
About Firefox blocking all current Java versions

Posted: Sat Jan 12, 2013 10:35 pm
by rick
Greetings

In order to protect users, Firefox has enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38)
Firefox Blocks All Current Java Versions to Block Zero-Day

But, when you have Noscript installed,
the placeholder that Noscript shows for every java content that it blocks
doesn't contain the message that this plugin has been blocked by Firefox, as security vulnerable.


To reproduce:
in a clean FF profile without Noscript installed
visit a page with java content,
you'll get this message:
Image

But, with Noscript installed
if you visit the page
you'll get this instead:
Image


I'd suggest that,
for any content blocked by Noscript for which the plugin is blocked by Firefox,
Noscript show the placeholder of screenshot2 with the text addition "This plugin has security vulnerabilities".

Re: About Firefox blocking all current Java versions

Posted: Sun Jan 13, 2013 11:27 pm
by Thrawn
Interesting idea.

However, if someone is using NoScript to block Java, then they are already choosing to mistrust Java in general, and only allow it on sites that they trust not to misuse it. And those sites presumably aren't going to exploit this zero-day. So I'm not sure that there's a strong enough benefit to be worth the extra effort. It's up to Giorgio to decide, of course.

Thanks for highlighting the issue, though. It's a good demonstration of exactly why NoScript uses default-deny, and why it markets itself as protecting you against even unknown threats.

Re: About Firefox blocking all current Java versions

Posted: Sun Jan 13, 2013 11:46 pm
by Giorgio Maone
I'll see what I can do, but it doesn't seem easy.

Re: About Firefox blocking all current Java versions

Posted: Mon Jan 14, 2013 3:05 pm
by therube
For the moment (don't sneeze) it may be immaterial (assuming you've now updated & assuming Mozilla revises their blocklist, if need be).

Java 0-Day patched as Java 7 U 11 released