2 Replies Latest reply: Jan 14, 2013 6:53 AM by lake

mozilla requiring click to run jre 6 or 7 currently

lake Journeyer
https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/

"Mozilla is aware of a security vulnerability in the current version of Java (Java 7 Update 10) that is being actively exploited and affects any browser using the Java plugin."
....
"There is no patch currently available for this issue from Oracle. To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses."

Well I don't see why they are requiring click to play with the jre 6 but they are. Thing is there are a lot of ways to call IE such as via MS Office as discussed here:
http://www.kb.cert.org/vuls/id/625617

So next month will be the last month that jre 6 users will get free updates and then we have to get jre updates from Oracle support, right? Unfortunately the jre 7 is just not maturing properly. We need the jre 6 to continue!
  • 1. Re: mozilla requiring click to run jre 6 or 7 currently
    729548 Newbie
    I totally support that. Java RE is under fire; this is something that keeps us thinking of moving away from Oracle. It's totally unacceptable that Oracle leaves this critical bug open for so long. All JREs around the world are vulnerable.

    Regards
    JR
  • 2. Re: mozilla requiring click to run jre 6 or 7 currently
    lake Journeyer
    Note that Oracle has released the jre 7u11 to patch the version 7 problems:
    http://www.oracle.com/technetwork/java/javase/downloads/index.html

    BTW I don't think the vendor took very long to fix this particular bug, it's just that there is a succession of them that has unfortunately greatly weakened the credibility of the 7 lineage. If only we could get some control over some aspects of this! Running forms as applets in browsers has too many points of failure. The browser can at any time suddenly decide to block or partly block launching applets, like Mozilla click blocking 6u38 just because maybe the version 7 bug was more widespread as they said here:
    https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/
    "Why are you blocking the jre 6u38? I thought only 7 was vulnerable to these problems."
    "We are being extra cautious to ensure all users are protected in the event the scope of the vulnerability is larger than the initial reports have indicated. We are erring on the side of caution."

    Most browsers now autoupdate on their own so there is no telling what they may decide to do at any time. Mozilla has consistently for months refused to recognize the jre 6 lineage as valid and tries to get the users to upgrade to 7, which doesn't work with our forms due to the vendor having changed the vendor name in the jre.
    As you can see here, Mozilla will not recognize 6u38 as a valid version of Java and it has not even hit the end of life yet:
    https://www.mozilla.org/en-US/plugincheck/

    After February 2013 I fear Firefox will totally block the jre 6 even if we keep getting updated via Oracle support. I don't know any browser that will accept more than one jre plugin at a time so it's not possible to run jre 6 requiring applets and jre 7 requiring applets. One would wish the vendor was working with the browser providers and solving some of these problems!

    Edited by: lake on Jan 14, 2013 8:51 AM