Firefox keeps prompting users to disable java plugins How can reinable them through the command line or registry?
Windows users keep getting prompted about java version being insecure and are advised to disable the plugin. They then complain that java based websites no longer work. Can I disable / prevent this warning feature. And can I re-enable java plugin via command line or script? I need to do this on a large scale and various versions of firefox. Right now I will need to abandon firefox if I cannot easily resolve this. Yes I realize updating to latest version of java is a solution... but this will take too much time now and how long before another security fix for java and then I will have to update yet again.
All Replies (18)
The Java plugin was blocked (just so you know, we don't block the old version of Java usually, this was done because of an extreme security issue wild on the internet). http://blog.mozilla.org/addons/2012/04/02/blocking-java/. while you can reenable Java through the extension manager, the best solution is to: Update to Firefox 12.
Uninstall all versions of Java on your machine
Go to http://javadl.sun.com/webapps/download/AutoDL?BundleId=62313 and download and install the latest version of Java.
This way you are kept secure. Yes, more updates may come out in the future, but java does automatically check for updates every so often.
Thanks Tyler... I am not sure what is meant by "we do not block the old version java usually" What versions are you speaking of here? Are you referring to version 5 and lower? I am experiencing this on several of different updates (version 6) like update 12 update 20 update 21 update 30 update 24 etc.
Do to time constraints to go around and uninstall java and Firefox and reinstall latest versions is simply not a viable solution at this point. Automatic updates for java and Firefox don't work due to user account privileges and restrictions that we have to keep in place. I know there are others out there who have these same issues. An automated way to just re-enable java plugin would be the perfect solution for our situation. And a method for prevention would be good also.
I seen something in another post similar saying to delete the blocklist.xml file. Does this file contian the plugins that are disabled? Is there a config file that determines what is enabled / disabled. I could perhaps denied user permissions to change this file and perhaps prevent users from disabling java? Where does firefox store these changes when the Java plugin is disabled?
I mean that the steps of blocking old versions of the Java plugin does not normally happen. all versions under 6 update 31 and 7 update 3 are blocked, but this is the first time we've done this (I think) ever.
The blocklist file is simply a local store of Mozilla's global blocklist. It updates every 24 hours, so if you delete it, it forces a refresh. That is about it.
I have firefox 3.6.28 and java 6 update 31. Just got a prompt from firefox telling me that java plugin has been disabled as it is unstable. Can this issue be resolved without having to update to FF12?
Modified
Firefox 3.6 is no longer supported, so to stay current with the most recent security fixes you need to update to firefox 12.
Tylerdowner, to say that Firefox 3.6 is no longer supported is not an answer. Apparently, the so-called block deployed for the Mac OS X version of Firefox, created to deal with a vulnerability in Oracle's Java, has now crept into the Windows version. Moreover, it is blocking the latest version of Java, which was not intended according to https://bugzilla.mozilla.org/show_bug.cgi?id=741592. The official text of the block follows:
Java Plugin has been blocked for your protection.
Why was it blocked?
Outdated versions of the Java plugin are vulnerable to an actively exploited security issue. All Mac OS X users are strongly encouraged to update their Java plugin through Software Update, or disable it if no alternatives are available. For more information, please read our blog post or Oracle's Advisory.
Who is affected?
All Firefox users who have installed the Java plugin, JRE versions below 1.6.0_31 or between 1.7.0 and 1.7.0_2.
What does this mean?
Users are strongly encouraged to disable the problematic add-on or plugin, but may choose to continue using it if they accept the risks described.
When Mozilla becomes aware of add-ons, plugins, or other third-party software that seriously compromises Firefox security, stability, or performance and meets certain criteria, the software may be blocked from general use. For more information, please read this support article.
Well, whoever wrote the code to block the Java plug-ins specified above screwed up, since it is blocking even the updated Java plug-in.
I have an enterprise with many computers, and we had deployed Firefox as our browsing platform. Based on the latest decisions at Mozilla, new version numbering, forced release cycle, and almost all add-on vendors just walking away from the maintainence nightmare created by this decision, I guess it's time to move over to the Dark Side and adopt Google Chrome.
You are aware that google chrome has rapid release as well right? I was addressing the fact that Firefox 3.6 is no longer supported and all users need to update to Firefox 12. The java issue is also best corrected by updating to Java 6 update 32 or 7 update 4 (I believe it is released now).
i can tell you from experience (also from a large network) that the unfixed java versions <6.31 and <7.03 allow for drive-by-infections (users without admin rights don't have to interact in any way with the sites to get infected with spyware/trojans etc.) and it is used in the wild. we had dozens of cases of infection here before the plugins were blocked & then brought to the newest level... I'd strongly recommend that you take the effort and update to the latest java version!
