Mozilla has blacklisted an unpatched versions of the Java plug-in from Firefox on Windows in order to protect its users from attacks that exploit known vulnerabilities in those versions. The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer.

This vulnerability - present in the older versions of the JDK and JRE - is actively being exploited, and is a potential risk to users, according to Mozilla. To mitigate this risk, Mozila has added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date.

Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms.

Mozilla will automatically disable affected versions of the Java plugin unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

Updated versions of the JRE for Windows and Linux operating systems are available through java.com.

Researchers from F-Secure announced that new Web-based attacks are exploiting a vulnerability in the latest Java version for Mac OS in order to install malware. Preventing those attacks from affecting Firefox users would mean blacklisting the latest version of the Java plug-in for Mac.