Industry News

Firefox Disables Vulnerable Java; Still More Effective than Oracle Patch

Firefox developer Mozilla has introduced a plugin-checking mechanism that verifies the version of the Java add-on installed locally and automatically disables it if vulnerable. The mechanism went live today in response to incidents triggered by old, unpatched Java and Flash plugins, especially in light of the recently discovered vulnerability known as CVE-2012-4681.

Even if Oracle has issued a patch, users are rarely installing security updates by themselves. This becomes particularly problematic as Java (like Flash or Adobe Reader) is available directly from the browser as a plugin, and exploits based on CVE-2012-4681 have already been integrated in the most famous hacking toolkits such as Neosploit (not related to Metasploit) and BlackHole.

“We have enabled an update notification that will show up every time a user visits a site with a Java applet using a vulnerable Java plugin. The notification points to our Plugin Check page, which should assist users in getting Java up to date,” Mozilla announced.

Although the Windows release is prioritized, the Firefox developer plans to deploy it on Firefox releases for other operating systems as well.

“This block will be initially applied to Windows users and Linux users who have the Oracle version of the Java RE, but we expect to extend it to Mac OS X (where the majority of users are unaffected) and the IcedTea plugin on Linux,” Mozilla stated.

via Softpedia

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

1 Comment

Click here to post a comment