Mozilla considers disabling Java in Firefox

Discussion in 'other security issues & news' started by ronjor, Sep 29, 2011.

Thread Status:
Not open for further replies.
  1. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I think what he means is that Java isn't going to run on any browser unless it's called, which usually happens when one visits a Java-using website. Therefore, if it's not going to run if it isn't needed, and a person absolutely needs Java around, then blocking it isn't going to do a thing. The user will just re-enable it. As far as plugins, do you mean Flash and Java, or are you talking about extensions, which users will for certain usually have more than one of?

    If it's extensions, Chrome is far worse off, as they do relatively little checking on them whatsoever, and Mozilla puts them through a pretty thorough checking process before allowing them in their add-ons store. By the way, security as a whole is based on reactive solutions. It's mostly about applying a bandage after something has happened, and it's been that way for far too long.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Disabling a plugin that can be re-enabled does very little.

    A user visits a site, they see the site needs Java to run (exploit or not) and they run the Java.

    That's all I'm saying.

    EDIT: DW got it.
     
  3. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Fair enough, but you're assuming that people are encountering sites with Java applets often. For myself, I've only noticed one page this whole year needing Java.

    OTOH I've looked into far more legitimate sites that have been hacked to include obfuscated scripts for various exploit kits, all of which look to exploit Java.
     
  4. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I mean actual plugins, although IIRC the Java console is counted as an extension and has been force-disabled in the past due to vulnerabilities.

    The majority of Firefox profiles I see have the trifecta: Sun Java, Adobe Flash, Adobe PDF reader - all of which are common targets for exploits, although Flash doesn't seem to be figuring in it nearly as often.

    The reason all the Firefox browsers allowed infection in these examples was probably those three, less so Flash & mainly Java and PDF exploits:
    http://www.m86security.com/newsImages/TRACE/ph2.png
    http://labs.m86security.com/wp-content/uploads/2011/05/panel1.png
    http://labs.m86security.com/wp-content/uploads/2011/06/Statistics.png
    http://krebsonsecurity.com/wp-content/uploads/2010/09/blackholemain.jpg
    http://krebsonsecurity.com/wp-content/uploads/2010/10/seosploit1.jpg
    http://krebsonsecurity.com/wp-content/uploads/2010/10/seosploit3.jpg

    Agreed on Chrome extensions, was just reading about it:
    http://www.adrienneporterfelt.com/blog/?p=226
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If they don't visit a site with Java having it disabled is irrelevant anyways. And if they encounter a hacked site that asks permission to run Java it's still irrelevant because users very often make the wrong choice - especially on a legitimate site.
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    PDF and Flash exploits are well known to be big issues. Personally, with all this talk of Java exploits lately, I've heard about and certainly have seen much less of them, compared to the other "big two". PDF exploits are an easy fix, simply don't open them up in your browser, and turn scripting off in your PDF reader. Flash is Flash, it's popular and it'll be a target regardless.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I've seen plenty of Java exploits. I found quite a lot when testing Comodo's sandbox against them.

    I feel much less secure without a Java sandbox.
     
  8. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I don't test malware, so my exposure to it is a lot less than some of you guys :)
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well, take my word for it =p they exist. And they and OS exploits are the two biggest attack vectors for me (my opinion.)
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Lol, I know they exist. I'm far more worried about tracking and other privacy issues these days than I am about getting "pwned". Malware writers are targeting the social crowd more, which I'm not a part of, and, soon, they'll be hooking on to mobile, which I don't use. Meanwhile, more and more reports come out every day about data being misused and companies wanting to watch you do all but take a crap on the toilet.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Oh I could care less about privacy. lol
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    One day you will, friend, one day you will :D
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I doubt it. I have nothing to hide and if I do I don't put it anywhere a tracking service would find it anyways.
     
  14. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I feel like the cat's out of the bag with privacy - realistically, any multinational company that wants my name and address could source it from multiple databases, and match it in multiple ways to my online activities...
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    Wouldn't miss Java for a minute. I removed it months ago except for a short trial of v7, which came back off after a couple of days. Don't need it, don't want the security risk.
     
  16. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I just did a series of browser tests to demonstrate that disabling a vulnerable plugin does in fact prevent an exploit in Firefox.

    I used an older version of Java (6, update 21), and tested against a Blackhole Exploit Kit.

    When both Java plugins are disabled, the exploit kit does not detect the presence of Java - and as such, doesn't even attempt any Java exploits:
    nojava.png

    When the Java Deployment Kit plugin was enabled (apparently not itself targeted by the exploit kit?), the exploit kit detects the presence of Java and sends out the malicious applets one by one:
    JDKonly.png

    Because the Java runtime itself was disabled, these were not able to run and so the exploit failed.

    Since most exploit kits actually run in a hidden iframe from a legitimate page, users with the strange combination of JDK enabled and JRE disabled wouldn't actually see 'plugin for this content has been disabled', and so wouldn't have any reason to enable Java.

    Opera worked pretty much the same as Firefox in this regard, while IE9 was quite exploitable and (same as Rmus found) ran the Java exploit despite disabling or removing the Java runtime BHO.
     


  17. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    That's because you need to go into the addons if you want to disable Java in IE, same as Firefox. Unticking it in advanced is not how you disable it.
     
  18. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Actually I disabled the Java runtime plugin in Tools > Manage add-ons.

    The problem as already discussed elsewhere is that the Java Development Kit is not visible in this view. MrBrian pointed out that disabling the JDK is more involved:
    http://www.kb.cert.org/vuls/id/886582

    There are two Java plugins, and only one can be easily disabled in Internet Explorer. While the JDK is enabled, IE is vulnerable to Java exploits no matter what you disable in 'Manage add-ons'. There is no such issue in Firefox or Opera.
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I can disable both easily by selecting "All Addons" in the addon manager, what issue are you experiencing?
     
  20. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I stand corrected, I hadn't done the extra step of selecting 'all add-ons' and had assumed it would all be listed under the main view like other browsers.

    Just installed the latest Java runtime in a sandbox to check, and looked in Manage add-ons: the other Java plugins don't show by default in the default view of 'currently loaded add-ons'.

    Clicking 'All addons' shows three extra plugins that were hidden in the default view, including the JDK. They are only shown in that view and 'downloaded controls'.

    Shows both my inexperience with IE, as well as the unhelpful design of IE9.
     
    Last edited: Oct 9, 2011
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    It's helpful for people that have many addons, navigating the entire Firefox list can be quite annoying ;)

    edit: This lets me see exactly what addons are loaded when I load the browser, as well as fine grain control over which can run whenever they feel like. Categorizing by developer and showing load time too is also a plus, it's quite simply the best addon manager around.

    addons.png
     
    Last edited: Oct 9, 2011
  22. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Okay, this is even stranger than I thought.

    First I disabled all the Java entries:
    iepluginsdisabled.png

    Yet the exploit kit still tried to load Java to exploit it, and a new Java entry was found in the 'currently loaded add-ons' view, enabled without permission:
    iepluginadded.png

    After disabling that add-on, I retried the exploit kit which once again attempted a Java exploit, and that time yet another Java component was added, also enabled without my permission:
    iepluginadded2.png

    So I disabled all the visible Java plugins as shown here:
    ieplugindisabled2.png

    yet somehow the exploit kit still tries to exploit Java.
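The posts above show why relying on the Manage Add-ons view alone is unreliable in IE: the Java Deployment Toolkit and related components are hidden from the default view, and new Java entries can show up enabled after a page invokes them. A practical way to audit what is actually registered, rather than what the UI chooses to list, is to read the registry directly. The following PowerShell script is an added example and is not part of this thread or of any project mentioned in it; it assumes a Windows host with Internet Explorer and some Java release installed, and it does not hard-code any Java CLSIDs. It enumerates every COM class whose in-process server DLL path mentions Java, notes whether that class is registered as a Browser Helper Object, and reports whether the ActiveX kill bit (the `Compatibility Flags` value with bit 0x400 set under IE's `ActiveX Compatibility` key) is set for it. The kill bit is the IE mechanism that stops a control from loading regardless of what a page requests, which is the kind of stronger measure the CERT note linked earlier is about.

```powershell
# Audit Java-related IE add-ons straight from the registry.
# Added example (not from the thread). Assumes Windows + IE + a Java install.
# Run from an elevated prompt so HKLM and both 32/64-bit CLSID hives are readable.

$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Collect the CLSIDs registered as Browser Helper Objects (key names are CLSIDs).
$bhoClsids = @{}
foreach ($root in $bhoRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { $bhoClsids[$_.PSChildName.ToUpper()] = $true }
    }
}

function Test-KillBit([string]$clsid) {
    # Kill bit = bit 0x400 of 'Compatibility Flags' under ActiveX Compatibility\{CLSID}.
    $key = Join-Path $killBitRoot $clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band 0x400) -ne 0)
}

$findings = @()
foreach ($root in $clsidRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $server)) { return }
        # The DLL path is the key's default value; -match is case-insensitive in PowerShell.
        $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        if ($dll -and $dll -match 'java') {
            $findings += [pscustomobject]@{
                Clsid   = $clsid
                Dll     = $dll
                IsBho   = $bhoClsids.ContainsKey($clsid.ToUpper())
                KillBit = Test-KillBit $clsid
                Hive    = if ($root -match 'Wow6432Node') { '32-bit' } else { 'native' }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No COM classes with a Java DLL as in-process server were found.'
} else {
    $findings | Sort-Object Dll, Clsid | Format-Table -AutoSize
    $unprotected = $findings | Where-Object { -not $_.KillBit }
    Write-Output ("{0} Java-related class(es) registered, {1} without the kill bit." -f
        $findings.Count, @($unprotected).Count)
}
```

Read the `KillBit` column as the thing that matters: an entry that is merely "disabled" in Manage Add-ons but has no kill bit can still be instantiated by a page, which is consistent with the behaviour reported above where new Java entries appeared after the exploit kit page ran. Setting the kill bit for a class is a deliberate change to HKLM and is best done through the vendor's or Microsoft's documented procedure rather than by hand, so this script only reports and does not modify anything.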
     
  23. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Do you have a link to this kit? I'd like to try it myself. PM me it if it's actually harmful.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Oracle patches Java flaw exploited in SSL BEAST attack:
     