Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code.
On April 15, Oracle Corp. pushed out an update to its Java software to fix a dangerous security flaw in the program. The patch came just a day after it became clear that criminals were using the flaw to break into vulnerable systems.
Java installs a Java Deployment Toolkit plugin into Internet Explorer and Mozilla browsers. According to comments in the Firefox bug database entry for this issue, Mozilla developers began discussing the forced removal of the plugin days before Oracle pushed the Java update. Even after the Java patch shipped, the developers apparently were concerned that the Oracle update didn’t fix the exploit for all Firefox users. An advisory from the U.S. Computer Emergency Readiness Team supported that finding (US-CERT says the fixed version of the plugin is 6.0.200.2).
There was another problem: Oracle’s patch, which brings the software to Java 6 Update 20, in some cases leaves behind older, vulnerable versions of the Firefox plugin (the Java update application seems to have updated the associated plugin for Internet Explorer just fine).
Indeed, even if you took my advice and uninstalled Java from your computer, this stubborn add-on may still be hanging around in Firefox. And you’ll probably at some point see a prompt like the one above, if you haven’t already. If you want to disable it manually, go to Tools, Add-ons, click the Plugins icon, select the Toolkit and hit the “Disable” button.
Not everyone is happy with Mozilla’s decision to kill this add-on, at least judging from comments #31 and 33 in the Mozilla bug database.
The damn thing is the websites that use Java, and you have to have it operating to get to the good stuff. Well, just forget about the website. Java’s just too dangerous.
Strange thing is, I don’t see this entry in blocklist.xml in either of the two Firefox profiles I am using (I don’t have Java installed so it doesn’t matter). Supposedly, both of them were updated yesterday – yet the block for Java Deployment Toolkit was added several days ago. I just checked by going to the blocklist URL manually, the entry is there (with severity=”1″). I wonder whether it was temporarily removed and reinstated now.
PS: blocklist.xml just got updated – now the entry for npdeploytk.dll is there.
IMO Mozilla has disabled responsibly; no matter how sophisticated the arguments made by #33.
So that’s why i prompted a while ago. Good choice Mozilla?
I applaud their efforts to protect the community. You’d be surprised how many general users have no clue of the dangers the Intenet holds. At a minimum it helps educate users that they need to update their version of Java.
I’ve never been a fan of how you can have multiple versions of Java on the same machine and updating Java usually just installs a new version and never removes the old version.
I had a look at those comments on the bug list and I’d bet anyone those same folks would be the first to blame Mozilla for not blocking the Java plug-in if their machine was hacked as a result. Their elequent use of the English language really made a solid arguement. 🙂
Cheers!
At least multiple versions of the Java runtime on the same machine are supposed to be a thing of the past, updates now replace the existing installation. Then again, only yesterday somebody complained in my blog that he can see four (!) different versions of the Java plugin in Firefox. No idea how that came to be…
Good article except it’s a Java Deployment toolkit not Java Development Toolkit.
D’oh! Tx Matt. I’ve corrected that.
np 😉
I had 9 older versions of Java on Mozilla along with the 6.0.20 update. Had to restart Mozilla upon each removal.
I had uninstalled Java prior to that message from Firefox popping up. My question is, why didn’t uninstalling Java remove that add-on, and how can I uninstall it entirely so it doesn’t even show up in Firefox anymore, even if it is disabled?
I used the unsophisticated method of going into the Mozilla Firefox fold under Program files, looking in the plug-in and extensions folders, and deleting anything with “Java” in it.
@ LT, there’s a program called javara that’s supposed to allow you to remove all old versions of java at once. Look at raproducts.org/javara.html for more information.
David Chasey: Java was not disabled, the ‘Java Deployment Toolkit’ is a separate plugin entirely.
Phoenix: Your method probably missed most pieces of Java which are installed elsewhere. Sun long ago stopped putting the plugin directly into the Firefox install directory.
Instead, follow Brian’s advice at the end of the post and disable them from the Add-ons dialog available on the Tools menu.
Excuse me, but my response is to LT’s query as to how to get rid of the Java add-ons after they are disabled, and my response is basically, and perhaps crudely, hunt them down and kill them.
I wonder if they will do something similar with outdated Flash players?
They certainly will if these start getting exploited. The urgency with this Java update were the attacks going on, Mozilla doesn’t want to blocklist anything just to get users to update (that’s what update notifications are for).