“This vulnerability-present in the older versions of the JDK and JRE-is actively being exploited, and is a potential risk to users.
If users don’t have the automatic updates enabled for Java, it could be a long time before they remember to update the software and that’s a dangerous habit given how much attackers love to exploit Java. The specific vulnerability in Java that Mozilla is trying to protect users against was patched by Oracle in February, but Java is one of the many browser components and extensions that users sometimes will fail to update for long periods of time. The decision to add these vulnerable versions of Java to the browser’s blocklist is designed to protect users who may not be aware of the flaw and attacks. Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that’s being actively exploited.
