Results 1 to 6 of 6
  1. #1
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Firefox 3.5.6 (and earlier), along with Java JRE now installs a Java Quick Start. This is a Firefox plug-in which cannot be automatically removed. I have no objection to such a plug-in being installed in my Firefox (under Windows XP Pro SP3) but I do object to the fact that when there was a recent JRE Update (JRE 6, update 17), the new version of the Firefox Java Quick Strart Plug-in was installed, but the old (Update 16) version of the Java Development Toolkit (a component of Java Quick Start) is not removed automatically.

    It is not easy to find a solution on the Internet, probably because few users realize that they have the new Plug-In, let alone that it has Java's old habit of leaving behind older, insecure versions of itself. Unlike the Java Runtimes in Windows, there is no user option to simply remove the older version (or the newer version, for that matter). So I investigated this issue myself and found the following facts:

    1) Secunia (PSI) does not see the old (Update 16) version of the plug-in as insecure. PSI shows both versions, and shows their exact identiyt and location, so I am able to pick out exactly what to remove from the Firefox Program Folders. It is important to have accurate information on this, as the two versions are internally identified only by their hex-key codes. No Registry values seem to be involved. (See below (2).)

    2) There is no corresponding Windows Registry entry visible in Regedit for this plug-in.

    3) CCleaner's Registry Cleaner module does not find any errors when two versions of this plug-in are present in Firefox. And when the old version folders are removed from the Firefox Programs Folders, CCleaner still finds no Registry Errors upon rescanning.

    4) Revo Uninstaller does not see these plug-ins.

    5) Simply removing (deleting) the corresponding folder from within the "C:/Program Files/ Mozilla Firefox/ Extensions/" Folder (Here you will need to consult the Secunia PSI Hex Code display, as the exact number may differ from machine to machine.) will render the plug-in undetectable to Secunia or the Acronis File Shredder utility in True Image Home 2010. Further, I suspect that while the visible listing inside of Firefox Add-ons still shows and is still Enabled, it is rendered (for the old version) non-functional. I Disabled the plug-in for each user on my computer, just as a precaution.

    6) There is no official documentation of how to do the above anywhere in the Mozilla Forums for Firefox, as far as I have seen.

    So, why should anyone care about an older version of a JRE Firefox Plug-in living alongside its updated cousin? Because, eventually, Secunia PSI may declare the older versions insecure, and they usually mean by this that there are known exploits in the field which can use the olde plug-ins as attack vectors. This has not happened yet, but I believe Mozilla is setting itself up for future problems, as long as these older versions have no Uninstall button in their listings.

    If anyone knows a better way to manage the Firefox Java Quick Start / Java Development Toolkit Firefox Plug-In for version updates, won't you please post here? I don't like my way of dealing with this, but it seems to be harmless yet effective for now. It is just a two-step process, once I figured out what needed to be done. What I do not like, are the accumulating phantom entries in my Firefox Plug-Ins List. Also, I wonder, are there any other residues I should be concerned about?

    Thanks in advance for any clues which anyone can offer here.
    -- Bob Primak --

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    I should run Secunia because the information in aboutlugins (this is for 3.5.5 still) only shows the dll name, not the full path. Doesn't this seems odd?

    Java Deployment Toolkit 6.0.170.4
    File name: npdeploytk.dll
    NPRuntime Script Plug-in Library for Java(TM) Deploy
    Java(TM) Platform SE 6 U17
    File name: npjp2.dll
    Next Generation Java Plug-in 1.6.0_17 for Mozilla browsers
    Java(TM) Platform SE 6 U12
    File name: npdeploytk.dll
    Java(TM) Platform SE binary
    The first entry matches the dll in the C:\Program Files\Mozilla Firefox\plugins folder. The second one is my main plugin. Not sure what the third one is. Debris?? Perhaps it was a stray registry entry picked up during plugin scanning or leftover after an update.

  3. #3
    Star Lounger
    Join Date
    Dec 2009
    Location
    Wisconsin, USA
    Posts
    56
    Thanks
    10
    Thanked 12 Times in 11 Posts
    You could try JavaRa. http://raproducts.org/ It will check for updates and has an option to remove old versions.

  4. #4
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote Originally Posted by Mark E View Post
    You could try JavaRa. http://raproducts.org/ It will check for updates and has an option to remove old versions.
    The advantage of Secunia PSI over individual version-checkers for things like Java, is that it is one-stop shopping, and will find any insecure older versions, and their residues, no matter where they are on your computer.

    And yes, there will be residues of old installations, sometimes in the most unexpected of places. Remove them all for security purposes. Even Active-X installers, like the Adobe Download Helper from NOS Systems. It is itself insecure, according to Secunia.
    -- Bob Primak --

  5. #5
    2 Star Lounger Katz's Avatar
    Join Date
    Feb 2010
    Location
    NYS
    Posts
    169
    Thanks
    0
    Thanked 0 Times in 0 Posts
    The best place for Mozilla help is not the Mozilla.org forums, but www.mozillazine.org.
    2 desktops: Win XP Pro SP3 / 3 GHZ/3 GB RAM/ Firefox, Thunderbird /
    Open Office

  6. #6
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by RochelleP View Post
    The best place for Mozilla help is not the Mozilla.org forums, but www.mozillazine.org.
    They've done pretty well on the SuMo Forum considering it is the first stop for every imaginable question. The mozillaZine community tends to handle higher level questions. (I'm registered with both.)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •