Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a newly discovered Java security hole that attackers have been exploiting of late to install malicious code.
On April 15, Oracle Corp. pushed out an update to its Java software to fix a dangerous security flaw in the program. The patch came just a day after it became clear that criminals were using the flaw to break into vulnerable systems.
Java installs a Java Deployment Toolkit plugin into Internet Explorer and Mozilla browsers. According to comments in the Firefox bug database entry for this issue, Mozilla developers began discussing the forced removal of the plugin days before Oracle pushed the Java update. Even after the Java patch shipped, the developers apparently were concerned that the Oracle update didn’t fix the exploit for all Firefox users. An advisory from the U.S. Computer Emergency Readiness Team supported that finding (US-CERT says the fixed version of the plugin is 188.8.131.52).
There was another problem: Oracle’s patch, which brings the software to Java 6 Update 20, in some cases leaves behind older, vulnerable versions of the Firefox plugin (the Java update application seems to have updated the associated plugin for Internet Explorer just fine).
Indeed, even if you took my advice and uninstalled Java from your computer, this stubborn add-on may still be hanging around in Firefox. And you’ll probably at some point see a prompt like the one above, if you haven’t already. If you want to disable it manually, go to Tools, Add-ons, click the Plugins icon, select the Java Deployment Toolkit and hit the “Disable” button.