system of mine that I do not use often, my Firefox blocked it so I went to Oracle's site and installed JRE 7. It was JRE 7.10.

I restarted Firefox and the Java plugin was OK (no warning of being vulnerable, not blocked). But I still got a warning that my Java was not the latest version (!). Strange, I just installed the latest available runtime (as far as I knew).

Anyway I clicked on the update button, it downloaded the whole Java stuff and it was Java 7 Update 15.

Ok.

Now I restart Firefox, and guess what, "Java 7.15 is known to be vulnerable" (this is the object of this thread).

Thus:
- JRE 7.10 is OK and not blocked BUT not the latest version
- JRE 7.15 is the latest version BUT should be blocked

What I do not understand is, why does the plugin system advise people to upgrade from 7.10 to 7.15 if it breaks the security ?
Comment 42 Paul Silaghi, QA [:pauly] 2013-02-28 01:23:39 PST
j7u10 is properly blocked, just tested on FF 19.
You would have probably seen the blocking notification if you had waited a little longer. The block is not happening instantly.
Comment 43 aauummm 2013-02-28 08:10:17 PST
My experience is the exact same as Michael Smith's in comment number 41.  I'll ask the same question that he does "why does the plugin system advise people to upgrade from 7.10 to 7.15 if it breaks the security ?"
Comment 44 Scoobidiver (away) 2013-02-28 08:31:10 PST
Java SE7 U15 has fewer vulnerabilities than SE7 U10 so it makes sense to advise to upgrade.
Comment 45 Corey Guthrie 2013-02-28 09:57:29 PST
@ Michael Smith, mine gives me one of those messages as well, so me not knowing and seeing that amongst all these crashes, disabled it myself mine was version Platform SE 7 U15, well now that I look it does say something about a new version 10.15.2, Maybe that'll do the trick....
Comment 46 Corey Guthrie 2013-02-28 10:19:03 PST
Also, I wanna add, I keep getting a grey box that keeps coming up about Shockwave being unresponsive
Comment 47 Scoobidiver (away) 2013-02-28 12:24:27 PST
Corey, for each issue, file a new bug.
Comment 48 Corey Guthrie 2013-02-28 13:01:07 PST
For the most part it's working fairly decent today so far, don't wanna jinx things though, but yea, there's been a few times of that Shockwave message, and several times I would get Script Errors not related to Shockwave (I guess), BUT I am running all my computer scans right now also, don't know if it's helping or if it really doesn't matter about it, I just checked my plugins and they finally say they are up to date now, so maybe....
Comment 49 Clemens Eisserer 2013-03-01 00:05:52 PST
So I wonder, when do guys start blocking flash and adobe reader plugin automatically?

I don't understand why java should be handled differently than e.g. flash, which receives emergency updates all the time, too.
Comment 50 Paul Silaghi, QA [:pauly] 2013-03-01 00:11:37 PST
(In reply to Clemens Eisserer from comment #49)
> So I wonder, when do guys start blocking flash and adobe reader plugin
> automatically?
Those are also blocked, but only some older versions.
https://wiki.mozilla.org/Blocklisting/PluginBlocks

> I don't understand why java should be handled differently than e.g. flash,
> which receives emergency updates all the time, too.
Because even the latest version of java proved to be vulnerable. You can find more articles about java vulnerabilities on google.
Comment 51 Scoobidiver (away) 2013-03-01 00:17:38 PST
(In reply to Clemens Eisserer from comment #49)
> I don't understand why java should be handled differently than e.g. flash,
> which receives emergency updates all the time, too.
First because there are no Flash vulnerabilities known to be exploited in the wild.
Then because Flash blocking will be considered as a war declaration for websites that live with ads. An experiment of ad blocking by a French provider (intending to get paid by Google for huge pipes required by YouTube) was received like that.
Comment 52 Clemens Eisserer 2013-03-01 00:58:15 PST
> First because there are no Flash vulnerabilities known to be exploited in the wild.

The new vulnerability found in u15 isn't exploited. A company reported it to Oracle, the same happens at Adobe frequently, too.

> Then because Flash blocking will be considered as a war 
> declaration for websites that live with ads.

So flash isn't blocked because it is used for ads. The few java-applets left that actually do useful stuff are.

