Skip to main content

Mozilla Blocks Firefox From Running Unpatched Java Plugins

The Mozilla Foundation has had to block older versions of the Java plugin (opens in new tab) from running in Firefox. In February, vulnerability in the security of both Java Development Kit (JDK) and the Java Runtime Environment (JRE) were patched, however this issue still provides a significant risk to the browser's users. Mozilla has therefore had to add these plugins to the Firefox blocklist, meaning these no longer load in the browser.

This issue was addressed in the Mozilla blog (opens in new tab): "This vulnerability - present in the older versions of the JDK and JRE - is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date."

The blog went on to recommend that "anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms".

The vulnerability allowed an attacker to circumnavigate the Java 'sandbox' in order to execute code on the machine's system that was being compromised. The vulnerability was discovered by Oracle, but the patch released by the former to close the exposure has not been installed by the vast majority of users.