Mozilla blacklisted unpatched versions of the Java plug-in from Firefox on Windows in order to protect users from attacks that exploit known vulnerabilities in those versions.
Mozilla can add extensions or plug-ins to the Firefox add-on blocklist if they cause significant security or performance issues. Firefox installations automatically query the blocklist and notify users before disabling the targeted add-ons.
“The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer,” said Mozilla’s channel manager Kev Needham.
“This vulnerability — present in the older versions of the JDK and JRE — is actively being exploited, and is a potential risk to users,” Needham said. “To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist.”
Needham did not specify the exploited vulnerability, but security companies warned during the past couple of weeks that exploits for the CVE-2010-0507 Java vulnerability were in widespread attacks and incorporated into the popular Blackhole exploit toolkit.
Unlike Google’s Chrome browser, which has a feature specifically aimed at disabling outdated plug-ins, Firefox relies on Mozilla developers deciding which plug-ins pose a risk to users. However, users retain the choice of disabling those plug-ins.
In October 2009, Mozilla added Microsoft’s Windows Presentation Foundation (WPF) plug-in to the Firefox blocklist after Microsoft revealed that it had a vulnerability.
“Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms,” Needham said. The latest versions of Java for Windows are Java 6 Update 31 and Java 7 Update 3.