Mozilla this week began blocking outdated versions of a Java plug-in in Firefox for some Mac users after calling the threat posed by the Flashback malware “evident and imminent.”
The move came two weeks after Mozilla disabled unpatched versions of Oracle’s software on Firefox for Windows.
Although Mozilla said on April 2 that it might add the Java plug-in to Firefox for Mac’s blocklist—a list it maintains of add-ons and plug-ins that the company disables because they’re infected with malware or have been targeted by attackers—it didn’t follow through until Monday.
In a post to the company’s Add-Ons blog, Mozilla said the delay was due to the uptake of the patched plug-in Apple began distributing April 3.
As Mozilla noted, cleanup efforts have made headway on the number of Macs infected with the Flashback malware. While more than 600,000 Macs were infested with Flashback as recently as two weeks ago, that number fell by 60 percent last week.
On Tuesday, Symantec—which had “sinkholed” command-and-control domains used by Flashback to communicate with its makers — said the botnet had shrunk even more in the last several days, and controlled fewer than 100,000 Macs.
Another reason for Mozilla’s pause between blocklisting Java on Windows and Mac: Firefox has a bug.
“There’s a bug in Firefox that prevents it from reloading plug-in metadata after an update,” acknowledged Mozilla. “This means that even if someone updates Java on Mac, Firefox will continue to say an old and vulnerable version is installed.”
Mozilla has fixed the bug and will roll the patch into Firefox 12, which is set for release April 24.
For those reasons, Mozilla instituted only a partial block of the Java plug-in, limiting it to copies of Firefox running on Macs powered by OS X 10.5 or earlier. OS X 10.5 is better known as Leopard.
While Apple no longer packages Oracle’s Java with OS X—it stopped that practice with Lion in July 2011 — it continues to issue Java security updates to people running Lion as well as 2009’s Snow Leopard, or OS X 10.6. Java may be on some Lion systems: Users are prompted to install the software the first time they try to run a Java applet.
Because Apple no longer supports OS X 10.5, or Leopard, its predecessor Tiger or any older operating system, it doesn’t ship patches for Java to those users.
“People who are using Mac OS X 10.5 and older won’t get the Java update, which means they will remain vulnerable unless they update their operating system or upgrade their hardware,” noted Mozilla. “For these users there’s no point in waiting, so we have blocked the Java plug-in for them.”
Firefox users running OS X 10.5 or earlier, will have JRE 1.6.0_31 and earlier, or JRE versions 1.7.0 through 1.7.0_2 disabled.
Mozilla called its move a “soft block,” which means users are notified that the plug-in has been disabled, but they can continue using it at their own risk by clearing the “Disable” box in the notification dialog. Users can also later enable the plug-in from the Plug-ins section of Add-ons Manager by selecting “Add-ons” from the Tools menu.
Firefox users running OS X 10.6 and later will have outdated Java plug-ins disabled next week if they upgrade to version 12 of the browser.
While Mozilla’s block of Java on Firefox for Windows didn’t go flawlessly—it mistakenly was issued as a “hard block,” which gave users no way to use the plug-in—there’s no evidence of a similar problem on Mozilla’s support forum for Mac users after Monday’s move.
In a blog post April 6, Christian Holler, a Mozilla security engineer, gave more details on the thinking behind Mozilla’s blocking of the Java plug-in.
“As the popularity of the Mac platform has grown so has its attractiveness as a target for attackers,” Holler said. “The threat to Mac users is evident and imminent, thus prompting our response on all platforms.”