Security vulnerabilities in the Java Development Kit and Java Runtime Environment that were patched in a February release pose such a security risk to browser users that the Mozilla Foundation has added older versions of the Java plugin to Firefox’s blocklist, disabling them from running within the browser.

In a post to Mozilla’s Firefox Add-Ons blog, Mozilla channel manager Kev Needham said the vulnerability “is actively being exploited, and is a potential risk to users.” Currently, the blocklist includes only out-of-date versions of the Java 6 and Java 7 plugins for Windows, but Needham said that an entry for the Mac OS X Java plugin “may be added at a future date.”

The vulnerabilities, disclosed by Oracle on February 14, allow an attacker to bypass the Java “sandbox” and execute arbitrary code on the victim’s system. Researchers at Microsoft’s Malware Protection Center have already found malicious websites exploiting the flaw. And according to security blogger Brian Krebs, tools that automate setting up sites to exploit it are already being distributed as “exploit packs” for BlackHole, a toolkit used to build malicious websites that infect visiting PCs with bot and other malware.

But the patch posted by Oracle to close the vulnerability remains widely uninstalled. Marcus Carey, a security researcher at Rapid7, said that he estimates 60 to 80 percent of computers running Java are still vulnerable to the attack. “Looking long term, upwards of 60 percent of Java installations are never up to the current patch level,” he said in an e-mail to Ars.
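An added example, not code from the article, Mozilla or Oracle: a small Python triage script that parses Java version strings from an inventory and flags installs still below the February patch level, the check a practitioner would want given those unpatched-install estimates. It accepts both `java -version` output and the plugin display name Firefox shows in about:plugins (the latter an assumed format). The patched update numbers it uses (Java SE 6 Update 31, Java SE 7 Update 3) are not stated on the page and are an assumption to verify against Oracle’s advisory; the host inventory is constructed.

```python
import re

# ASSUMPTION (not on the page): minimum update levels of the Oracle February 2012
# Critical Patch Update, Java SE 6 Update 31 and Java SE 7 Update 3.
# Verify against Oracle's advisory before relying on these numbers.
MIN_PATCHED_UPDATE = {6: 31, 7: 3}

# Two version-string shapes handled here:
#   java -version output ......... java version "1.6.0_29"
#   Firefox about:plugins name ... Java(TM) Platform SE 6 U29   (assumed format)
_JAVA_VERSION_RE = re.compile(r'\b1\.(?P<major>\d)\.0(?:_(?P<update>\d+))?\b')
_PLUGIN_NAME_RE = re.compile(r'Java\(TM\) Platform SE (?P<major>\d)(?: U(?P<update>\d+))?')


def parse_java_version(text):
    """Return (major, update) or None if no recognisable Java version is present.
    A missing update suffix (e.g. "1.7.0") is treated as update 0."""
    for pattern in (_JAVA_VERSION_RE, _PLUGIN_NAME_RE):
        m = pattern.search(text)
        if m:
            return int(m.group('major')), int(m.group('update') or 0)
    return None


def is_below_feb_cpu(text):
    """True if the version is older than the February CPU level, False if at or
    above it, None if the version is unrecognised or its major release is not
    covered by MIN_PATCHED_UPDATE (an unknown should never be reported as safe)."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    minimum = MIN_PATCHED_UPDATE.get(major)
    if minimum is None:
        return None
    return update < minimum


def triage(inventory):
    """Map host -> 'vulnerable' | 'patched' | 'unknown' for a dict of host -> version text."""
    labels = {None: 'unknown', True: 'vulnerable', False: 'patched'}
    return {host: labels[is_below_feb_cpu(text)] for host, text in inventory.items()}


def vulnerable_fraction(inventory):
    """Share of hosts with a recognised, covered Java version that are below the patch level."""
    known = [v for v in (is_below_feb_cpu(t) for t in inventory.values()) if v is not None]
    return sum(known) / len(known) if known else 0.0


# Constructed sample inventory (not real hosts) covering both string shapes and the edge cases.
SAMPLE_INVENTORY = {
    'ws-01': 'java version "1.6.0_29"',     # below 6u31
    'ws-02': 'java version "1.6.0_31"',     # exactly the patched level
    'ws-03': 'Java(TM) Platform SE 7 U2',   # below 7u3
    'ws-04': 'Java(TM) Platform SE 7 U3',   # patched
    'ws-05': 'java version "1.7.0"',        # no update suffix: treated as update 0
    'ws-06': 'no java installed',           # unrecognised
}

if __name__ == '__main__':
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f'{host}: {status}')
    print(f'vulnerable fraction: {vulnerable_fraction(SAMPLE_INVENTORY):.0%}')
```

Feed it whatever your asset inventory exports (output of `java -version` per host, or the plugin names scraped from about:plugins); hosts whose version cannot be parsed are reported as unknown rather than silently counted as patched, since a blank or malformed string is more often a collection failure than an absence of Java.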