This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox 28.0 is indicating that my installed Java SE 7 U51 is vulnerable (2014 03 20)

  • 9 replies
  • 61 have this problem
  • 1 view
  • Last reply by tyme58dj

more options

When I use: "Tools -> Add-ons -> Plugins" and then select "Check to see if plugins are up to date", Firefox 28.0 (currently indicated as the latest, up-to-date version) signifies that the detected version of Java (currently Java(TM) Platform SE 7 U51) is "Vulnerable" and suggests an update.

The Java website indicates that Java(TM) Platform SE 7 U51 is the most current version. Downloading and re-installing Java and doing a system restart does not change Firefox's behavior, it continues to flag the Java version as needing an update.

Is there a newly discovered vulnerability in Java(TM) Platform SE 7 U51, or is Firefox just having a good time watching me try to wrangle a phantom problem??

When I use: "Tools -> Add-ons -> Plugins" and then select "Check to see if plugins are up to date", Firefox 28.0 (currently indicated as the latest, up-to-date version) signifies that the detected version of Java (currently Java(TM) Platform SE 7 U51) is "Vulnerable" and suggests an update. The Java website indicates that Java(TM) Platform SE 7 U51 is the most current version. Downloading and re-installing Java and doing a system restart does not change Firefox's behavior, it continues to flag the Java version as needing an update. Is there a newly discovered vulnerability in Java(TM) Platform SE 7 U51, or is Firefox just having a good time watching me try to wrangle a phantom problem??

Chosen solution

Java 8 was just released; could that be the problem?

http://www.oracle.com/technetwork/java/javase/overview/index.html

The design of the plugin check site (last time I checked) doesn't accommodate multiple "current" versions. So if the site has been updated to recognize Java 8 as current, this could lead to a lot of confusion.

Assuming the Plugins section of the Add-ons page has not disabled Platform SE 7 U51 (based on the block file that Firefox regularly downloads), then I think it's probably still good.

(I actually have U45 on this computer, whoops, so I can't test the response to U51 right now.)

Read this answer in context 👍 9

All Replies (9)

more options

Chosen Solution

Java 8 was just released; could that be the problem?

http://www.oracle.com/technetwork/java/javase/overview/index.html

The design of the plugin check site (last time I checked) doesn't accommodate multiple "current" versions. So if the site has been updated to recognize Java 8 as current, this could lead to a lot of confusion.

Assuming the Plugins section of the Add-ons page has not disabled Platform SE 7 U51 (based on the block file that Firefox regularly downloads), then I think it's probably still good.

(I actually have U45 on this computer, whoops, so I can't test the response to U51 right now.)

more options

BINGO !

The routine update path for Java continues to show SE 7 U51 as the current release.

I followed the link to the Oracle release information and found the download for version 8 and installed it.

The vulnerability checker is now happy.

My risk-aversity can now relax.

Thanks for the clue to the solution.

more options

I have the same confusion. FF says to update from V51, but, when you go to update it still has V51 as the most current version. I even tried Java.com and it still shows V51 as the most current version. I'm confused. What's the story here?

more options

I think there are two things going on here:

(1) The plugin check site now recognizes Java 8 as "current" and therefore recognizes Java 7 as "old." But Java 7 U51 is not blocked and you can still use it.

(2) Oracle is reluctant to push everyone to Java 8 now; probably they fear it is not fully debugged. So they still recommend Java 7 on java.com.

Yes, that leaves a confusing picture; it's a limitation of the plugin check site that it can't keep track of multiple current, fully patched versions of plugins. It always recommends the latest. (Windows Vista users would be familiar with this problem from the Adobe Acrobat plugin, because Adobe doesn't support Acrobat/Reader XI on Vista.)

more options

When I originally started this thread, I was lead through the registration process, and appeared to be dumped part way through, so with my new registration, I tried again, resulting in two threads, 990988 and 990986 linkified ~J99 and two response threads containing reference to the new Java 8 release, but differing in detail.

In the other thread, there was a response which included a link to the Java Developer site, which posts the developer release of Java 8. Versions are released for developer eval prior to releasing to the rest of us unwashed masses, so that they can get technically-accurate comments on the release and any anomalies that might be found.

My perception is that they have yet to publicize and mass-distribute this release until they have tested the waters with their established developer base.

I suspect that the Firefox vulnerability checker got updated prematurely.

I did jump the gun using the link posted in the other thread, with the result being that the vulnerability checker stopped waving a red (orange) flag in my face.

I probably would have been wise to wait for the mass-consumable version.

The other thread on this subject has the link to the developer website that I used to fish for the developer release.

Modified by John99

more options

27MAR14 Sun / Oracle Java version 8 is not compatible with 32-bit XP. The installer fails because there in no RegDeleteKeyExA in 32-bit XP. Sun screwed up another one ... I will stick with JRE 7_U51 until ... Complete explanation link follows: <> http://koitsu.wordpress.com/2014/03/18/oracle-java-8-jre-8-and-windows-xp-32-bit-failure/

more options

so it is best to just ignore the vulnerbility?

more options

Hi tyme58dj, this is a problem with the Plugin Checker site, that old versions are assumed to be vulnerable. There is no actual indication that Java(TM) SE 7 U51 is vulnerable. So for the moment, yes, it is best to just ignore that information and rely on the Java updater to make sure Java is up-to-date. (Unless you've turned it off, the updater runs automatically when you start Windows.)

more options

thanks for the help jscher2000.....i never turn java off and check it frequently as i do other checks and updates. I guess in time Mozilla and Oracle will work it out