
Support Forum

Java Deployment Toolkit 7.0.250.17 plug-in is blocked. I now cannot view media on certain pages. Is there a fix?

Posted

Java Deployment Toolkit 7.0.250.17 plug-in is blocked. It is still enabled, but FF is blocking it all the same. I now cannot view media on certain pages. Is there a fix? Are you going to offer a secure replacement?

Additional System Details

Installed Plug-ins

  • Next Generation Java Plug-in 10.25.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Google Update
  • Shockwave Flash 11.8 r800
  • Adobe Shockwave for Director Netscape plug-in, version 12.0.3.133
  • 5.1.20513.0
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.03
  • Unity Player 4.1.3f3
  • GEPlugin
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers

Application

  • Firefox 22.0
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0
  • Support URL: http://support.mozilla.org/1/firefox/22.0/WINNT/en-US/

Extensions

  • 4chan Extension 0.4.5.18 (extension@4chan.org)
  • Adblock Plus 2.3.2 ({d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d})
  • Adblock Plus Pop-up Addon 0.8 (adblockpopups@jessehakanen.net)
  • Advanced SystemCare Surfing Protection 1.0 (ascsurfingprotection@iobit.com)
  • Cleanest Addon Manager 7.0 (cam@sdrocking.com)
  • Click&Clean 4.1 (clickclean@hotcleaner.com)
  • Facebook Phishing Protector 4.4.2 ({023e9ca0-63f3-47b1-bcb2-9badf9d9ef28})
  • Full Screen Image Viewer 5.0 (imageviewer@toptip.ca)
  • Google Translator for Firefox 2.1.0.3 (translator@zoli.bod)
  • JavaScript Debugger 0.9.89 ({f13b157f-b174-47e7-a34d-4815ddfdfeb8})
  • JS Deminifier 1.0.8 (jsdeminifier@murphy.ben.name)
  • klout 1.6 (kwtr-for-firefox@klout.com)
  • Long URL Please 0.5.1 (longurlplease@darragh.curran)
  • QuickJava 1.8.0 ({E6C1199F-E687-42da-8C24-E7770CC3AE66})
  • Think Context 0.93 (jid0-TgUunRgcCYuVnWCzbw3bV96wGAI@jetpack)
  • Thumbnail Zoom 1.4.3 ({E10A6337-382E-4FE6-96DE-936ADC34DD04})
  • Troubleshooter 1.1a (troubleshooter@mozilla.org)
  • Updated Ad Blocker for Firefox 11+ 0.7.7 ({4DC70064-89E2-4a55-8FC6-E8CDEAE3618C})

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: Intel(R) G33/G31 Express Chipset Family
  • adapterDescription2:
  • adapterDeviceID: 0x29c2
  • adapterDeviceID2:
  • adapterDrivers: igdumd64 igdumdx32
  • adapterDrivers2:
  • adapterRAM: Unknown
  • adapterRAM2:
  • adapterVendorID: 0x8086
  • adapterVendorID2:
  • direct2DEnabled: False
  • direct2DEnabledMessage: [u'blockedDriver']
  • directWriteEnabled: False
  • directWriteVersion: 6.2.9200.16571
  • driverDate: 9-23-2009
  • driverDate2:
  • driverVersion: 8.15.10.1930
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'skia', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'none'}
  • isGPU2Active: False
  • numAcceleratedWindows: 0
  • numAcceleratedWindowsMessage: [u'']
  • numTotalWindows: 1
  • webglRenderer: Google Inc. -- ANGLE (Intel(R) G33/G31 Express Chipset Family)
  • windowLayerManagerType: Basic

Modified Preferences

  • accessibility.browsewithcaret: True
  • accessibility.typeaheadfind.flashBar: 0
  • browser.cache.disk.capacity: 358400
  • browser.cache.disk.smart_size.first_run: False
  • browser.cache.disk.smart_size.use_old_max: False
  • browser.cache.disk.smart_size_cached_value: 358400
  • browser.cache.memory.capacity: 65536
  • browser.display.show_image_placeholders: True
  • browser.places.smartBookmarksVersion: 4
  • browser.privatebrowsing.autostart: True
  • browser.privatebrowsing.dont_prompt_on_enter: True
  • browser.search.param.yahoo-fr: chr-greentree_ff&ilc=12&type=198484
  • browser.startup.homepage: http://www.yahoo.com/
  • browser.startup.homepage_override.buildID: 20130618035212
  • browser.startup.homepage_override.mstone: 22.0
  • browser.startup.homepage_override_url: http://search.speedbit.com/?s=D1Pa
  • browser.urlbar.autocomplete.enabled: True
  • browser.urlbar.autofill: True
  • dom.max_script_run_time: 30
  • dom.mozApps.used: True
  • dom.w3c_touch_events.expose: False
  • extensions.lastAppVersion: 22.0
  • gfx.direct2d.disabled: True
  • layers.acceleration.disabled: True
  • network.cookie.prefsMigrated: True
  • network.http.max-connections: 32
  • network.http.max-connections-per-server: 8
  • network.http.max-persistent-connections-per-proxy: 8
  • network.http.max-persistent-connections-per-server: 4
  • network.http.pipelining: True
  • network.http.pipelining.maxrequests: 8
  • network.http.proxy.pipelining: True
  • network.http.request.max-start-delay: 0
  • places.database.lastMaintenance: 1375411601
  • places.history.expiration.transient_current_max_pages: 104858
  • plugin.disable_full_page_plugin_for_types: application/pdf
  • plugin.expose_full_path: True
  • plugin.importedState: True
  • plugin.state.flash: 2
  • plugin.state.java: 2
  • plugin.state.npdeployjava: 2
  • plugin.state.npovshelper: 0
  • plugin.state.nppl: 0
  • plugin.state.nprpjplug: 0
  • plugin.state.npvlc: 0
  • privacy.cpd.offlineApps: True
  • privacy.donottrackheader.enabled: True
  • privacy.sanitize.migrateFx3Prefs: True
  • privacy.sanitize.timeSpan: 0
  • security.csp.enable: False
  • security.OCSP.enabled: 0
  • security.warn_viewing_mixed: False
  • storage.vacuum.last.index: 1
  • storage.vacuum.last.places.sqlite: 1374111521

Misc

  • User JS: Yes
  • Accessibility: No

Waka_Flocka_Flame
  • Top 25 Contributor
529 solutions 5045 answers

Please check if all your plugins are up-to-date. To do this, go to the Mozilla Plugin Check site.

Once you're there, the site will check if all your plugins have the latest versions. If you see plugins in the list that have a yellow Update button or a red Update now button, please update these immediately.

To do so, please click each red or yellow button. Then you should see a site that allows you to download the latest version. Double-click the downloaded file to start the installation and follow the steps mentioned in the installation procedure.

Also refer to

TheOldFox 110 solutions 619 answers

What kind of media can you not view?

Please post a link to a page that does not require a login and describe the content on the page that you can not view. You can post a screenshot. After saving the screenshot to your hard drive, click the Browse button below the reply text box, navigate to the saved image and click it.

Java Deployment Toolkit 7.0.250.17 is the most currently available version.

You should be able to view Java applets. The Deployment Toolkit is intended for those who edit Java applets or edit pages with Java applets.

Why it is being blocked (July 18, 2013) - https://addons.mozilla.org/en-US/firefox/blocked/p428

Also see:

Modified by TheOldFox

S1 5 solutions 54 answers

It shouldn't be a problem if it's blocked. I think the issue is elsewhere, in particular - download the latest Flash player:

http://get.adobe.com/flashplayer/ (uncheck the box to get McAfee when downloading)

Good luck!

cor-el
  • Top 10 Contributor
  • Moderator
10760 solutions 96845 answers

If you use extensions (Firefox/Tools > Add-ons > Extensions) that can block content (e.g. Adblock Plus, NoScript, Flash Block, Ghostery) then make sure that such extensions aren't blocking content.

oceanclub 0 solutions 2 answers

I've installed the latest version of Java and Firefox. I note the Java Deployment Kit 7.0.400.43 is both shown as (a) up to date in the plugincheck but (b) vulnerable in addons. Is this _always_ vulnerable and, if so, why is the add-on installed by default? (I just did a fresh install of Firefox after completely wiping it and it's still there.)

P.

the-edmeister
  • Top 10 Contributor
  • Moderator
3197 solutions 24404 answers

Yes, the Java Deployment Toolkit is always labeled as vulnerable, and is automatically set to Never Activate.

Oracle still needs to fix the vulnerabilities with that plugin.
That plugin is mainly needed by Java Developers. Average users shouldn't need that plugin for anything on the web, but some private or institutional intranets may need that plugin for certain applications. In those cases the user can select Ask to activate in the Add-ons Manager > Plugins tab.

Hyncharas 0 solutions 21 answers

In all fairness, Java is the most annoying, piece-of-shit software on the entire internet. 99% of programs for web and filesharing need it, but it's so full of holes that swiss cheese would probably be more secure... worse, nobody wants the hassle of inventing something better.

Java is a total disgrace.

SilentMobius 0 solutions 1 answers

Helpful Reply

I understand the FF team want users to be secure-by-default, but I need to use this plugin and hence need to set this to always enable (as the ask to enable setting breaks JDT auto-detection).

Surely there is some way to bypass this advisory.

EDIT: Found it (Though all the help on this topic is misleading)

Click on the lock (if an SSL enabled site) icon, click "more information", select the permissions tab and finally tick "Java deployment toolkit" in the "Activate plugins" section.

Modified by SilentMobius

warp-9.9 0 solutions 5 answers

Helpful Reply

Thanks SilentMobius for an answer that works! One note: you can go to Tools -> Page Info -> Permissions, you do not need to click a lock on a secure site, and then More Information. That just brings up the Page Info box on the Security tab. Hopefully Mozilla FF won't decide to remove "bad" things from that permission list entirely, to prevent enabling.

pittore 0 solutions 3 answers

I have done all these things suggested and Java runtime environment is still blocked. The options in ADD-On manager are two: ask to activate or never activate. I selected "ask to activate" but it made no difference. Also what is strange about Add-on manager and other Firefox management pages is there is no apply button. So I assume just moving to another page records the selection? Anyway I have gone to permissions and checked allow for Java Deployment and Java JRE but when I go to Java's test page all I get is the java log with the dots going round and round and it just stays that way...the java verify version page is the same. I am a developer and need to use java rte and jdk. Any suggestions?

pittore 0 solutions 3 answers

BTW: I have done the java JRE uninstall and reinstall many times. I even did the deep uninstall using Revo Uninstaller and then the Void Tools Search utility to make sure all remnants of java were uninstalled. Then I installed the 32-bit version of the JRE. When I go to the command line and type java -version it correctly shows java is installed (the current version) and the Java Control Panel confirms the correct path. In Microsoft IE10 browser I go to the advanced security and it shows java greyed out and indicates a check mark in front of Mozilla as the default browser for java. OK, then why doesn't Firefox run the dang thing? I have enabled the plug-in. Something is blocking it but what? Shouldn't Mozilla work with Oracle to figure this out? I have two weeks now working in this with no solution in sight.

tacmas 0 solutions 1 answers

I'm also experiencing this problem. There are a number of very popular vendors of enterprise server, storage, and networking hardware (Dell, EMC, etc.) that use the Java Deployment Toolkit for their appliances' web interface.

Modified by tacmas

pittore 0 solutions 3 answers

I am puzzled why Mozilla and Oracle executives cannot sit down together and put a team together to cooperatively close the security problems in java and blocking tactics of Firefox so the cyber world can get on with its business of hassle-free computing without being blocked at every turn in the road when wanting to run significant software. The CEO of Oracle seems obsessed with his boat but what is the excuse of the CEO of Mozilla? Is this another symptom of our blocked society like the US Congress and the President? You know, all it takes is a phone call from someone minding the store.

the-edmeister
  • Top 10 Contributor
  • Moderator
3197 solutions 24404 answers

... what is the excuse of the CEO of Mozilla?

She's out wrangling lizards.

vijey 0 solutions 1 answers

Java Deployment Toolkit (click-to-play) has been blocked for your protection.

Why was it blocked?

   The Java Deployment Toolkit plugin is known to be insecure and is unnecessary in most cases. Users should keep it disabled unless strictly necessary.

Who is affected?

   All Firefox users who have this plugin installed.

What does this mean?

   The problematic add-on or plugin will be automatically disabled and no longer usable.
   When Mozilla becomes aware of add-ons, plugins, or other third-party software that seriously compromises Firefox security, stability, or performance and meets certain criteria, the software may be blocked from general use. For more information, please read this support article.

warp-9.9 0 solutions 5 answers

@vijey

That is merely copy and pasted from the URL mentioned above.


On that page is a link to see a copy of the request to block filed in Bugzilla. However, the bug is forbidden to view by the general public, so there is no real explanation with proof available to anyone.

I think that only adds to the confusion. If there is a huge vulnerability, I think it should be demonstrated, explained clearly to the users (who in this case are likely developers who could understand such things), and they should decide for themselves if it's a use-case they need to be concerned with.

If they use this feature only on a local area network, or only on the intranet, to run a business, then automatically disrupting functionality by default may cause more problems than a use case which they will not likely encounter. Then perhaps the filtering of the vulnerability from external sources would simply be an exercise for their security administrators.

warp-9.9 0 solutions 5 answers

After a little searching, I found this posting, which seems to be the first encounter of this bug, and resolution?

https://nealpoole.com/blog/2011/10/java-deployment-toolkit-plugin-does-not-validate-installer-executable/

Apparently, you can "trivially" download and run an arbitrary program with full Administrator privileges. You can use JavaScript to trigger a Java auto update, which will pull a JRE install from the official site. You can "trivially" spoof this site by messing with the DNS system (or other address resolution mechanisms).

There's a specific tool to "easily" allow someone to do these things to you, from other computers on your LAN. It is unclear to me if they need Administrator rights to run this tool, or if they must be on a specific proximity to your computer i.e. your LAN or intranet or even the ISP? The most vulnerable, I think, would be corporate users (anyone with a large network, regardless if a university, non-profit, small business, or enterprise level, etc).

What is clear from this tool's README file is that the vulnerability is not limited to Firefox or Oracle's JDK. In fact, almost every commonly installed application is vulnerable. Some of the more familiar names on the list include:

CCleaner, Notepad++, Java JRE, aMSN (IM app), AppleUpdate (Safari, iTunes, QuickTime), Mirc, Windows Update, WinSCP, ClamWin, AppTapp Installer (iPhone, iTunes), getjar (facebook.com), Google Analytics (JavaScript Injection), WinAmp, Nokia Software Firmware Update, Nokia Firmware, BSplayer, Apt (Debian, Ubuntu), Blackberry Facebook & Twitter, CPAN (Comprehensive Perl Archive Network), VirtualBox, Filezilla, Flashget, Miranda (IM app), Panda Antirootkit, Skype, Trillian (IM app), VMware, and more...

So the problem is much bigger than Firefox or Java JDK. It is in fact a common failure of developers to design a secure update process. As such, I think blocking JDK in Firefox is pretty pointless. It's like using a fire extinguisher on a cigarette in the middle of a forest fire, for fear of preventing a forest fire. Just because Firefox blocked this, there's probably still a dozen or more ways for this to occur on your computer.

It's a problem developers worldwide are too lazy or stupid to address. However, saying NO to developers in a high visibility app like Firefox is definitely a powerful way to raise awareness, and force another highly visible developer's hand (Oracle) to implement update verification mechanisms.

It's too bad that Mozilla simultaneously decided to unilaterally block the application and try to hide the bug. Like an ostrich burying its head in the sand. They missed the opportunity to raise awareness of a critical issue that is larger than either Firefox or Oracle combined. It's a software design practice that needs to be updated. That can only occur by raising awareness. What is even more unforgivable, is Oracle, even after being aware for almost 3 years now, has still failed to implement and push to release (not beta), a fix.

Hopefully this post is clear, removes confusion of the issue, and is not censored by Mozilla.
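
The post above attributes the problem to update mechanisms that run a downloaded installer without validating it. The following is an added example, not part of the thread and not Oracle's or Mozilla's code, of one way a Windows updater can validate an installer before launching it. It assumes Authenticode as the verification mechanism (the thread does not name one); the function names `Test-InstallerTrust` and `Invoke-VerifiedInstaller`, the sample file and the thumbprint placeholder are hypothetical.

```powershell
# Added example (not from the thread). Function names, the sample file and
# the pinned thumbprint are placeholders chosen for illustration.

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PinnedThumbprint
    )
    # Get-AuthenticodeSignature validates the embedded signature, the file
    # hash and the certificate chain; only 'Valid' means all of them passed.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return [pscustomobject]@{
            Trusted = $false
            Reason  = "signature status: $($sig.Status)"
        }
    }
    # A valid signature from *any* trusted publisher is not enough. Pin the
    # signer so a substituted download signed by someone else is refused.
    if ($sig.SignerCertificate.Thumbprint -ne $PinnedThumbprint) {
        return [pscustomobject]@{
            Trusted = $false
            Reason  = "unexpected signer: $($sig.SignerCertificate.Subject)"
        }
    }
    return [pscustomobject]@{
        Trusted = $true
        Reason  = 'valid signature from pinned signer'
    }
}

function Invoke-VerifiedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PinnedThumbprint
    )
    $check = Test-InstallerTrust -Path $Path -PinnedThumbprint $PinnedThumbprint
    if (-not $check.Trusted) {
        # Fail closed: the installer is never started when the check fails.
        Write-Warning "Refusing to run ${Path}: $($check.Reason)"
        return $false
    }
    Start-Process -FilePath $Path -Wait
    return $true
}

# Constructed sample input: a few bytes written to a temp file that carries
# no Authenticode signature, standing in for a download of unknown origin.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-installer.exe'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x4D, 0x5A, 0x00, 0x00))

# Placeholder: replace with the thumbprint of the publisher's signing certificate.
$pinned = '<PUBLISHER-CERTIFICATE-THUMBPRINT>'

Invoke-VerifiedInstaller -Path $sample -PinnedThumbprint $pinned
Remove-Item -LiteralPath $sample
```

Because the constructed file is unsigned, the check fails and `Start-Process` is never reached. A single pinned thumbprint stops matching when the publisher renews its certificate, so a deployed check would normally accept a small set of pinned signers.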

the-edmeister
  • Top 10 Contributor
  • Moderator
3197 solutions 24404 answers

With respect to Mozilla "hiding" or making specific security-related Bug reports confidential, see this:
http://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/

warp-9.9 0 solutions 5 answers

@the-edmeister: Thanks for the URL.

Security through obscurity, really? It is my opinion that hard or soft disabling this addon gives a false sense of security, while selectively enabling it so you can work on known sites for which you are the developer poses a minimal risk.

Citing the same document:

Disclosure of security vulnerabilities

  • "The security module owner, peers, and other members of the Mozilla security bug group will not be asked to sign formal nondisclosure agreements or other legal paperwork. However we do expect members of the group"

I am not part of that group. I am neither legally nor ethically nor morally bound to remain silent. The "super-secret" information is readily available on the internet within a matter of seconds.

  • "Please try not to keep bugs in the security-sensitive category for an unreasonably long amount of time."

3 years is unreasonably long in my opinion.

  • "Please try to be understanding and accommodating if a Mozilla distributor has a legitimate need to keep a bug in the security-sensitive category for some reasonable additional time period, e.g., to get a new release distributed to users."

Security through obscurity is not a legitimate need. 3 years is not a reasonable amount of time. There seems to be no plan on behalf of Oracle to address this, or it would have done so YEARS ago. As a result, a release does not seem likely in the foreseeable future.

  • "Changing this policy

This policy is not set in stone. It is our hope that any disputes that arise over membership, disclosure, or any other issue addressed by this policy can be resolved by consensus among the Mozilla security module owner, the module owner’s peers, and other security bug group members through discussions on the private security bug group mailing list."

On this issue, they can go on pretending they have the absolute control over information. It is pure denial.

This vulnerability has nothing to do with Mozilla. It can be exploited in dozens or hundreds of other ways. It is based on an inherent weakness of insecure networking protocols and laziness or ignorance of developers and international, billion dollar corporations that develop core software used to run billions of systems. Hiding the details of this one bug report is inconsequential, as a few seconds of searching gets you all the gory details.

Someone can use this exploit technique on you even if the JDK plugin is disabled. Even if you do not have JDK installed. Even if you do not use Mozilla Firefox. Maybe this policy is more appropriate to bugs that affect ONLY Mozilla software, but NOT for general industry problems. Oh well, this entire issue is just silly now. There's nothing more to say on this thread.

sakodak 0 solutions 1 answers

I know this will fall on deaf ears, but I have to respond anyway.

I have the unfortunate responsibility to manage AIX machines. In order to do so I use IBM's HMC. The HMC *requires* firefox (won't work with IE or Chrome.) Console windows for systems managed by the HMC require java. Since firefox *helpfully* disables Java for me, I'm unable to do my job.

Seriously, which is worse? Giving me the option to enable Java when *I tell you to* or forcing me to install an older, bug ridden and vulnerable version of firefox?

The "solution" to enable java by clicking the red plugin box doesn't work because I have a grey plugin box that doesn't give that option. Digging further, I've allowed java by clicking the lock and going to "more information" and then "permissions" and allowing java there, but it ignores my requests.

Please stop "helping" me, Mozilla.