Firefox 3.5.6 (and earlier), along with Java JRE, now installs a Java Quick Start. This is a Firefox plug-in which cannot be automatically removed. I have no objection to such a plug-in being installed in my Firefox (under Windows XP Pro SP3) but I do object to the fact that when there was a recent JRE Update (JRE 6, update 17), the new version of the Firefox Java Quick Start Plug-in was installed, but the old (Update 16) version of the Java Development Toolkit (a component of Java Quick Start) is not removed automatically.
It is not easy to find a solution on the Internet, probably because few users realize that they have the new Plug-In, let alone that it has Java’s old habit of leaving behind older, insecure versions of itself. Unlike the Java Runtimes in Windows, there is no user option to simply remove the older version (or the newer version, for that matter). So I investigated this issue myself and found the following facts:
1) Secunia (PSI) does not see the old (Update 16) version of the plug-in as insecure. PSI shows both versions, and shows their exact identity and location, so I am able to pick out exactly what to remove from the Firefox Program Folders. It is important to have accurate information on this, as the two versions are internally identified only by their hex-key codes. No Registry values seem to be involved. (See below (2).)
2) There is no corresponding Windows Registry entry visible in Regedit for this plug-in.
3) CCleaner’s Registry Cleaner module does not find any errors when two versions of this plug-in are present in Firefox. And when the old version folders are removed from the Firefox Programs Folders, CCleaner still finds no Registry Errors upon rescanning.
4) Revo Uninstaller does not see these plug-ins.
5) Simply removing (deleting) the corresponding folder from within the “C:/Program Files/ Mozilla Firefox/ Extensions/” Folder (Here you will need to consult the Secunia PSI Hex Code display, as the exact number may differ from machine to machine.) will render the plug-in undetectable to Secunia or the Acronis File Shredder utility in True Image Home 2010. Further, I suspect that while the visible listing inside of Firefox Add-ons still shows and is still Enabled, it is rendered (for the old version) non-functional. I Disabled the plug-in for each user on my computer, just as a precaution.
6) There is no official documentation of how to do the above anywhere in the Mozilla Forums for Firefox, as far as I have seen.
So, why should anyone care about an older version of a JRE Firefox Plug-in living alongside its updated cousin? Because, eventually, Secunia PSI may declare the older versions insecure, and they usually mean by this that there are known exploits in the field which can use the old plug-ins as attack vectors. This has not happened yet, but I believe Mozilla is setting itself up for future problems, as long as these older versions have no Uninstall button in their listings.
If anyone knows a better way to manage the Firefox Java Quick Start / Java Development Toolkit Firefox Plug-In for version updates, won’t you please post here? I don’t like my way of dealing with this, but it seems to be harmless yet effective for now. It is just a two-step process, once I figured out what needed to be done. What I do not like are the accumulating phantom entries in my Firefox Plug-Ins List. Also, I wonder, are there any other residues I should be concerned about?
Thanks in advance for any clues which anyone can offer here.
-- rc primak