Anyway, who am I to complain.
Comment 53 Tyler Downer [:Tyler] 2013-03-01 07:21:27 PST
*** Bug 846761 has been marked as a duplicate of this bug. ***
Comment 54 Tyler Downer [:Tyler] 2013-03-01 07:24:25 PST
We are working on rolling out Flash blocks. We currently block Flash 10.2 and lower on release, and old versions of 10.3 on Beta. Flash is more tricky because there are more users / websites which is why we are slowly rolling the blocks out. Eventually the blocks will grow to more and more versions of Flash.
Comment 55 Tyler Downer [:Tyler] 2013-03-01 07:25:39 PST
Regardless, this is a bug on Java blocks, so please keep the discussion to rolling out Java Blocks. If you have support issues around the blocks, please go to support.mozilla.org. (sorry for bug spam)
Comment 56 Frederik Braun [:freddyb] 2013-03-01 07:33:01 PST
(In reply to Clemens Eisserer from comment #52)
> > First because there are no Flash vulnerabilities known to be exploited in the wild.
> 
> The new vulnerability found in u15 isn't exploited. A company reported it to
> Oracle, the same happens at Adobe frequently, too.
It *is* being exploited. See http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html for example.
> 
> > Then because Flash blocking will be considered as a war 
> > declaration for websites that live with ads.
> 
> So flash isn't blocked because it is used for ads. The few java-applets
> left that actually do useful stuff are.
> 
> Anyway, who am I to complain.
Current statistics on this web page indicate that Java is very seldom used on the web (about 0.2%), whereas Flash is more widely used (mostly for videos, e.g. youtube). See http://w3techs.com/technologies/overview/client_side_language/all
Comment 57 Daniel Veditz [:dveditz] 2013-03-01 08:36:44 PST
(In reply to Clemens Eisserer from comment #52)
> The new vulnerability found in u15 isn't exploited. A company reported it to
> Oracle, the same happens at Adobe frequently, too.

Untrue, FireEye reported one in the wild yesterday:

http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
Comment 58 Daniel Veditz [:dveditz] 2013-03-01 08:38:02 PST
... to which Oracle assigned a unique CVE number, meaning it's a different one than the one previously reported privately to Oracle.
Comment 59 Daniel Veditz [:dveditz] 2013-03-01 08:52:44 PST
There _is_ a major difference between Flash and Java: Flash was designed to be a browser plugin. If it has bugs you could compromise it and do bad stuff inside the process. In doing so you have to work around the Flash process sandbox as well as all the OS/Compiler memory protections (DEP/ASLR) designed to make such compromises hard.

Java was designed as a system application programming environment, within which they created an "applet" sandbox that limits capabilities to a browser-safe subset. You could still have the kinds of memory corruption bugs Flash sometimes has, but most exploits find ways to confuse Java and sneak past those "you are an applet" limits. Once you do that the exploit is 100% reliable because it's not depending on memory corruption, and even cross-platform should the malware authors attach platform-specific payloads.
Comment 60 Robert Kaiser 2013-03-01 09:00:37 PST
Also, the more general blocks can only be made once we have done some further improvements to the click-to-play UI, which are in the works and currently planned for Firefox 22, AFAIK.
Comment 61 Bill Martin 2013-03-01 10:07:18 PST
So all in all, "FF 19.0 and Java 7/U15 plugin block is valid"?
Comment 62 Jorge Villalobos [:jorgev] 2013-03-01 10:31:13 PST
(In reply to Bill Martin from comment #61)
> So all in all, "FF 19.0 and Java 7/U15 plugin block is valid"?

Yes, all current versions of Java, including Java 7 U15 are click-to-play blocked in Firefox 17 and above.
Comment 63 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-03-01 10:55:44 PST
My apologies for being a "cop" but this bug report is not the appropriate platform to have this discussion. If you are having problems related to plugin blocklisting please use support.mozilla.org. If you disagree or have feedback to share with regard to our current blocklisting policy please start a thread in the dev-security mailing list.

Thank you.
Comment 64 Scoobidiver (away) 2013-03-06 09:05:54 PST
(In reply to Frederik Braun [:freddyb] from comment #56)
> It *is* being exploited. See
> http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
> for example.
This vulnerability is fixed in Java SE7 U17 and SE6 U43.
Comment 65 almck55 2013-03-24 13:02:42 PDT
I need my java script to be enabled I use it to play my pogo games
Comment 66 Scoobidiver (away) 2013-03-25 00:24:26 PDT
(In reply to almck55 from comment #65)
> I need my java script to be enabled I use it to play my pogo games
JavaScript and Java are two unrelated things.
The latest Java version is not CTP-blocked so please update: http://java.com
Comment 67 Frank Wein [:mcsmurf] 2013-05-16 23:51:09 PDT
Question on the Java CTP block, especially about the Java 7 U5 block on Windows: It is intentional that (at least) this plugin was blocked as PluginVulnerableNoUpdate (that's the Firefox UI string, means no update link appears in the click-to-play UI itself). Or should it rather be blocked as PluginVulnerableUpdatable (as there is an update available for Java 7)? If yes, then I'll file a new bug on this.
Comment 68 Paul Silaghi, QA [:pauly] 2013-05-17 01:51:30 PDT
https://wiki.mozilla.org/Blocklisting/PluginBlocks
In Firefox 1-17, Java 7 U5 - Java 7 U6 is softblocked.
In Firefox 17-*, Java 7 U0 - Java 7 U11 is click to play blocked
So, what Firefox are you using ?
Comment 69 Frank Wein [:mcsmurf] 2013-05-17 12:08:04 PDT
Current FF nightly, but that table/wiki page does not help in this case. Both PluginVulnerableNoUpdate and PluginVulnerableUpdatable are CTP blocks, they just display different CTP UI in FF.
