CTP-blocklist Java SE7 U25




5 years ago
3 years ago


(Reporter: kenang.ebotz, Unassigned, NeedInfo)


Firefox Tracking Flags

(Not tracked)


Comment hidden (empty)

Comment 1

5 years ago
Please describe your issue with Java.
Flags: needinfo?(kenang.ebotz)

Comment 2

5 years ago
Btw. new vulnerability found in current Java version 7.25:
Hopefully not yet exploited.
Next update scheduled by Oracle: October 15th.


5 years ago
Ever confirmed: true
Summary: java → CTP-blocklist Java SE7 U25
Clearing needinfo for sec issue from comment 2, we should really get Java blocked again.
I don't see any mention of this being limited to Windows.
Flags: needinfo?(kenang.ebotz)
OS: Windows 7 → All
Hardware: x86 → All
Is this vulnerability exploitable through the Java plugin?
The provided exploit [1] uses a Java applet.

[1] http://www.security-explorations.com/materials/se-2012-01-61.zip
Sorry, never mind, that was for a previously reported vulnerability.


5 years ago
Flags: needinfo?(mcoates)
Flags: needinfo?(dveditz)
Benjamin: what information do you need from me?

The security team in general thinks we need to get to the point we can make all versions of Java click to play. This announcement without a public exploit doesn't really increase the known risk to users much -- the most recent Pwn2Own contest elicited four independent working exploits for a fully-patched Java. If we're not ready to make all Java CtP all the time without even a whiff of a public exploit then this announcement may not be a triggering event. But it may encourage more people to dig in the areas mentioned and we can probably expect independent rediscovery and publication in the next couple of weeks.

Blocking now would be safer, but depending on what's driving the decision to leave Java unblocked we could continue at that level of risk and keep an eye out for the inevitable exploit.
Flags: needinfo?(dveditz)
The question (at least mine) is whether this particular block is urgent or not. I'm in favor of blocking all of Java, but in the meantime I need to spend lots of time updating the Java block for pretty much every new version that comes up. If this is not urgent I'd rather wait until there are more versions to block, or something urgent comes up.
Flags: needinfo?(dveditz)

Comment 9

5 years ago
The final plan is to continue to update the block when every new version comes out, so that the non-latest versions are blocked with "update available" and the latest version is just blocked.

That said, I'm still waiting on feedback for the precise wording we want in the product, and this does not appear to be more urgent than any time in the past.
It's more concerning than "you have Java installed" levels of worry, but since we're not ready to block all Java yet I'd call this a "Yellow Alert" -- be ready to throw up the shields at a moment's notice but they don't have to be up right now.

How long does it take to get a blocklist update out when the other shoe inevitably drops? If there's a lot of work to be done you may want to prep and test the files ahead of time so they're ready to go.
Flags: needinfo?(dveditz)
This would just be an extension of the previous block, so it can be staged on a moment's notice. Then it might take a couple of days for QA to test it and then moving it to production is also quick. However, it does consume at least a few hours for me and for QA, so I'd rather only do it when strictly necessary.
Closing this since it doesn't appear to be needed anymore (due to CTP by default).
Last Resolved: 4 years ago
Resolution: --- → WONTFIX


3 years ago
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.