Mozilla moves to block Firefox from loading unpatched Java plugins | Ars Technica


Sean Gallagher - Apr 3, 2012 7:53 pm UTC

Security vulnerabilities in the Java Development Kit and Java Runtime Environment that were patched in a February release pose such a security risk to browser users that the Mozilla Foundation has added older versions of the Java plugin to Firefox’s blocklist, disabling them from running within the browser.

In a post to Mozilla’s Firefox Add-Ons blog, Mozilla channel manager Kev Needham said the vulnerability “is actively being exploited, and is a potential risk to users.” Currently, the blocklist includes only out-of-date versions of the Java 6 and Java 7 plugins for Windows, but Needham said that an entry for the Mac OS X Java plugin “may be added at a future date.”

The vulnerabilities, revealed by Oracle on February 14, allow an attacker to bypass the Java “sandbox” and execute code on the system being attacked. Malicious websites using the vulnerability have already been found by researchers at Microsoft’s Malware Protection Center. And according to security blogger Brian Krebs, tools that automate configuration of sites to take advantage of the vulnerability are already being distributed as “exploit packs” for BlackHole, a tool used to create malicious websites that can infect PCs with botnets and other malware.

But the patch posted by Oracle to close the vulnerability remains widely uninstalled. Marcus Carey, a security researcher at Rapid7, said that he estimates 60 to 80 percent of computers running Java are still vulnerable to the attack. “Looking long term, upwards of 60 percent of Java installations are never up to the current patch level,” he said in an e-mail to Ars.