Tylerdowner and Madperson, Both of you are correct in ways. First, all of our resources track the latest security updates. Second, Firefox 12 is brand new, and every time Mozilla releases an update, it breaks 2/3rds of the customizations installed (plug-ins). I can confirm the Java and other active scripting drive-by attacks, which are well known and a major reason that Enterprises must keep on top of security and privacy issues. What upsets me is that Mozilla has a great product, but has created an unbelievably obtuse environment for both Enterprise maintenance and independent development. You can't expect many independent developers to have their add-ons ready before each scheduled release. This is not MSDN, and I don't see a lot of strictly paid for add-ons out there. Look at NoScript, for example. It's the best designed web content mitigation tool out there, and it's free (although you should donate). The open source movement is quite different than Microsoft's business model, and needs to accommodate reasonable efforts by supporting developers, as well as Enterprise requirements, if it is to continue.
If you are running an enterprise environment, why don't you use the ESR of Firefox? http://www.mozilla.org/en-US/firefox/organizations/
Also, with the release of Firefox 10, most add-ons that are marked compatible with Firefox 4 are defaulted to compatible, so the story is much different now.
Ive already looked at the ESR releases. That still doesn't fix the systemic issues created by a lack of process control within the greater Mozilla community. I just addressed a bug yesterday that related to an add-on that looked 100% OK, and was permitted to load in Thunderbird 12.0, but broke the spell checker suggestions. Moreover, Thunderbird 12.0, after loading from the release update channel, was not even prompting me to update to 12.0.1. On that note, here's a great example of an unnecessary risk created by the new "forced" scheduled update cycle, which creates significant opportunities for errors and poor quality based on insufficient pre-deployment testing (yea, that's a mouthful):
Running TB 12 with local mail folders and pop3 mail filters may produce summary files that aren't correctly read by previous versions of Thunderbird. If you decide to go back to a previous version of Thunderbird after running TB 12, you should delete the .msf files for your local folders and pop3 accounts, or repair the folders using the folder properties dialog, to avoid potential data loss.
Errors like this are intolerable in an Enterprise deployment, and create a markedly negative perception in the consumer marketplace as well. Most users wouldn't have a clue how to fix this issue. Thus, you create more Outlook or Apple Mail users, and Mozilla's products eventually die. That's sad, because Mozilla is the future, Open Source, and not proprietary closed source communication products.
OK, I even updated Java to version 1.6 update 32 (yet to be officially released) and Firefox still blocks the plug-in. This is obviously an error, unless Mozilla knows something that all of us have missed!
Well I am glad to see I am not the only one who suffers from this "lets block insecure plugins campaign" I would be OK with it, if there was an easy way to re-enable the java plugins that users keep getting coached into disabling. Is there no way to enable these from the command line? Is there no config file that I can edit to re-enable. I mean, I need something that is automated and can be run at each user login or pc startup or when Firefox starts. Because it is pretty obvious that as soon as a different user sits down and visits a java based website they will be tricked into disabling it again. In my situation this could happen several times in one day all on the same pc. Multiply this times a 1500 and you see why I am here writing this.
I do see this is not just a Firefox thing. I am seeing this in IE also... Except IE will only temporarily disable java until the browser is closed and then it works again. It will prompt users again but at least each session is given a chance to not disable it. Thus I don't have to go around re-enabling anything.
Someone posted a work-around here: http://support.mozilla.org/en-US/questions/924629#answer-324013
" I solved it. Proceed at your own risk
Open new Tab Navigate to about:config Accept security warning Change extensions.blocklist.enabled to false Restart browser
This prevents firefox from checking the blocklist you have configured at extensions.blocklist.detailsURL "
Modified
I HIGHLY DISCOURAGE ANYONE FROM DOING THIS
THIS WILL DISABLE Firefox from checking to see if you have insecure plugins and also re-enable ANY disabled plugins, not just Java!
However, sometimes we don't get a choice.
I haven't been able to find any documentation whatsoever on how Firefox manages enabling and disabling plugins. The only place I've been able to find details is inside pluginreg.dat. It's a mostly human readable file, but it's automatically generated by Firefox and appears to be too complicated to parse and edit with any sort of simple script.
So what I did was the following:
- Follow cobo's instructions in the above post to set extensions.blocklist.enabled to false using about:config or using a script or echo >> command to add the line user_pref("extensions.blocklist.enabled", false); to the users prefs.js file
- Delete blocklist.xml from their Firefox profile
- Delete pluginreg.dat from their Firefox profile
Make sure Firefox isn't open when you modify prefs.js directly (not using about:config) or try and remove the blocklist.xml or pluginreg.dat or they will just get re-written unmodified when Firefox closes down.
When Firefox starts the next time it will automatically regenerate pluginreg.dat with Java enabled and the blocklist.xml file shouldn't be downloaded anymore to disable it again.
Will Java ever be secure? I mean what's the point really? I go and update and 3 weeks later oh that version isn't secure anymore go update to this version... Why bother? It's no more secure than the last version if it's going to be vulnerable again in a matter of days. If you ask me, drive by infections are due to the lack of OS security. Its like trying to make a wooden sail boat into a armored battleship... Windows OS will never be secure or free from all it's vulnerabilities. It just simply wasn't designed around security.
Hi toy4x4, apparently building secure software is harder than it looks.
Windows 7 has a much better security design than earlier versions, but for convenience, we often prefer to run with high privileges and minimize permission prompts, because we need usability, too.
But I digress. Did you have an update on the Java front?