Mozilla this week began blocking outdated versions of a Java plug-in in Firefox for some Mac users after calling the threat posed by the Flashback malware “evident and imminent.”
The move came two weeks after Mozilla disabled unpatched versions of Oracle’s software on Firefox for Windows.
Although Mozilla said on April 2 that it might add the Java plug-in to Firefox for Mac’s blocklist – a list it maintains of add-ons and plug-ins that the company disables because they’re infected with malware or have been targeted by attackers.
In a post to the company’s Add-Ons blog, Mozilla said the delay was due to the uptake of the patched plug-in Apple.
As Mozilla noted, cleanup efforts have made headway on the number of Macs infected with the Flashback malware. While more than 600,000 Macs were infested with Flashback as recently as two weeks ago, that number fell by 60 percent last week.
Another reason for Mozilla’s pause between blocklisting Java on Windows and Mac: Firefox has a bug. “There’s a bug in Firefox that prevents it from reloading plug-in metadata after an update,” acknowledged Mozilla. “This means that even if someone updates Java on Mac, Firefox will continue to say an old and vulnerable version is installed.”
Mozilla has fixed the bug and will roll the patch into Firefox 12, which is set for release on April 24.For those reasons, Mozilla instituted only a partial block of the Java plug-in, limiting it to copies of Firefox running on Macs powered by OS X 10.5 or earlier. OS X 10.5 is better known as Leopard.
While Apple no longer packages Oracle’s Java with OS X – it stopped that practice with Lion in July 2011 – it continues to issue Java security updates to people running Lion as well as 2009’s Snow Leopard or OS X 10.6. Java may be on some Lion systems: Users are prompted to install the software the first time they try to run a Java applet.
Because Apple no longer supports OS X 10.5 or Leopard, its predecessor Tiger or any older operating system, it doesn’t ship patches for Java to those users.
“People who are using Mac OS X 10.5 and older won’t get the Java update, which means they will remain vulnerable unless they update their operating system or upgrade their hardware,” noted Mozilla. “For these users there’s no point in waiting, so we have blocked the Java plug-in for them.”
Firefox users running OS X 10.5 or earlier, will have JRE 1.6.0_31 and earlier or JRE versions 1.7.0 through 1.7.0_2 disabled.
Mozilla called its move a “soft block,” which means users are notified that the plug-in has been disabled, but they can continue using it at their own risk by clearing the “Disable” box in the notification dialogue. Users can also later enable the plug-in from the Plug-ins section of Add-ons Manager by selecting “Add-ons” from the Tools menu.
Firefox users running OS X 10.6 and later will have outdated Java plug-ins disabled next week if they upgrade to version 12 of the browser.