Old Java versions will be disabled automatically in Firefox

Apr 3, 2012 10:01 GMT

Mozilla has announced that it's blocklisting older versions of the Java runtime environment in Firefox. These older versions of the Java plugin contain a vulnerability that is being actively exploited in the wild. As such, Mozilla deemed it a high enough risk to block all but the most recent versions of Java, which have patched the bug responsible for the vulnerability.

"This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users," Mozilla's Kev Needham explains.

"To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date," he announced.

What this means is that older versions of the Java plugin will be disabled on user machines in Firefox, removing the risk of an attack but also leaving users without the Java runtime.

Granted, the Java plugin is hardly a requirement for the vast majority of websites today. Still, users can choose not to disable the vulnerable plugins if they so desire. A much better option, of course, would be to update to the latest version of Java, which is what Mozilla is encouraging.

That's an option for Windows and Linux users, but not for those on Mac OS X. Java is not installed by default in Mac OS X, but is offered by Apple. Apple is also responsible for the updates and has, as usual, fallen behind on the latest patch.

While the Windows and Linux versions were patched in February, a patch for Mac OS X is nowhere in sight. That's an even bigger problem since the vulnerability is now used by the Flashback trojan.

Since Mac users don't have a patched Java to upgrade to, Mozilla will not be disabling the plugin for them.