Mozilla Disables Java Plugin in Firefox for Security Reasons

The vulnerabilities have been fixed in the latest Java update

By on April 20th, 2010 14:54 GMT
Mozilla has taken a bold step in dealing with security vulnerabilities in third-party plugins, which have been the bane of any browser maker for quite some time. The open-source foundation has decided to disable older versions of a Java plugin, specifically the Java Deployment Toolkit, which are known to be vulnerable to attacks. The move is not unprecedented, but it is still managing to create a splash.

The vulnerabilities affect all older Java Deployment Toolkit plugins, but Oracle, the new owner of Java, released an out-of-cycle patch, Java 6 Update 20, last week, which supposedly plugs the vulnerabilities. Still, the exposed vulnerabilities were considered a serious-enough threat by the Mozilla developers for them to decide to blacklist all but the very latest version.

The decision was made before Oracle issued the patch and was enforced after that as well, as it wasn’t completely sure that all of the problems had been fixed. Some users also report that the older plugin version is left behind in Firefox even after they installed Update 20. Still, there should be no problem if you get and install the latest update available from the download link below or from Oracle.

Mozilla has been known to blacklist plugins that have serious or known-to-be-exploited vulnerabilities. It did this last autumn with the blocking of Microsoft’s Windows Presentation Foundation and the .NET Framework Assistant plugins and the move was not without its critics. The same is happening now, as some users are not entirely happy about Mozilla disabling the plugin automatically and remotely.

Mozilla is in a very tight spot in this type of situations. On the one hand, it has to think about users’ security, most people rarely update their software, not to mention stay up-to-date with the latest security risks. On the other hand, the move is pretty drastic and users don’t like having their browser messed with, even if it’s for their own good.

Java Runtime Environment (JRE) Version 6 Update 20 is available for download here.
Java SE Development Kit (JDK) Version 6 Update 20 is available for download here.

Comments