Mozilla disables older versions of Java plug-in in Firefox
According to security expert Brian Krebs, Mozilla has started disabling older versions of the Java Deployment Toolkit plug-in in its Firefox web browser. In a post on his blog, Krebs says that Mozilla is likely just attempting to "block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code."
Last week, Oracle released Java 6 Update 20 to patch critical vulnerabilities in the Java Deployment Toolkit and in the new Java Plug-in, both of which were already being exploited in the wild. By default, installing Java automatically installs the Java Deployment Toolkit plug-in into Microsoft's Internet Explorer and Mozilla's browsers, such as Firefox and the SeaMonkey "all-in-one internet application suite". However, Java updates often leave older, vulnerable versions of the plug-in installed in Firefox, and even uninstalling Java itself can leave the plug-in behind. Version 6.0.200.2 of the plug-in reportedly addresses the vulnerability issues.
Users with older versions of the plug-in should automatically receive a prompt to disable the Java Deployment Toolkit (JDT) plug-in. Alternatively, users can manually disable the Java Deployment Toolkit modules under Tools / Add-ons / Plug-ins. The latest stable release of Firefox is version 3.6.3 from the beginning of April.
See also:
- Java vulnerability - when lyric sites attack, a report from The H.
- Java exploit launches local Windows applications, a report from The H.
- Firefox 3.6.3 closes a critical hole, a report from The H.
(crve)