Firefox is advising users to disable vulnerable Java versions on Windows. I actually saw this in action on a machine yesterday, a machine that has to run a slightly dated version of the JRE because a vendor hasn’t certified their product with the current version yet.
That’s unavoidable sometimes. So Mozilla’s mitigation is great: it displays a popup recommending that the user deselect a checkbox to keep that version of Java from running within Firefox. This is good, because a web browser visiting web sites makes the best possible conduit for malware planted inside hostile Java applets. Get hit this way, and it can be days or weeks or even longer before you even realize you’re infected.
So far, Firefox is only doing this on Windows. I hope they’ll start doing it on all platforms. And I hope other browsers will copy this feature.