Posted October 24, 2013

Java now requires explicit permission to run in the latest version of Firefox, thanks to a patch that rolled out late last week. Developers at Mozilla, the not-for-profit behind Firefox, are hoping that it will help protect end users from the notoriously unsafe browser plugin – but many have complained that the move has disrupted their businesses (and even the entire nation of Denmark). Since January, the browser has already blocked out-of-date (and vulnerable) versions of Java. However, in the wake of a particularly nasty SSL-decrypting exploit, Firefox devs made the decision to prevent any version of Java from auto-running.

October 24, 2013 Administrator

The devs did take a chance with this one but it's really for the greater good. Java is so sloppy and insecure that this needed to be done. I'm glad to see that Mozilla decided to take those first steps and I hope others follow despite the negative feedback by those who don't realize just how bad Java is.

October 25, 2013

I don't know what all the complaints are about - they're not preventing anyone from using Java, just requiring one extra click to allow it. They're making sure that users are aware that Java is a major security risk, which everyone should know, but apparently many don't.

November 3, 2013

> I don't know what all the complaints are about - they're not preventing anyone from using Java, just requiring one extra click to allow it.

Not true. It was actually block listed, as well as being Click-to-play (by Mozilla) as well as also being Click-to-play (by Oracle). Being on the blocklist meant that if you did not normally have the Navigation toolbar showing, then there was no way to run Java at all. The decision (now reverted) caused quite an argument both on the Mozilla Enterprise mailing list (that's the one for IT Admins who roll out the ESR version of Firefox over their networks) as well as on Bugzilla.

November 4, 2013 Administrator

It's no excuse for poor/lazy network admins. What Mozilla did was a necessary thing and it's sad to hear that they reverted due to pressure from people that need to be better educated in this and better handling/securing their networks.

November 4, 2013

> -snip- Being on the blocklist meant that if you did not normally have the Navigation toolbar showing, then there was no way to run Java at all. -snip-

They could always open the Nav bar - inconvenient, but not a stopper. I don't think a very large percentage of users hide the Nav bar, anyway, but I can see why those who do would be unhappy. Leaving the clueless majority of users vulnerable to avoid inconveniencing a small number of power users doesn't seem sensible, though.

November 4, 2013

> It's no excuse for poor/lazy network admins. What Mozilla did was a necessary thing and it's sad to hear that they reverted due to pressure from people that need to be better educated in this and better handling/securing their networks.

Ouch! Actually, it was the diligent network admins who have a custom/premium support contract with Oracle (giving them access to Java 6 update 65, for example, which is not available to the general public) who were complaining. They were faced with a custom version of the Java runtime on thousands, or tens of thousands, of computers, necessary for internal LoB applications, which wouldn't run.

November 4, 2013 Administrator

Yeah, I know it's harsh but it's a sad truth. I see it often and have even had to work at a college campus that was behind on updating software that needed updates to fix critical vulnerabilities and exploits. Debian actually handles this in a very good manner. While it may use old versions, I believe they also issue patches to fix the issues with backporting. I hope this was a wake-up call for network and sysadmins both. They really need to migrate away from Java as it's very old and obsolete in my opinion. I honestly run my computers without Java and I rarely ever find a website that needs Java. It's slow, insecure, and a window for numerous exploits and malicious software. The web would be better off without it. Especially with interactive things available like HTML5, Flash, etc.