Mozilla touts 'Click to Play' in defense against Java vulnerability

Mozilla touts 'Click to Play' in defense against Java vulnerability

Summary: Mozilla has chimed in with its own tips and resources amidst the brewing Java vulnerability scare.

TOPICS: Security, Browser, Oracle

As worries about the Java 7 Update 10 vulnerabilities continue to escalate, Mozilla has addressed the issue in reference to how this concerns Firefox.

Michael Coates, director of Security Assurance at Mozilla, wrote in a blog post on Friday afternoon that Firefox users could be vulnerable if they have the current version of the Java plugin installed on their browsers.

More about Java on ZDNet:

In case you're not aware, another zero day vulnerability related to Java was discovered to be actively being exploited in the wild, according to a number of security researchers and reports on Friday.

This particular Java 7 weakness is said to be so detrimental that the U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers altogether.

At this point in time, Oracle (the owner of Java) hasn't released a security update or patch to remedy the issues.

Coates explained that in fairly clear terms what could happen here:

An attacker could exploit this vulnerability to execute malicious software on a victim’s machine. This vulnerability is being actively used in attacks and the malicious exploit code is also available in common exploit kits.

For Firefox users, Coates touted the "Click to Play" security feature, which is basically used to halt loading plugins before they're clicked -- or block them altogether.

In reference to Java, this means the plugin won't load until the user clicks on the permission pop-up to do so. Thus, until a patch is rolled out, don't give permission.

Coates added that Firefox users with older versions of Java should be already protected by existing plugin blocking or Click To Play defenses.

Screenshot via Mozilla Security Blog

Topics: Security, Browser, Oracle

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Java disable

    Alternate method disables Java in all your browsers at once
    start/computer/control panel/open java applet/properties/ security tab/unchecke allow Java /apply/OK that's it .
    preferred user
    • don't see that setting in Windows 8 control panel

      The only setting I could find was in internet settings was just Java - went through all the screens and although there was one there saying that java runtime was enabled, it was impossible to untick it. There were various settings in the advanced tab - what I have done there is to change allow to prompt as I want to be able to see what is affected. Also I hope this doesn't mean that I am turning off javascript
      • dunno bout Windows 8 but...

        In "7" run javacpl.exe as administrator, click the “Advanced” tab, select “Microsoft Internet Explorer” in the “Default Java for browsers” section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.
        • Win8 like Win7

          Go to Control Panel... Java (manager), in Advanced tab, "Default java for browsers" section, click "Microsoft Internet Explorer" to highlight it, then press spacebar... to uncheck it.
      • update java

        Be sure you are running the latest version of Java. It is the only version that has the one click disabling button. Just hit update to be sure.
  • Chrome also has this

    Chrome also has click to play, but it's disabled by default.
    • Chrome 24

      My version 24 of Chrome popped up a bar asking to allow Java to run (test java page).
      Not sure if I enabled that or not... but it is ;)
  • Disabling Java vs. Click to Play

    What is the difference between disabling Java on Firefox and turning on Click to Play? Or rather, which is preferable for someone who is not a computer expert? Thanks.
    • The difference

      Disabling it completely means it can't be used, period.

      "Click to play" means it's temporarily disabled on every page, but can be enabled by clicking on it.
  • oops

    A novice, after seeing the warning, I uninstalled Java and now seem to be having issues with seeing pictures on some websites. Not Zdnet however. Any suggestions?
  • enabling java in current firefox browsers for temporary use

    My wife came and got me when she noticed a pop up window come up on a crosswords puzzle game that she normally plays late at night. It was a simple window that she had not seen before when she tried to access the puzzle, and it simply stated that the current version of java was deemed to be a security risk, but that clicking on the box would enable java anyway in Firefox for current site usage. With a left click, java was enabled and the game proceeded as usual. An elegant solution by Mozilla in that instance was employed, and I went back to the same site later to verify that indeed the pop -up notice and enablement worked flawlessly again.

    So for simple and temporary usage of java, there is no need to globally disable it in Firefox right now. Thank you, Mozilla!