Firefox 26 says no to Java plugins

Mozilla’s flagship product Firefox just released its latest version, number 26, and although it comes with an array of features, one stands out: by default it blocks all Java plugins, you have to specifically allow each one. You might not be aware of this if you are not a techie but Java plugins are ubiquitous on the net.

Though this is a rather significant shift it is not entirely a surprise — unfortunately exploitations of Java plugins through web-based malware attacks are not uncommon and have escalated in the last few years. So much so that a site was made to have a count down since the last known Java 0-day exploit (0-day generally means that it was exploited in the wild before the vendor in this case Firefox knew about the issue. If a security researcher declares publicly that there is some vulnerability, it begins counting. They are at 148 on the date of this post) thus this security update is needed.

Apparently Mozilla wanted to have the feature in version 24 already but it caused a rather large stir with the users stating:

The history of security vulnerabilities in Java and poor response times means that Java is likely to be permanently unsafe. In order to protect most users, while still allowing users to override per-site, we intend to:

* mark the most recent version of the Java plugin as unsafe without an available update.
* mark older versions of the Java plugin as unsafe with an update available.

The effects of this change is that the user can still enable Java permanently for particular sites, but will not be able to enable Java for all sites.

This change should be applied to Firefox 24 and later only, because we have improved the click-to-play UI so that it is more discoverable and usable.

Now when the browser lands on a page it blocks every Java plugin by default, asking the user if it should allow each plugin. Here is an example via virtual horse racing game digiturf.com:

The user is given the options:

• Block Plugin
• Allow now
• Allow and Remember

Obviously the ‘Allow and Remember’ adds the current webpage to the browser’s whitelist so that Java code on it will run automatically from then on.

The most used plugin on the web is of course Adobe Flash, but that in itself is also the reason it gets a free pass (at least for now) as it would cut off half the web to the average user. Though the Apple devices are cutting that trend down in short order (the iPhone and iPads don’t allow flash).

Firefox’s latest version has number of security patches, bug fixes, and minor new features. The release notes are available online and here are the top new features:

What do you think of the update and the ramifications of it on the web? Let us know in the comments.