Firefox Disables Vulnerable Java; Still More Effective than Oracle Patch
Firefox developer Mozilla has introduced a plugin-checking mechanism that verifies the version of the Java add-on installed locally and automatically disables it if vulnerable. The mechanism went live today in response to incidents triggered by old, unpatched Java and Flash plugins, especially in light of the recently discovered vulnerability known as CVE-2012-4681.
Although Oracle has issued a patch, users rarely install security updates on their own. This becomes particularly problematic because Java (like Flash or Adobe Reader) is reachable directly from the browser as a plugin, and exploits based on CVE-2012-4681 have already been integrated into the best-known exploit kits, such as Neosploit (not related to Metasploit) and BlackHole.
“We have enabled an update notification that will show up every time a user visits a site with a Java applet using a vulnerable Java plugin. The notification points to our Plugin Check page, which should assist users in getting Java up to date,” Mozilla announced.
Windows users are covered first, but Mozilla plans to roll the block out to Firefox releases for other operating systems as well.
“This block will be initially applied to Windows users and Linux users who have the Oracle version of the Java RE, but we expect to extend it to Mac OS X (where the majority of users are unaffected) and the IcedTea plugin on Linux,” Mozilla stated.
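The core of the mechanism described above is a version-range check: read the installed plugin's version string and disable the plugin when it falls inside a blocked range. The following is an added illustration of that check, not Mozilla's or Oracle's code. The `parse_java_version`, `BlockRange` and `plugin_decision` names are this example's own, the sample version strings are constructed, and the block-list bounds are placeholders standing in for whatever range the vendor advisory specifies; the article itself does not state affected version numbers. The point a practitioner should take from it is that Java's `major.minor.micro_update` strings must be compared numerically, field by field: a plain string comparison puts `1.7.0_10` before `1.7.0_6` and would let a newer build through or block an older one incorrectly.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Java plugin versions look like "1.7.0_06" (major.minor.micro_update).
# The update number is optional and is where lexical comparison breaks:
# "1.7.0_10" < "1.7.0_6" as strings, but 10 > 6 as numbers.
_JAVA_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Java version string into a comparable tuple of integers."""
    match = _JAVA_VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = match.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


@dataclass(frozen=True)
class BlockRange:
    """One block-list entry: an inclusive version range and why it is blocked."""

    min_version: str
    max_version: str
    reason: str

    def contains(self, version: str) -> bool:
        low = parse_java_version(self.min_version)
        high = parse_java_version(self.max_version)
        return low <= parse_java_version(version) <= high


# Assumed block list. The bounds are placeholders for this example, not the
# article's or Mozilla's real entries; a deployment would take them from the
# vendor advisory for the CVE in question.
ASSUMED_BLOCKLIST: List[BlockRange] = [
    BlockRange("1.7.0_00", "1.7.0_06", "CVE-2012-4681 (placeholder range)"),
]


def plugin_decision(
    installed_version: str, blocklist: List[BlockRange] = ASSUMED_BLOCKLIST
) -> Tuple[str, Optional[str]]:
    """Return ("disable", reason) if the version is blocked, else ("allow", None)."""
    for entry in blocklist:
        if entry.contains(installed_version):
            return ("disable", entry.reason)
    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample inputs, as a browser might read them from the plugin.
    for candidate in ["1.7.0_06", "1.7.0_07", "1.7.0_10", "1.6.0_35"]:
        verdict, why = plugin_decision(candidate)
        print(f"{candidate:>10}: {verdict}" + (f" ({why})" if why else ""))
```

Because the comparison is done on integer tuples rather than strings, a later update such as `1.7.0_10` correctly lands outside a range that ends at `1.7.0_06`, which is exactly the case a naive string comparison gets wrong. Malformed version strings raise rather than silently being treated as safe, so an unparsable plugin is surfaced for a human decision instead of being allowed by default.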