If you’ve heard the news in the last few days, the whole web is buzzing about vulnerabilities in Java, though only Java 7 versions are affected. Oracle has known about these vulnerabilities since April but left users in the dark until yesterday, when it released the update that patches them.
Mozilla, which is always concerned about the security of its users, has enabled a Java update notification for Firefox on Windows and Linux platforms “that will show up every time a user visits a site with a Java applet using a vulnerable Java plugin”. The notification points the user to the Mozilla Plugin Check page, which helps them update Java to the latest version.
Mozilla plans to extend this notification to Mac, where the majority of people are not affected by this vulnerability, and to the IcedTea plugin on Linux. The notification is live for Windows and Linux versions of Firefox.
Rather than waiting for Firefox to alert you, why not visit the plugin check page now and look for out-of-date plugins in your browser? We suggest you stay secure by installing the latest version of Java from the Oracle website before you ever see this notification.
It’s important to remember the limitations of this notification system: all it does is check to see if you have the latest version of a plugin. However:
1) If the latest version has a vulnerability, and you’re better off staying at an older version (like with Java), it has no way of telling you this, unless Mozilla blacklists it. Case in point: Java 1.7.0.7 is the latest, but there are reports of a very critical vulnerability, so the latest 1.6 release may actually be a better choice for users. (I’m not sure what the plugin detector does if the latest version is blacklisted but the previous one is not.)
2) Some vendors maintain multiple major releases (like Adobe), because patches are free but upgrades are not. (*) For these, Mozilla may report that you are “outdated” if you are not on the latest major release, which is not correct. (In the case of Adobe, 9.5.2 is NOT outdated, but Mozilla thinks it is merely because of the existence of a 10.x branch. In truth, Adobe still supports and updates v9.)
(*) Technically, Reader and its plugin are free, but Acrobat Pro is not, and if you have the latter, you generally want to keep the versions in sync.
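The two limitations described in the comment above, as an added example that is not part of the original post and is not Mozilla's code: a latest-only check next to a branch-aware one that consults a blocklist first. The catalogue is constructed; only 9.5.2 and 1.7.0.7 come from the text, and the other versions and the blocklist entry are placeholders.

```javascript
// Constructed catalogue, not Mozilla's real data. 9.5.2 and 1.7.0.7 appear in
// the text above; 10.0.0, 1.6.0.99 and the blocklist entry are placeholders.
const CATALOGUE = {
  reader: { branches: { "9": "9.5.2", "10": "10.0.0" }, blocked: [] },
  java: {
    branches: { "1.6": "1.6.0.99", "1.7": "1.7.0.7" },
    blocked: ["1.7.0.7"], // hypothetical: newest release known to be vulnerable
  },
};

// Compare dotted version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Latest-only check: anything below the single newest release is "outdated",
// and the newest release is always reported as fine.
function naiveStatus(plugin, installed) {
  const newest = Object.values(CATALOGUE[plugin].branches)
    .reduce((m, v) => (compareVersions(v, m) > 0 ? v : m));
  return compareVersions(installed, newest) < 0 ? "outdated" : "up-to-date";
}

// Branch-aware check: the blocklist is consulted first, then the installed
// version is compared only against the newest release of its own branch.
function branchAwareStatus(plugin, installed) {
  const { branches, blocked } = CATALOGUE[plugin];
  if (blocked.includes(installed)) return "blocked";
  const key = Object.keys(branches).find(
    (k) => installed === k || installed.startsWith(k + "."));
  if (!key) return "unsupported-branch";
  return compareVersions(installed, branches[key]) < 0
    ? "outdated" : "up-to-date";
}

console.log(naiveStatus("reader", "9.5.2"), branchAwareStatus("reader", "9.5.2"));
console.log(naiveStatus("java", "1.7.0.7"), branchAwareStatus("java", "1.7.0.7"));
```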