Mozilla Blocks Vulnerable Java Versions In Firefox

timothy posted about 2 years ago | from the some-people-like-their-coffee-filtered dept.

Firefox 205

Trailrunner7 writes with this excerpt from Threatpost: "Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited. The decision to add these vulnerable versions of Java to the browser's blocklist is designed to protect users who may not be aware of the flaw and attacks. 'This vulnerability — present in the older versions of the JDK and JRE — is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms,' Mozilla's Kev Needham said."
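As an added example (not Mozilla's blocklist code and not part of the original story), here is one way an administrator could triage a fleet inventory against the version ranges quoted above. The hostnames and inventory rows are constructed, and applying the Windows thresholds to other platforms is an assumption made for reporting only.

```python
import re

# Upper bounds quoted in the Mozilla statement above: Java 6 Update 30 and
# below, Java 7 Update 2 and below. Only the Windows plugin is blocklisted.
AFFECTED_MAX_UPDATE = {6: 30, 7: 2}
BLOCKLISTED_PLATFORMS = {"windows"}

# Legacy java.version form: "1.6.0_30", "1.7.0_02-b13", "1.6.0" (no update).
_LEGACY = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?(?:-[\w.]+)?$")
# Short release-name form: "6u30", "7u3".
_SHORT = re.compile(r"^(\d+)u(\d+)$", re.IGNORECASE)


def parse_java_version(text):
    """Return (major, update), or None if the string is not recognised."""
    text = text.strip()
    m = _LEGACY.match(text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _SHORT.match(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def classify(version_text, platform):
    """Classify one install as blocked / affected-not-blocked / ok / review."""
    parsed = parse_java_version(version_text)
    if parsed is None:
        return "review"            # unparseable: a human has to look
    major, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(major)
    if limit is None:
        return "review"            # release line not named in the statement
    if update > limit:
        return "ok"
    if platform.strip().lower() in BLOCKLISTED_PLATFORMS:
        return "blocked"           # Firefox will disable this plugin
    # Assumption: same thresholds off Windows; no blocklist entry exists yet,
    # so the plugin keeps running and the host still needs the update.
    return "affected-not-blocked"


# Constructed sample inventory: (host, platform, reported Java version).
CONSTRUCTED_INVENTORY = [
    ("ws-001", "Windows", "1.6.0_30"),
    ("ws-002", "Windows", "1.6.0_31"),
    ("ws-003", "Windows", "1.7.0_02-b13"),
    ("ws-004", "Windows", "7u3"),
    ("mac-001", "OS X", "1.6.0_29"),
    ("ws-005", "Windows", "1.5.0_22"),
    ("ws-006", "Windows", "unknown"),
    ("ws-007", "Windows", "1.6.0"),
]


def audit(inventory):
    """Group hosts by status so the update push can be prioritised."""
    report = {}
    for host, platform, version in inventory:
        report.setdefault(classify(version, platform), []).append(host)
    return report


if __name__ == "__main__":
    for status, hosts in sorted(audit(CONSTRUCTED_INVENTORY).items()):
        print(f"{status:22} {', '.join(hosts)}")
```

The "affected-not-blocked" bucket is the one to watch: those hosts get no protection from the browser and depend entirely on the Java update being deployed.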

205 comments

Soo (0)

Anonymous Coward | about 2 years ago | (#39559535)

Does this mean the Java plugin will refuse to install now? They should do the same thing for Flash.

Re:Soo (2)

poetmatt (793785) | about 2 years ago | (#39559905)

Also makes me wonder what happens to bad legacy apps which rely on the older versions of Java?

Re:Soo (1)

Bigbutt (65939) | about 2 years ago | (#39560447)

That's my problem. I have older Dell hardware that requires a specific version of Java or we can't get console access. I have an old laptop that I use to maintain the older versions so I can still get that access.

[John]

Re:Soo (0)

Anonymous Coward | about 2 years ago | (#39560961)

Those apps should die anyway. I have an array of virtual machines on my workstation just to keep that kind of crap happy.

This is really a PITA.

Re:Soo (-1)

Anonymous Coward | about 2 years ago | (#39560487)

Google Chrome actually does block Java by default.

It also blocks Quicktime - another legacy plugin which is mostly used for malware now.

And there was me believing managed code was safe (-1, Flamebait)

Viol8 (599362) | about 2 years ago | (#39559561)

After all, there are no pointers, buffer overruns aren't possible without an exception being thrown as managed code evangelists keep telling us old school C++ guys, so how can there possibly be an exploit?

Oh wait, what's that? If the VM has a bug you're screwed? Oh dear, that doesn't sound good. Still, I'm sure it can't be true. VMs are the answer to everything aren't they?

Re:And there was me believing managed code was saf (2)

subanark (937286) | about 2 years ago | (#39559657)

The codespace where an exploit can occur is limited to only a subsection of VM's code. It is not perfect, but it offers better protection than running C code, and more flexibility than non-scripting HTML does. The same concept is used when running code as non-root even if you do have sudo access.

Re:And there was me believing managed code was saf (4, Insightful)

rudy_wayne (414635) | about 2 years ago | (#39560277)

> that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited.

No software is perfect. No software will ever be perfect. Any non-trivial code will contain some bugs, but there's something seriously wrong here.

Software like Java, Flash and Acrobat Reader aren't weekend projects thrown together in a few hours by a high school student. They have been around a long time and are produced by large companies with lots of resources. The fact that these programs still have to constantly be patched to fix gaping security holes is beyond absurd.

It would be funny if it wasn't so stupid.

Re:And there was me believing managed code was saf (2, Insightful)

TheRaven64 (641858) | about 2 years ago | (#39560433)

Every so often, someone says to themselves 'software is complex, and therefore prone to bugs. Some of these are exploitable, giving security holes. I bet we can fix that by adding another layer of complex software.' The most surprising thing is that people actually believe them.

Java dying? (4, Insightful)

Compaqt (1758360) | about 2 years ago | (#39559575)

So sad what has become of Java.

I know a large part of Slashdot hates Java, but:

-Java passed C/C++ on Sourceforge a while back
-Java was the first language of a lot of people because a lot of colleges adopted it
-Java was the first real and powerful language for a lot of people
-Java held out the promise of developing programs not beholden to M$, thereby making a lot of platforms viable
-Java was supposed to make things easier for the small developer (ISV) by allowing write-once, run anywhere.

So that's why a lot of people have good feelings for Java. Unfortunately, it's dying of a thousand cuts.

Re:Java dying? (4, Interesting)

jellomizer (103300) | about 2 years ago | (#39559653)

I think Java is just maturing not dying.

Java found its niche. JavaEE is still big, as it is a great platform for Web Services. However Java Applications have never gotten popular because they always end up looking a bit out of date (although it has greatly improved) compared to what the other platforms offer.

Slashdot hates Java because they hate anything that isn't Pure GNU open source.

Re:Java dying? (4, Insightful)

afidel (530433) | about 2 years ago | (#39559749)

Maybe Java applications never got popular with end users but they're pretty much the standard for advanced GUI management interfaces on enterprise equipment. I hope for the sake of people who need older Java versions to access the management interface on their switches, storage arrays, etc. that there is an advanced preference to turn this feature off (if not globally then on a per-domain basis).

Re:Java dying? (-1)

Anonymous Coward | about 2 years ago | (#39559861)

> JavaEE is still big, as it is a great platform for Web Services.

Java EE is a bloated piece of crap.

Re:Java dying? (0)

Anonymous Coward | about 2 years ago | (#39559985)

Maybe Slashdot hates Java in part because its evolution as a language has become stunted and, after you've used other, better languages (C# being the obvious comparison), it's painful to go back.

Re:Java dying? (1)

Anonymous Coward | about 2 years ago | (#39560111)

> after you've used other, better languages (C# being the obvious comparison),

LOL. C# is Java with the kitchen sink thrown in. 80% of the "features" added to C# lead to shitty, unmaintainable code.

The other 20% I'd like to see in Java XD

If you wanted to pick a "better" language you'd have done better with F#, Haskell, or Clojure.

Re:Java dying? (5, Funny)

Anonymous Coward | about 2 years ago | (#39560233)

More like Slashdot hates Java because they flunked their intro CompSci course at the community college and now "develop" by tweaking PHP blogging software.

Re:Java dying? (3, Interesting)

CubicleZombie (2590497) | about 2 years ago | (#39560209)

> However Java Applications have never gotten popular because they always end up looking a bit out of date

The Windows look-and-feel should have been enabled by default. Then Java wouldn't look like a 15 year old version of Solaris.

Re:Java dying? (1)

Windwraith (932426) | about 2 years ago | (#39560251)

"Slashdot hates Java because they hate anything that isn't Pure GNU open source."
So how do you explain the massive influx of Apple lovers?

Re:Java dying? (1)

Bill_the_Engineer (772575) | about 2 years ago | (#39560945)

> So how do you explain the massive influx of Apple lovers?

Because being fond of Apple products and being fond of GNU open source isn't absolutely mutually exclusive.

Re:Java dying? (1)

gstoddart (321705) | about 2 years ago | (#39561071)

> Because being fond of Apple products and being fond of GNU open source isn't absolutely mutually exclusive.

With all of the hate directed at Apple, I actually have a hard time believing that.

Re:Java dying? (1)

Bill_the_Engineer (772575) | about 2 years ago | (#39561319)

> With all of the hate directed at Apple, I actually have a hard time believing that.

How does hate being directed at Apple apply?

If we are talking about a group of people who like Apple stuff then why would someone's, who is outside of that group, opinion of Apple affect the Apple group's affinity towards GNU open source?

Re:Java dying? (4, Informative)

TheRaven64 (641858) | about 2 years ago | (#39560687)

> Slashdot hates Java because they hate anything that isn't Pure GNU open source.

No, there are a lot of legitimate reasons to hate Java, mainly because it promised things it couldn't deliver. It promised to be portable, but running it on anything that isn't one of under half a dozen blessed platforms is painful. That new MIPS server? Sorry, no Java for you! For a long time, even Java on *BSD on x86 was painful due to onerous licensing requirements (binaries weren't redistributable, so you needed to download the source - manually so you could agree to the license agreement - download the Linux version, use the Linux version to compile the BSD version).

Then there's performance. Java performance is on a par with StrongTalk or Self, yet it's a much lower-level language. Performance is usually okay, but again Java promised C-like performance and then shows misleading benchmarks to demonstrate it.

Next there's the pain of interfacing Java with other languages. If I have a C library, I can trivially call it from most scripting languages, from Objective-C, from C++, from D, from Pascal, from Lisp, and so on. If I have a Java library, it's difficult to use it from anything that's not Java. Conversely, it's difficult to use existing libraries from Java - JNI is a whole world of pain. This means that Java often involves reinventing the wheel, while other languages just provide thin (and often automatically generated) wrappers around libraries written in other languages where appropriate.

Then there's the incompatibilities between versions. Once you've got your write-once-run-anywhere program working on your customer's machine, he installs a new version of the JRE and it stops working. Meanwhile, the statically compiled, statically linked, program in another language works just fine...

And then there's the library system. Some rookie mistakes, like making String final. More importantly there's the design patterns fetishism that's so prevalent. There's a reason for all of those JavaProgramFactoryFactoryFactory jokes...

Re:Java dying? (3, Informative)

TheRaven64 (641858) | about 2 years ago | (#39560789)

Oh, and I forgot to mention the UI problem. Java UIs look and feel wrong on every platform, although they look and feel least wrong on Windows. Java promoted the idea that you should use the same UI on every platform (ignoring the fact that different user interface guidelines are one of the main differences between platforms, from a user's perspective). They intentionally made it difficult to use the target platform's user interface APIs with Java code (although Apple fixed that on OS X in 10.0, before deprecating it around 10.4) to push the idea that you'd run the same code everywhere. Good cross-platform GUI apps are MVC, using native views and slightly different controllers on each platform, but the same model code. Doing this in Java is much harder than it should be.

Re:Java dying? (2)

Compaqt (1758360) | about 2 years ago | (#39561033)

>Some rookie mistakes, like making String final.

Well, the way the father of Java (Gosling) explained it, I think he said something like if you could subclass String, then you could send a MyString to someplace that expected a String, and possibly hack into something rather (password, etc.).

Re:Java dying? (2, Interesting)

Bill_the_Engineer (772575) | about 2 years ago | (#39561201)

I'm just going to respond to a few of your points:

> No, there are a lot of legitimate reasons to hate Java, mainly because it promised things it couldn't deliver.

There are plenty of other languages that promise much and deliver few. I think a lot of language preference depends on what you learned first and who you choose to associate with. I know plenty of Perl programmers who swear Perl is the one true language, and the same with C++, Python, Ruby, etc. Each language has its strengths and weaknesses, but none of them have anything that warrants the level of hate. Except for Perl it is perfectly fine to hate that one. :P

> Then there's performance. Java performance is on a par with StrongTalk or Self, yet it's a much lower-level language. Performance is usually okay, but again Java promised C-like performance and then shows misleading benchmarks to demonstrate it.

I don't know where you get your information from but Java does pretty well on the performance front. It benefits greatly from its static typing system and doesn't suffer from the overhead that is associated with the dynamic languages like Perl, Ruby, and Python. Java is magnitudes faster than the current batch of young languages and is in close ranks with the big three (C, Fortran, and C++). The fact that it runs without recompile on multiple hardware platforms is a bonus.

> Next there's the pain of interfacing Java with other languages. If I have a C library, I can trivially call it from most scripting languages, from Objective-C, from C++, from D, from Pascal, from Lisp, and so on.

To be fair, I'd hope it would be trivial to call a C library from within C++ and Objective-C otherwise something is seriously wrong since they are pretty much derived from C. As for "so on" I do know that there is usually a binding meta-language involved (Perl's comes to mind), so I don't think JNI is any less different than the others. Since the other languages tend to be *much* slower, binding to a C library is much more important for them.

> Then there's the incompatibilities between versions. Once you've got your write-once-run-anywhere program working on your customer's machine, he installs a new version of the JRE and it stops working. Meanwhile, the statically compiled, statically linked, program in another language works just fine...

Not necessarily true. You can keep your older versions of the JRE installed. Of course your comparison is with a "statically compiled, statically linked program" and not the more compact and prevalent dynamically linked programs. Nothing prevents someone from continuing to use the older JRE with a Java application that has all of its dependencies included in the application JAR file.

> And then there's the library system. Some rookie mistakes, like making String final. More importantly there's the design patterns fetishism that's so prevalent. There's a reason for all of those JavaProgramFactoryFactoryFactory jokes...

And this is unique to Java?

Re:Java dying? (1)

ruinevil (852677) | about 2 years ago | (#39559665)

Mainly... it's often slower than C/C++, so the simple presence of the Java icon makes both programmers and users exasperated and annoyed.

Secondly, people hate it for the same reason colleges love it, it forces sane programming techniques, like Pascal did.

Thirdly, it is abstracted away from machine code, so you cannot understand what your algorithms do in assembly.

Yeah, if you run only one Java program (1)

tepples (727027) | about 2 years ago | (#39559943)

> it's often slower than C/C++, so the simple presence of the Java icon makes both programmers and users exasperated and annoyed.

After recent improvements in the VM, the only time it's noticeably slower than C++ is if the VM has to be started for the first time. If you run more than one program written in Java, it's less noticeable.

> Thirdly, it is abstracted away from machine code

So is C++. In fact, some critics [yosefk.com] believe that wading through a rat's nest of C++ templates is so abstracted that it's harder to know what's going on in a program than it would be in Java.

Re:Java dying? (1)

oh_my_080980980 (773867) | about 2 years ago | (#39559953)

"Thirdly, it is abstracted away from machine code, so you cannot understand what your algorithms do in assembly."

You're joking, right? Who the hell knows machine code these days? That's the point about higher level languages, you program in near real language not assembly.

The Java icon is not nearly as annoying as Flash.

Re:Java dying? (1)

Shavano (2541114) | about 2 years ago | (#39560485)

More to the point, being abstracted from the machine-code level is the point of writing in a higher-level programming language.

Imagine the horror of writing a simple dialog box to enter a string in machine code. Maybe one in a ten million programmers has ever actually done that.

You should only even consider opening up the assembler manual if you are about to do something that's machine-specific and not supported by whatever higher-level language you're using for the bulk of your project.

Perhaps ruinevil was considering that there's value in understanding what operations processors can do at the machine level, and I agree that there is, but it's easily overstated. 99.9% of the time, I don't care what low-level operations have to happen to make my higher-level program compute and I certainly don't want to waste time thinking about it when I don't have to.

Re:Java dying? (1)

Compaqt (1758360) | about 2 years ago | (#39561087)

Well, I can't speak to the crazy-insane complicated machine code of today's procs, but I think compsci students should at least have a basic intro (like 1 or 2 days) to assembly/machine language, like maybe in an 8086 emulator on Linux.

Just make it do something, like access the MS-DOS subroutines (in FreeDOS).

The point is just to have some sort of grounding in what actually happens in a computer.

Re:Java dying? (1)

mcgrew (92797) | about 2 years ago | (#39561221)

IMO if you don't know assembly (on at least one chip) you're not much of a programmer, because you really don't know what your code is doing.

You do realise that the CPU designers know machine code, right? And assembly was closer to human language than any of the high level languages. MOV A, B. Simple, elegant, easily understandable. If you know assembly, learning any other language is pretty easy.

Re:Java dying? (1)

Myopic (18616) | about 2 years ago | (#39560035)

The presence of a Java icon doesn't make programmers exasperated, it makes us thankful to have a tool which manages memory for us. Memory management is hard, and this tool makes it easier. All programming languages are tools, tools which do some things better than others, and memory management is one of the most important features of a programming language as a tool.

Re:Java dying? (0)

Anonymous Coward | about 2 years ago | (#39560105)

Your so-called x86 "machine code" is reinterpreted by the processor into RISC-like microcode that only vaguely resembles your binary. It's been like this since the Pentium II.

Re:Java dying? (1)

Shavano (2541114) | about 2 years ago | (#39560713)

The X86 instruction code is the lowest level that's accessible. You can only cause actions to happen at the core level by executing machine instructions.

Re:Java dying? (1)

Korin43 (881732) | about 2 years ago | (#39560161)

I think being abstracted away from the operating system is more important than assembly output or execution speed differences. I suspect a lot of Java programs feel slow because they're not using the power of their OS as well (virtual memory and various kinds of notifications, plus the fact that NIO isn't promoted very heavily).

Re:Java dying? (0)

Anonymous Coward | about 2 years ago | (#39560469)

Don't forget that whoracle began bungling crap with Java updates like McAfee trials.

Re:Java dying? (5, Insightful)

Necroman (61604) | about 2 years ago | (#39559699)

Java's server-side is still very strong and won't be going anywhere anytime soon.

Java as a language for UIs, not so much. The built in UI widgets and windowing (Swing) is weak at best. While it has many of the basic widget types, it hasn't really evolved much as time has moved forward. Plus it always felt just enough different from native applications to stop developers from using it.

Java applets, I feel, have been dead for a long time. Applet initialization time was just too long or would break during loading to discourage people from using it. Though, I've seen Java Web Start work pretty well for deploying Java applications.

Re:Java dying? (2, Informative)

CubicleZombie (2590497) | about 2 years ago | (#39560437)

> The built in UI widgets and windowing (Swing) is weak at best. While it has many of the basic widget types, it hasn't really evolved much as time has moved forward.

Hasn't evolved, compared to what? Its big competitor for the rich-client is .NET, which is basically just a wrapper over the same old Win32 controls we were using with MFC in the 90's. I can do anything with Swing.

> Java applets, I feel, have been dead for a long time. Applet initialization time was just too long or would break during loading to discourage people from using it. Though, I've seen Java Web Start work pretty well for deploying Java applications.

The worst thing to ever happen to Java was Netscape 3.x and the Hotspot VM. Everybody remembers the "Starting Java..." message on the task bar - for several minutes - and then the inevitable browser crash. That sealed Java's fate on the client.

Re:Java dying? (2)

eternaldoctorwho (2563923) | about 2 years ago | (#39559809)

According to the language rankings by TIOBE [tiobe.com], Java is still very much in the lead, with only C as a "competitor" (although I think the practical usages of both languages are disjoint enough to not worry about competition). Everything else is trailing behind by a fair margin.

Re:Java dying? (1)

Shavano (2541114) | about 2 years ago | (#39560795)

But they base their rankings on web searches, which is pitiably lame. The fact that a language showed up in a web search is subject to variation based on press releases and manipulation.

If you want high-quality information, survey professional and amateur programmers and ask them what languages they have used in the last month.

Re:Java dying? (3, Insightful)

The MAZZTer (911996) | about 2 years ago | (#39559819)

Minecraft runs on Java, so it'll stick around for a bit longer whether we like it or not.

Re:Java dying? (1)

antdude (79039) | about 2 years ago | (#39560669)

Why was Minecraft designed for Java anyways? I find that annoying. I can't get rid of Java just yet. Can't it use something else? OK, Flash sucks... Silverlight, ugh. :(

Re:Java dying? (0)

Anonymous Coward | about 2 years ago | (#39561199)

Sure. Just rewrite it yourself in your favourite language du-jour you lazy fuck. Sorry, what should the World (which clearly revolves around you) do to alleviate the pain you must feel having Java installed on your machine?

Seriously, if you're an independent game developer Java is hard to beat because you get Mac, Linux and Windows support almost for free.

Re:Java dying? (4, Insightful)

rudy_wayne (414635) | about 2 years ago | (#39559931)

> -Java held out the promise of developing programs not beholden to M$

So now you can make programs that are beholden to Oracle, who are just as bad, or worse.

Re:Java dying? (2)

Myopic (18616) | about 2 years ago | (#39559977)

Java definitely isn't dying. I thought it was over the hump about five years ago, and started using other languages. Since then, Android dev has exploded, and now I spend my time using Cassandra database (Java) and Storm topology runner (Java).

In the past we used Java to make web pages a little more interesting. Today, web pages can do enough with HTML and JavaScript, so we don't need Java applets anymore -- and good riddance, at that. But that hardly means Java is dying. It isn't. Not at all.

Re:Java dying? (0)

Anonymous Coward | about 2 years ago | (#39560049)

> Unfortunately, it's dying of a thousand cuts.

It is, even as someone who's never been a fan, I can recognize it has so much damn potential. As an observer, the idea of Java Web Start seemed to be a decent alternative to the square peg we've been pounding into a round hole for the last decade of jamming applications into webpages. Of course I knew it wouldn't get any traction, but it seemed like a solid idea.

Re:Java dying? (1)

Mongo T. Oaf (2600419) | about 2 years ago | (#39560787)

I think some people don't understand the difference between Java and JavaScript. After learning Python, I realize how much fun Java can be. They're both interesting. Very relatable. From C, C++. Both languages are very powerful languages. More fun than plain old C.

Re:Java dying? (1)

Hentes (2461350) | about 2 years ago | (#39560957)

Many people like Java and it's not going anywhere in the foreseeable future. But Java applets are a different story, they will die a well-deserved death.

Re:Java dying? (1)

CosaNostra Pizza Inc (1299163) | about 2 years ago | (#39561025)

Java is alive and well in enterprise server environments and mobile devices. Any tablet or smartphone that runs Android is using Java for the majority of its apps. Also, as some other posters pointed out, Java is continually maturing.

Re:Java dying? (1)

tlhIngan (30335) | about 2 years ago | (#39561107)

Java's pretty big in the consumer market - every Blu-ray player uses it, most cellphones (vast majority) have a JVM, and Android uses it as a development language (though the bytecode used by Android isn't Java bytecode).

It's become the embedded language - used everywhere but few people noticing.

Mozilla gives middle finger to enterprise again (4, Insightful)

jellomizer (103300) | about 2 years ago | (#39559587)

I don't know why all the fuss is about breaking our version scheme so the Enterprise has a harder time planning appropriate upgrades to their work stations. And now we decided to break compatibility with your legacy Java systems.

So now we have to be sure that we upgrade our Java first then Firefox... However we had planned to do Firefox this week and Java next month, after you know we test our applications that we need to run our business with the new Java version.

The enterprise doesn't stick with IE because they think it is a good browser they know how much it sucks. They stick with it because it can be maintained and managed properly in an enterprise environment.

Re:Mozilla gives middle finger to enterprise again (5, Insightful)

i kan reed (749298) | about 2 years ago | (#39559619)

If you have to choose between clearly dangerous infection vector and updating ancient and fragile legacy java applets, I'd say Mozilla is the least of your problems.

Re:Mozilla gives middle finger to enterprise again (1, Insightful)

jellomizer (103300) | about 2 years ago | (#39559759)

A lot of enterprises would love to give Firefox or Chrome as their standard browser. Much better use of the standards and faster and predictable running of modern stuff. So if you want to move away from your Legacy Java Applets to a new System Mozilla is a good choice for an enterprise technically to standardize on. However the Mozilla foundations are being a bunch of Elitists Richards, and seemed hell bent to make sure that Mozilla isn't incorporated in an Enterprise environment. And Enterprises need to make a policy of saying we do not support this product. So as we migrate away from those old legacy Java Applets, which can take years to do. We are replacing them with Apps specialized and optimized for IE because we don't have any other logical choice. Because IE is the only browser that will allow the Enterprise run its own way.

Re:Mozilla gives middle finger to enterprise again (0)

Anonymous Coward | about 2 years ago | (#39559873)

Who gives a shit what these money-laundering enterprises do or don't do?

Re:Mozilla gives middle finger to enterprise again (2)

kwrzesien (1263426) | about 2 years ago | (#39560615)

So there is EXACTLY ONE version of Java that is usable: 7u3. There is NO PATCHED version of jre6 or jdk6 that is available for our 80,000+ workstations managed by Tivoli that have jre6 installed. Upgrading to 7 requires going through Field Certification of months of application compatibility checking.

Not to mention the servers that have jdk6 installed to a specific path, jdk7 would go in a different path and require changes to configuration files and regression testing. This is a 2-3 month process usually rolled into other development processes and doesn't just drop on the datacenter in one day. I think at least five departments would be involved in getting this change implemented.

No, Mozilla should be forcing this on Oracle to release a patched and updated 6u31 that can be automatically pushed to all machines, then wait two weeks and drop the hammer on anyone left behind.

Re:Mozilla gives middle finger to enterprise again (1)

kwrzesien (1263426) | about 2 years ago | (#39560955)

I'd like to correct myself, 6u31 has been made available - it just isn't updating automatically yet. We might be testing it internally before beginning the workstation push. Either way I think Mozilla jumped the gun a little bit, this update must have just come out.

Re:Mozilla gives middle finger to enterprise again (1)

archen (447353) | about 2 years ago | (#39561177)

> Either way I think Mozilla jumped the gun a little bit, this update must have just come out.

Try late February.

Re:Mozilla gives middle finger to enterprise again (0)

Anonymous Coward | about 2 years ago | (#39561171)

Don't know if I'm missing something obvious but jre6u31 has been released, in fact it was released a couple of weeks ago. It's also the jre6 enterprise baseline version.

Re:Mozilla gives middle finger to enterprise again (1)

Shavano (2541114) | about 2 years ago | (#39561049)

I think anything that forces my enterprise to update its clay tablets is a good thing. But this is not that thing. IT will just say, "You could just use Internet Explorer." And they'd be right. Who has the time to go on a project of updating enterprise apps every time a browser changes?

I use Internet Explorer exclusively now (when at work) because the current version works adequately with everything else I use. Firefox used to, but then they updated it and it didn't work right with some of our enterprise apps. I could get it to work by loading the right plugins. Then it mysteriously stopped working. Then it started working. Now it doesn't work.

It ain't worth the trouble. The next time I consider switching browsers it will be because IE has stopped working for some enterprise app that I must use to do my job. The only way I'll end up using two browsers in the same week is if one of them works right for one of my enterprise apps and the other works right for another indispensable app.

How about a huge blinky warning instead? (3, Insightful)

khasim (1285) | about 2 years ago | (#39559645)

Instead of Mozilla just fucking DISABLING it, how about adding a huge blinky warning to it?

"Oh, wow. I should upgrade as soon as I get the opportunity."
vs
"Fuck, it broke!"

Re:How about a huge blinky warning instead? (1)

leuk_he (194174) | about 2 years ago | (#39559771)

The Java updater should have done that. Why didn't it? It flashes so often it's annoying. Maybe it is not doing its job?

Re:How about a huge blinky warning instead? (0)

Anonymous Coward | about 2 years ago | (#39559999)

Most of the operating systems I use don't have a "java updater". On windows, I hate updating java because it doesn't UNINSTALL the old version. Instead they just put another copy into a new directory. I have to remove java and then reinstall it. Plus the java updater tends to focus on JRE updates, but I have to go through crap to update a JDK including futzing with my IDE sometimes. It's a fail.

My problem with this plan is that Mozilla already makes it a nightmare to manage their browser on supported platforms, but now they're going to complain about java versions too. Think about this from an OS project standpoint. They have to release new java binaries BEFORE updating firefox now. It's going to suck for Linux distros and be even worse for *BSD. When Java is part of your OS like Mac OS or Solaris, what do you do then?

Re:How about a huge blinky warning instead? (1)

PlusFiveTroll (754249) | about 2 years ago | (#39560295)

I do believe somewhere around Java 6r16 they started removing the previous version when you ran the update, that said it doesn't remove any older secondary copies that were still around, but for most people your complaint has been addressed.

On the second part, why can't the distros deal with this themselves, since they do have the source they can have this check behave however they want... that said, I DO NOT WANT your broken distribution spreading AIDS on the internet. Enterprises, power users, and the uninformed still need to know that they are like a whore with syphilis when the browser they are using will gladly catch an infection from the first site that manages to ram it in. Google learned a lot about this not too long back.

Re:How about a huge blinky warning instead? (0)

Anonymous Coward | about 2 years ago | (#39561153)

Except if you're like me, you don't allow the damn updater to connect automatically. Hell if I need a new version of Java, I'll grab it myself and install it after I uninstall the existing version for security/safety reasons. Personally, if it wasn't for a single Java App, it wouldn't be installed on my system at all because the damn thing is a damn cpu hog.

Re:How about a huge blinky warning instead? (1)

afidel (530433) | about 2 years ago | (#39559801)

Better would be to add whitelist support, like say a trusted zone? Yeah, it's one thing I love about IE, I can lock down the default configuration and allow all sorts of known bad configuration changes to the trusted sites zone to allow for legacy compatibility. It's exactly why IE's marketshare in the enterprise isn't going away.

Re:How about a huge blinky warning instead? (1)

khasim (1285) | about 2 years ago | (#39559949)

Something like NoScript but with more granularity and that can be pushed to each workstation?

Sounds good. And 100% better than the course Mozilla did choose.

Re:How about a huge blinky warning instead? (2)

Windwraith (932426) | about 2 years ago | (#39559951)

Do you realize that a warning is for average users to ignore? "Oh, wow. I should upgrade as soon as I get the opportunity" only works for people like us. Most people will do "CANCEL CANCEL CANCEL".

Re:How about a huge blinky warning instead? (0)

Anonymous Coward | about 2 years ago | (#39560047)

Enterprise customers have no money to spend.

Enterprise customers have no expertise in their IT departments they can use.

Enterprise customers developed software ONCE back in 1973 and expect said software to work without any maintenance at all and expect it to work with all the latest and greatest software out there. Never mind that their "software development" was never intended to be more than a quick hack to fix a problem 10 years ago. Never mind the fact that the quick hack depends on a fucking bug that really should be fixed. Never mind the fact that the deep pocket enterprise customers should have migrated to a better more robust solution at probably 9 years ago.

Are enterprise customers really worth satisfying? It just seems that the small shallow pockets of the long tail are easier to please and it's more productive to do so.

Re:WINDOWS AGAIN (0)

Anonymous Coward | about 2 years ago | (#39560163)

from TFA:

we have added affected versions of the Java plugin for Windows

Re:How about a huge blinky warning instead? (1)

nashv (1479253) | about 2 years ago | (#39560369)

This is a philosophical decision. Any setting that compromises security should be OPT-IN by design, not the default.

IT Professionals of minimal competency will read complete release notes before rolling out a new version of any software. So if you have a "Fuck it Broke" situation, blame it on your IT guys.

Re:Mozilla gives middle finger to enterprise again (0)

Anonymous Coward | about 2 years ago | (#39559739)

That's fine, the enterprise can simply be left behind.

Pretty soon their ie6 won't even work on non internal websites

Re:Mozilla gives middle finger to enterprise again (1)

oh_my_080980980 (773867) | about 2 years ago | (#39559975)

BFD. Businesses don't want their employees surfing the web for non business related business.

Re:Mozilla gives middle finger to enterprise again (1)

PlusFiveTroll (754249) | about 2 years ago | (#39560379)

Just wait till their internal website gets pwnt by a disgruntled employee and the network goes up like the Triangle Shirtwaist Factory.

Running exploitable software is Russian Roulette, one day the trigger is going to get pulled and it's going to blow your head off.

Re:Mozilla gives middle finger to enterprise again (4, Informative)

Anonymous Coward | about 2 years ago | (#39559793)

From the article:

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

The block isn't compulsory. Undo the block and keep working in the meantime.

Re:Mozilla gives middle finger to enterprise again (0)

Anonymous Coward | about 2 years ago | (#39560125)

Chrome has a better solution. It blocks ALL java applets by default (user can whitelist per site). The average user will likely NEVER see an applet unless it is malware.

Re:Mozilla gives middle finger to enterprise again (3, Insightful)

nashv (1479253) | about 2 years ago | (#39559897)

And you would deserve it. If you maintain an insecure system, you are a threat not just to yourself, but to the entire internet.

You foster malicious code that can be used to pit your system against others. Everyone is connected on the Internet, and if you chose to be a weak link, you are everyone's problem.

I am usually sympathetic to upgrade issues, but if you are going to be in the wild of the internet, fix your software. You are on an internal closed network, no one is forcing you to upgrade Firefox. Maintain your legacy setup.

Think about that for a bit. (1)

khasim (1285) | about 2 years ago | (#39560165)

Which is easier for the average corporation?

a. Fixing the crap code that they've accumulated over the years?

b. Sticking with IE because it allows them to run the crap code from a?

Mozilla may have chosen the moral course in this but they won't achieve anything except to further marginalize themselves in corporations.

Fixing code costs money. Sticking with IE is free.

Re:Think about that for a bit. (1)

sg_oneill (159032) | about 2 years ago | (#39560341)

If the IT department in your enterprise is forcing you to use insecure software, make an appointment with the head of IT, punch him in the head, and fuck his wife. It's a win-win scenario.

Re:Think about that for a bit. (1)

mounthood (993037) | about 2 years ago | (#39560477)

Fixing code costs money. Sticking with IE is free.

Not fixing anything is cheaper than fixing it (in terms of immediate cash expense). Doesn't mean sticking with IE is the right decision, or a reasonable decision, or even that someone made a decision instead of ignoring the problem.

What should Mozilla do? Clearly they should focus on security. What should your "average corporation" do? Also care about security! But if they aren't going to and they want their software to stay static and unchanging, there are any number of solutions including: Go to "about:config" and change "app.update.auto" to false.

I don't like the all or nothing approach. (1)

khasim (1285) | about 2 years ago | (#39560625)

Not fixing anything is cheaper than fixing it (in terms of immediate cash expense).

Yep. That's the core problem with computer security. It is always cheaper to not do anything (right up until you lose critical data to a cracker) as long as it runs "good enough".

Doesn't mean sticking with IE is the right decision, or a reasonable decision, or even that someone made a decision instead of ignoring the problem.

Even the decision to ignore the problem is a decision. Again, as long as it runs "good enough" there will be problems getting it changed.

But if they aren't going to and they want their software to stay static and unchanging, there are any number of solutions including: Go to "about:config" and change "app.update.auto" to false.

I don't like the all or nothing approach.

How about white lists instead? Recognize that there will be instances where X is not safe for use on the Internet but you still need X for your corporate apps.

So X is whitelisted only for specific apps / servers / IP ranges / whatever and blocked for everything else.

NoScript already does a pretty good job on most of that. But it needs more granularity.

Re:Mozilla gives middle finger to enterprise again (4, Insightful)

Kagato (116051) | about 2 years ago | (#39559947)

Enterprise customers don't just roll out browsers. They do testing, they tweak the configuration and then they roll it out. Having to take the extra step to configuring some settings doesn't sound like a deal breaker. If anything, it sounds like a feature enterprise could really use. If your organization is whining about this, they likely aren't following due diligence in testing the browsers in the first place.

Re:Mozilla gives middle finger to enterprise again (1)

mounthood (993037) | about 2 years ago | (#39560227)

I don't know why all the fuss is about breaking our version scheme so the Enterprise has a harder time planning appropriate upgrades to their work stations. And now we decided to break compatibility with your legacy Java systems. ... The enterprise doesn't stick with IE because they think it is a good browser they know how much it sucks. They stick with it because it can be maintained and managed properly in an enterprise environment.

Large/Enterprise organizations value version stability more than security? That's poor judgment. What does "maintained and managed properly" mean if it doesn't include security? It means two things: IT can cover their asses and blame problems on Microsoft, and IT can keep using vulnerable software rather than upgrading when there's security issues. Using vulnerable software is convenient for IT, but a poor solution to keeping production running.

You theorize that IE is used because it's broke but version stable. I think it's dumb inertia combined with sentiments like 'nobody ever got fired for buying Microsoft' and 'you touch it, you own it', rather than a considered and reasoned decision to use IE. Your post echoes complaints about upgrades that many others have made, but they always sound like IT complaining about having to do their job, and I can tell you from experience that the upgrade cycle never ends, and the desktop issues are nothing compared to server-side systems. IT needs to get over it and fix the problem in a way that's either (relatively) long term or easy to replicate.

Finally, here are two alternatives to IE: They could use Mozilla Firefox Extended Support Release [mozilla.org] and get both security and stability. Or they could disable Java in the browser and use Java Web Start [oracle.com] for their important Java apps.

Re:Mozilla gives middle finger to enterprise again (2)

supremebob (574732) | about 2 years ago | (#39560407)

I hear ya.... I needed to scramble this morning to disable this warning message on two dozen kiosk systems, even though I configured Firefox to never check for plug-in updates.

Thank you once again for screwing up my production environments without any warning, Mozilla. I'm switching my kiosks over to Chrome, where the option for disabling plug-in checks actually works as promised.

Sounds good to me (1)

omfglearntoplay (1163771) | about 2 years ago | (#39559643)

I assume you have to be on the most recent release to get this Firefox update. That should be clarified in the article somewhere obvious.

It's not always easy to get time to deal with all the rogue computers we have floating around, and the damned Java vulnerabilities are killing us. We go to all the trouble to make users actual users and not admins despite a huge backlash, then next thing you know they are getting viruses as regular users mostly due to Java problems. WTF? Middle sized businesses can't keep up at least from what I've seen.

I think this is a nice idea from Firefox to help protect users. I hope it works. I guess IT depts still have to deal with getting everyone up to date on Firefox to do it though... it never ends. Maybe it is time to go virtual desktop for 90% of users.

disable? (2)

X0563511 (793323) | about 2 years ago | (#39559713)

I can't find any means to disable this in about:config.

I -HAVE- to have older versions of java installed on my workstation to replicate problems with old releases of our software.

Re:disable? (5, Informative)

Anonymous Coward | about 2 years ago | (#39559779)

https://wiki.mozilla.org/Extension_Blocklisting:User_Interface

Preferences for controlling the blocklist
The common user should not be allowed to override the automatic updating and application of the blocklist, but there are valid use cases for doing so.

The following preferences should be created to govern this behaviour:
        * extensions.blocklist.enable (boolean), toggles blocklist enabled on/off

Other applications or distributions may want to provide their own blocklist update url which will be controlled by the following pref:
        * extensions.blocklist.url (string), url to the blocklist file

The interval in which the blocklist runs will be defined by the following pref:
        * extensions.blocklist.interval (integer), the interval in which to download a new blocklist file

These preferences should be documented on developer.mozilla.org and any announcements for developers about the blocklist functionality.
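For administrators who need to know which machines have these overrides set, here is an added example (not part of the thread or of Mozilla's code) that audits the text of a profile's prefs.js for the preferences named in the comments above. The sample file, its URLs and the rule that any user-set blocklist URL is flagged for review are assumptions made for illustration.

```python
import re

# Values that switch off a protection discussed in the thread. The wiki text
# spells the first pref "extensions.blocklist.enable"; shipped Firefox uses
# "extensions.blocklist.enabled", so both spellings are checked.
RISKY = {
    "extensions.blocklist.enable": False,
    "extensions.blocklist.enabled": False,
    "app.update.auto": False,
}
# Assumption: a user-set blocklist URL deserves review, since it changes
# where the browser fetches its blocklist from.
REVIEW_IF_SET = {"extensions.blocklist.url"}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample of a profile's prefs.js (not taken from a real machine).
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("app.update.auto", false);
user_pref("browser.startup.page", 3);
user_pref("extensions.blocklist.enabled", false);
user_pref("extensions.blocklist.interval", 86400);
// user_pref("extensions.blocklist.url", "http://old.example/list.xml");
user_pref("extensions.blocklist.url", "https://blocklist.example.invalid/list.xml");
'''


def parse_value(raw):
    """Convert a prefs.js literal (true/false, "string", integer) to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Return {name: value} for each user_pref() line; comment lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit_prefs(text):
    """List (pref, value, reason) findings for one profile's prefs.js text."""
    findings = []
    for name, value in sorted(parse_prefs(text).items()):
        # "is" keeps an integer 0 from being mistaken for boolean false.
        if name in RISKY and value is RISKY[name]:
            findings.append((name, value, "protection disabled"))
        elif name in REVIEW_IF_SET:
            findings.append((name, value, "non-default blocklist source"))
    return findings
```

Calling `audit_prefs(SAMPLE_PREFS)` flags the disabled auto-update, the disabled blocklist and the overridden blocklist URL, and ignores the commented-out line.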

Re:disable? (1)

oneandoneis2 (777721) | about 2 years ago | (#39559895)

So keep an older version of Firefox installed to run older versions of Java with. Why would you want a cutting-edge browser to replicate legacy problems?

Re:disable? (2)

supremebob (574732) | about 2 years ago | (#39560435)

This plug-in block warning doesn't seem to be version specific. I've seen it happen on versions of Firefox as old as version 3.6.

Re:disable? (0)

Anonymous Coward | about 2 years ago | (#39561333)

Hi, I'm from mozilla.

We don't care. Go away.

OSX (0)

Anonymous Coward | about 2 years ago | (#39559731)

I thought that Java for OSX was still dictated by Apple... If they add a blocklist for OSX, won't that mean that sometimes there will be no option to upgrade to?

Got bit yesterday (0)

ArhcAngel (247594) | about 2 years ago | (#39559871)

Don't know what site was infected but I saw the JAVA icon pop up in the system tray on my windows 7 pc and the next thing I know there are a hundred popup windows telling me my HDD had failed and one window for S.M.A.R.T. HDD [bleepingcomputer.com] telling me I needed to purchase the full version to remove viruses. I spent all morning and much of the afternoon cleaning that crap up...

Re:Got bit yesterday (2)

ifrag (984323) | about 2 years ago | (#39560587)

I spent all morning and much of the afternoon cleaning that crap up...

Usually it's faster to just use a system restore point. Typically these drive by mass attacks are not going to be smart enough to infect system backups. Although perhaps once enough of it starts running other pieces of malware start getting retrieved as well. I'd also immediately pull the ethernet cable if that nonsense starts up, then boot to safe mode.

what i would like to see in a downloader (1)

RobertLTux (260313) | about 2 years ago | (#39559939)

Personally I hate this trend of A bundling other "stuff" with a download B having the direct link to the payload TOP SECRET BURN BEFORE READING

All I ask for is a link to the complete actual program no "smart downloader" no bundled C4 and let me save the file so I can use it on another computer.

mold up (-1)

Anonymous Coward | about 2 years ago | (#39559979)

To d3cline f0r

it's about time! (1)

tommeke100 (755660) | about 2 years ago | (#39560649)

I'm getting a bit fed up paying a 100 euro fine because the Bundespolizei tells me they found illegal stuff on my computer!