• Firefox 3.5.6 and Java Quick Start updates

    Home » Forums » AskWoody support » Questions: Browsers and desktop software » Other browsers » Firefox 3.5.6 and Java Quick Start updates


    Firefox 3.5.6 (and earlier), along with Java JRE now installs a Java Quick Start. This is a Firefox plug-in which cannot be automatically removed. I have no objection to such a plug-in being installed in my Firefox (under Windows XP Pro SP3) but I do object to the fact that when there was a recent JRE Update (JRE 6, update 17), the new version of the Firefox Java Quick Strart Plug-in was installed, but the old (Update 16) version of the Java Development Toolkit (a component of Java Quick Start) is not removed automatically.

    It is not easy to find a solution on the Internet, probably because few users realize that they have the new Plug-In, let alone that it has Java’s old habit of leaving behind older, insecure versions of itself. Unlike the Java Runtimes in Windows, there is no user option to simply remove the older version (or the newer version, for that matter). So I investigated this issue myself and found the following facts:

    1) Secunia (PSI) does not see the old (Update 16) version of the plug-in as insecure. PSI shows both versions, and shows their exact identiyt and location, so I am able to pick out exactly what to remove from the Firefox Program Folders. It is important to have accurate information on this, as the two versions are internally identified only by their hex-key codes. No Registry values seem to be involved. (See below (2).)

    2) There is no corresponding Windows Registry entry visible in Regedit for this plug-in.

    3) CCleaner’s Registry Cleaner module does not find any errors when two versions of this plug-in are present in Firefox. And when the old version folders are removed from the Firefox Programs Folders, CCleaner still finds no Registry Errors upon rescanning.

    4) Revo Uninstaller does not see these plug-ins.

    5) Simply removing (deleting) the corresponding folder from within the “C:/Program Files/ Mozilla Firefox/ Extensions/” Folder (Here you will need to consult the Secunia PSI Hex Code display, as the exact number may differ from machine to machine.) will render the plug-in undetectable to Secunia or the Acronis File Shredder utility in True Image Home 2010. Further, I suspect that while the visible listing inside of Firefox Add-ons still shows and is still Enabled, it is rendered (for the old version) non-functional. I Disabled the plug-in for each user on my computer, just as a precaution.

    6) There is no official documentation of how to do the above anywhere in the Mozilla Forums for Firefox, as far as I have seen.

    So, why should anyone care about an older version of a JRE Firefox Plug-in living alongside its updated cousin? Because, eventually, Secunia PSI may declare the older versions insecure, and they usually mean by this that there are known exploits in the field which can use the olde plug-ins as attack vectors. This has not happened yet, but I believe Mozilla is setting itself up for future problems, as long as these older versions have no Uninstall button in their listings.

    If anyone knows a better way to manage the Firefox Java Quick Start / Java Development Toolkit Firefox Plug-In for version updates, won’t you please post here? I don’t like my way of dealing with this, but it seems to be harmless yet effective for now. It is just a two-step process, once I figured out what needed to be done. What I do not like, are the accumulating phantom entries in my Firefox Plug-Ins List. Also, I wonder, are there any other residues I should be concerned about?

    Thanks in advance for any clues which anyone can offer here.

    -- rc primak

    Viewing 2 reply threads
    • #1192239

      I should run Secunia because the information in about:plugins (this is for 3.5.5 still) only shows the dll name, not the full path. Doesn’t this seems odd?

      Java Deployment Toolkit
      [indent] File name: npdeploytk.dll
      NPRuntime Script Plug-in Library for Java(TM) Deploy[/indent]
      Java(TM) Platform SE 6 U17
      [indent]File name: npjp2.dll
      Next Generation Java Plug-in 1.6.0_17 for Mozilla browsers[/indent]
      Java(TM) Platform SE 6 U12
      [indent]File name: npdeploytk.dll
      Java(TM) Platform SE binary[/indent]

      The first entry matches the dll in the C:Program FilesMozilla Firefoxplugins folder. The second one is my main plugin. Not sure what the third one is. Debris?? Perhaps it was a stray registry entry picked up during plugin scanning or leftover after an update.

    • #1210059

      You could try JavaRa. http://raproducts.org/ It will check for updates and has an option to remove old versions.

      Win 10 home - 22H2
      Attitude is a choice...Choose wisely

      • #1210410

        You could try JavaRa. http://raproducts.org/ It will check for updates and has an option to remove old versions.

        The advantage of Secunia PSI over individual version-checkers for things like Java, is that it is one-stop shopping, and will find any insecure older versions, and their residues, no matter where they are on your computer.

        And yes, there will be residues of old installations, sometimes in the most unexpected of places. Remove them all for security purposes. Even Active-X installers, like the Adobe Download Helper from NOS Systems. It is itself insecure, according to Secunia.

        -- rc primak

    • #1212069

      The best place for Mozilla help is not the Mozilla.org forums, but http://www.mozillazine.org.

    Viewing 2 reply threads
    Reply To: Firefox 3.5.6 and Java Quick Start updates

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: