nsane.forums Posted January 11, 2013

Mozilla has chimed in with its own tips and resources amidst the brewing Java vulnerability scare.

As worries about the Java 7 Update 10 vulnerabilities continue to escalate, Mozilla has addressed the issue in reference to how this concerns Firefox.

Michael Coates, director of Security Assurance at Mozilla, wrote in a blog post on Friday afternoon that Firefox users could be vulnerable if they have the current version of the Java plugin installed on their browsers.

In case you're not aware, another zero day vulnerability related to Java was discovered to be actively being exploited in the wild, according to a number of security researchers and reports on Friday.

This particular Java 7 weakness is said to be so detrimental that the U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers altogether.

At this point in time, Oracle (the owner of Java) hasn't released a security update or patch to remedy the issues.

Coates explained in fairly clear terms what could happen here:

An attacker could exploit this vulnerability to execute malicious software on a victim’s machine. This vulnerability is being actively used in attacks and the malicious exploit code is also available in common exploit kits.

For Firefox users, Coates touted the "Click to Play" security feature, which is basically used to halt loading plugins before they're clicked -- or block them altogether.

In reference to Java, this means the plugin won't load until the user clicks on the permission pop-up to do so. Thus, until a patch is rolled out, don't give permission.

Coates added that Firefox users with older versions of Java should be already protected by existing plugin blocking or Click To Play defenses.

View: Original Article

Avitar Posted January 12, 2013

Ok, so how do I activate this feature in my Firefox?

Avitar Posted January 12, 2013

You can force all plugins to be Click to Play by going to about:config and changing the preference plugins.click_to_play to true.

From the Click to Play UI (the drop-down shown in the picture above, or by clicking the blue-block icon in the address bar) you can block or allow plugins for the site you’re on.

We have not yet exposed a way to block or allow specific plugins on specific sites, that is, you can’t block Java but allow Flash; right now it’s all or nothing on a per-site basis. You can permanently disable any plugin for all sites from the Add-on manager dialog, but then you can’t use Click to Play to enable it.

>"Click to Play UI" :rofl:

IKR, they call that a UI. Well I guess it's better than nothing.

Your method quoted here works like a charm. However I'm running 64 bit CyberFox and the plugins seem to not load at all on the same test page aforementioned by the picture. Am I missing a plugin? And if so, how can I get it installed in my CyberFox?
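
The about:config change quoted in the post above is stored per profile in prefs.js (and can be overridden by user.js), so it can be checked from disk across several profiles. The script below is an added example, not part of the thread or of Mozilla's tooling; the profile directory names and sample contents are constructed, and a profile that never sets the preference is assumed to be not forced.

```python
import re
import sys
import tempfile
from pathlib import Path

PREF = "plugins.click_to_play"
# Matches one pref line, e.g.  user_pref("plugins.click_to_play", true);
# Lines commented out with // do not match.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def read_prefs(text):
    """Return {name: raw value} for each user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def click_to_play_forced(profile_dir):
    """True only if the profile ends up with plugins.click_to_play = true.

    user.js is applied over prefs.js at startup, so it is merged last.
    Assumption: a profile that never sets the pref is treated as not forced.
    """
    merged = {}
    for name in ("prefs.js", "user.js"):
        f = Path(profile_dir) / name
        if f.is_file():
            merged.update(read_prefs(f.read_text(encoding="utf-8", errors="replace")))
    return merged.get(PREF) == "true"

def audit(profiles_root):
    """Map every profile directory under profiles_root to True/False."""
    return {p.name: click_to_play_forced(p)
            for p in sorted(Path(profiles_root).iterdir()) if p.is_dir()}

def build_sample(root):
    """Constructed sample profiles (not real data) for a stand-alone run."""
    samples = {"aaaa.default": 'user_pref("plugins.click_to_play", true);\n',
               "bbbb.work": '// user_pref("plugins.click_to_play", true);\n'}
    for name, prefs in samples.items():
        (Path(root) / name).mkdir()
        (Path(root) / name / "prefs.js").write_text(prefs)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample(root)
    for name, forced in audit(root).items():
        print("forced " if forced else "NOT SET", name)
```

Run it with the directory that holds the browser's profile folders as the only argument; with no argument it audits the constructed sample.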

x3r0 Posted January 12, 2013

Is this a different method than Opera's "Enables plugins only on demand"? Opera blocks any plugins, such as Adobe Flash and Java. Unless the users click on it, it won't be loaded by Opera.

ande Posted January 12, 2013

> Is this a different method than Opera's "Enables plugins only on demand"? Opera blocks any plugins, such as Adobe Flash and Java. Unless the users click on it, it won't be loaded by Opera.

Same is with Chrome.

Or you can add one by one manually as in Chrome:

edwardecl Posted January 12, 2013

Would be great if Java ran in some sort of sandbox along with other plugins such as Flash. They are all potential security holes waiting to happen.

But the best defense is never to run Java apps from suspect websites. I thought Java always asked before it ran anything if you trust the site and to add it to some sort of whitelist first anyway?

If it gets around that, then that's retarded.