Mozilla this week began blocking outdated versions of a Java plug-in in Firefox for some Mac users after calling the threat posed by the Flashback malware "evident and imminent."
Although Mozilla said on April 2 that it might add the Java plug-in to Firefox for Mac's blocklist -- a list it maintains of add-ons and plug-ins that the company disables because they're infected with malware or have been targeted by attackers -- it didn't follow through until Monday.
As Mozilla noted, cleanup efforts have cut the number of Macs infected with the Flashback malware. While more than 600,000 Macs were infected with Flashback as recently as two weeks ago, that number fell by 60 percent last week.
On Tuesday, Symantec -- which had "sinkholed" command-and-control domains used by Flashback to communicate with its makers -- said the botnet had shrunk even more in the last several days, and controlled fewer than 100,000 Macs.
Another reason for Mozilla's pause between blocklisting Java on Windows and Mac: Firefox has a bug.
"There's a bug in Firefox that prevents it from reloading plug-in metadata after an update," acknowledged Mozilla. "This means that even if someone updates Java on Mac, Firefox will continue to say an old and vulnerable version is installed."
Mozilla has fixed the bug and will roll the patch into Firefox 12, which is set for release April 24.
For those reasons, Mozilla instituted only a partial block of the Java plug-in, limiting it to copies of Firefox running on Macs with OS X 10.5 (Leopard) or earlier.
While Apple no longer bundles Oracle's Java with OS X -- it stopped that practice with Lion (OS X 10.7) in July 2011 -- it still issues Java security updates to people running Lion as well as 2009's Snow Leopard (OS X 10.6). Java may still be present on some Lion systems: users are prompted to install it the first time they try to run a Java applet.
Because Apple no longer supports Leopard (OS X 10.5), its predecessor Tiger (OS X 10.4) or any older version, it ships no Java patches to those users.