Mozilla touts 'Click to Play' in defense against Java vulnerability

Mozilla has chimed in with its own tips and resources amidst the brewing Java vulnerability scare.

zdnet-mozilla-ctp-in-action1-600x478

As worries about the Java 7 Update 10 vulnerabilities continue to escalate, Mozilla has addressed the issue in reference to how this concerns Firefox.

Michael Coates, director of Security Assurance at Mozilla, wrote in a blog post on Friday afternoon that Firefox users could be vulnerable if they have the current version of the Java plugin installed on their browsers.

More about Java on ZDNet:

In case you're not aware, another zero day vulnerability related to Java was discovered to be actively being exploited in the wild, according to a number of security researchers and reports on Friday .

This particular Java 7 weakness is said to be so detrimental that the U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers altogether.

At this point in time, Oracle (the owner of Java) hasn't released a security update or patch to remedy the issues.

Coates explained that in fairly clear terms what could happen here:

An attacker could exploit this vulnerability to execute malicious software on a victim’s machine. This vulnerability is being actively used in attacks and the malicious exploit code is also available in common exploit kits.

For Firefox users, Coates touted the "Click to Play" security feature, which is basically used to halt loading plugins before they're clicked -- or block them altogether.

In reference to Java, this means the plugin won't load until the user clicks on the permission pop-up to do so. Thus, until a patch is rolled out, don't give permission.

Coates added that Firefox users with older versions of Java should be already protected by existing plugin blocking or Click To Play defenses.

Screenshot via Mozilla Security Blog

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All
See All