Java will be disabled remotely but users will be notified on any page that uses the plugin

Aug 30, 2012 07:54 GMT

A Java security vulnerability that is actively being exploited in the wild has Mozilla worried. When the vulnerability was first discovered, a few days ago, Mozilla urged users to disable the Java plugin to stay safe.

With no patch for the vulnerability as of yet, the advice holds and Mozilla now plans to disable the plugin automatically for all users. Obviously, this affects Windows Firefox users only.

However, so that users can still run Java when they need it, Firefox will notify them that the plugin has been disabled, showing the message on any site that requires Java.

"We’ve been closely monitoring the recent Java security vulnerability and evaluating different options to best protect our users," Mozilla wrote in an update to the first warning.

"Our goal is to provide protection to Firefox users against this actively exploited vulnerability in Java while also leaving the user in control so they can choose to allow Java on important sites that they trust," it said.

Mozilla hasn't figured out the details just yet and it isn't updating the blocklist until it does, so, for now, the advice remains to disable the Java plugin entirely. To do this, open the Add-on Manager from the Tools menu button, select the Plugins panel, select the Java plugin and click Disable.

Mozilla occasionally blocks plugins that are vulnerable by disabling the plugin remotely and notifying users of the security risk, offering them the option to leave the plugin enabled, if they so desire. But this is normally done for older versions of a plugin to encourage users to update to the newer, safer ones.

In this case, there is no safe version as Oracle hasn't issued a patch yet. So Mozilla will have to be more careful when disabling the plugin. To make sure that users aren't too annoyed, there will be a notification in Firefox, after the plugin is disabled, on any page that requires Java.

An alternative to all of this is the click-to-play plugins feature. It's available in Firefox 15, the latest stable release, but it's disabled by default and users have to manually enable it by using about:config.