bit-tech.net

Firefox 3.5 suffers critical JS flaw

The bug in Firefox 3.5's just-in-time JavaScript compiler - introduced to improve performance - can lead to arbitrary code execution.

The Mozilla Foundation is warning users of its latest web browser, Firefox 3.5, that an as-yet unpatched bug in the JavaScript engine could lead to remote code execution.

According to an article on V3.co.uk, the Foundation has confirmed that a flaw in the just-in-time (JIT) compiler in the JavaScript engine included in the newly-released Firefox 3.5 web browser can allow a malicious site to execute arbitrary code with the privileges of the logged-on user.

The flaw – for which there is no patch yet available – is the subject of at least one confirmed working exploit available on the web, making it easier for ne'er-do-wells to craft their own version and attack hapless web browsing users.

While the Foundation is working on a patch, an advisory on its security blog suggests temporarily disabling the JIT compiler via the javascript.options.jit.content option in the browser's about:config menu. While this workaround will protect users, JavaScript performance will be hampered until the hole is patched and the JIT compiler re-activated.
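As an added example (not from the article or from Mozilla), here is one way to audit and apply this workaround per profile by pinning the pref in the profile's `user.js`. The function names and the profile path are assumptions, and the demo runs on a constructed profile in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

PREF = "javascript.options.jit.content"  # pref name quoted in the article
# Matches e.g.  user_pref("javascript.options.jit.content", false);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(true|false)\s*\)\s*;',
    re.MULTILINE,
)


def jit_state(profile: Path) -> str:
    """Return 'disabled', 'enabled' or 'default' for one profile directory."""
    # user.js is re-applied at every start-up, so it takes precedence over prefs.js.
    for name in ("user.js", "prefs.js"):
        path = profile / name
        if path.is_file():
            found = PREF_RE.findall(path.read_text(encoding="utf-8", errors="replace"))
            if found:  # later lines override earlier ones
                return "disabled" if found[-1] == "false" else "enabled"
    return "default"  # no explicit setting: the browser's built-in default applies


def apply_workaround(profile: Path) -> bool:
    """Pin the pref to false in user.js; return True if the file changed."""
    user_js = profile / "user.js"
    text = user_js.read_text(encoding="utf-8") if user_js.is_file() else ""
    kept = [ln for ln in text.splitlines() if not PREF_RE.match(ln)]
    new_text = "\n".join(kept + [f'user_pref("{PREF}", false);']) + "\n"
    if new_text == text:
        return False
    user_js.write_text(new_text, encoding="utf-8")
    return True


def demo() -> list:
    """Run against a constructed profile in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        # Constructed prefs.js: JIT explicitly enabled.
        (profile / "prefs.js").write_text(f'user_pref("{PREF}", true);\n', encoding="utf-8")
        before = jit_state(profile)
        changed = apply_workaround(profile)
        return [before, changed, jit_state(profile), apply_workaround(profile)]


if __name__ == "__main__":
    print(demo())
```

Once the patched build is installed, remove the line from `user.js`; otherwise the JIT compiler stays off at every start-up.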

Alternatively, Firefox users could install the NoScript add-on, which will protect against any JavaScript execution on untrusted sites – although if a site on NoScript's trusted list gets infected, the browser would still be vulnerable.

The Firefox development team at Mozilla are said to be “working on a fix for this issue” which will be sent out to users as an automated Firefox Security Update as soon as testing is complete.

Any Firefox 3.0 users glad they didn't make the upgrade, or are you sniggering while patting your Opera or Internet Explorer install? Should the Mozilla Foundation be doing more to publicise this issue, which it rates as “critical?” Share your thoughts over in the forums.

21 Comments

lp1988 16th July 2009, 14:20
Running 3.5 but not using that many different sites, so as long as there is a fix within a reasonable timespan, I won't be worried.
pimonserry 16th July 2009, 16:03
I'm still on 3.0.11 because not all of my addons work with 3.5. Now I feel even better about it
Jozo 16th July 2009, 17:14
LOL I just upgraded yesterday. How does the "flaw" affect Vista with its UAC?



Ctrl + Shift + Pr0n for the win
Turbotab 16th July 2009, 17:20
Simple workaround using about:config, but it looks like tracemonkey is still being a naughty sod. I wonder if you have to be running an admin level account, for the remote software to install?
thehippoz 16th July 2009, 17:27
yeah vista uac would catch this I would think.. thanks for the heads up though- running the 3.5 guinea pig
Turbotab 16th July 2009, 17:43
Quote:
Originally Posted by thehippoz
yeah vista uac would catch this I would think.. thanks for the heads up though- running the 3.5 guinea pig

There are malware packages that attempt to gain admin level access, by trying to crack the admin account's password, which in many cases may be very weak.
Otto69 16th July 2009, 17:48
I'm still using 2.x on some of my computers because 3.x can be a performance and reliability pig.

Also I just LOVE how every install of Firefox is a crapshoot as to whether it will delete some or all of my myriad bookmarks.
thehippoz 16th July 2009, 17:49
Quote:
Originally Posted by Turbotab
There are malware packages that attempt to gain admin level access, by trying to crack the admin account's password, which in many cases may be very weak.

yep.. actually if you're like a lot of people on pre-builts they put the password unencrypted in the registry- and they disable the uac anyways

the overflow should set off the uac though- I'm just guessing and not willing to try it- maybe after this week's backup and they have no patch lol
pendragon 16th July 2009, 18:50
glad I use both IE and Firefox ..always have the freedom to use one or the other!
airchie 16th July 2009, 19:36
Quote:
Originally Posted by Turbotab
I wonder if you have to be running an admin level account, for the remote software to install?
It runs at whatever level you're logged in as so if you're running a restricted user account then you should receive minimal damage.
Quote:
Originally Posted by Otto69
Also I just LOVE how every install of Firefox is a crapshoot as to whether it will delete some or all of my myriad bookmarks.
xmarks FTW. ;)
Quote:
Originally Posted by pendragon
glad I use both IE and Firefox ..always have the freedom to use one or the other!
Or alternatively, you have double the number of infection vectors to worry about... ;)

FF + Noscript + xmarks = tehwin IMO :D
l3v1ck 16th July 2009, 20:09
I use NoScript anyway. It's a genius little addon.
sear 16th July 2009, 21:24
NoScript and Adblock, coupled with Spybot's immunisation and SpywareBlaster's magic stuff, basically make Firefox an impenetrable fortress. The only way my computer's getting infected is if I let it get infected.
impar 16th July 2009, 23:54
Greetings!

3.5.1 will be released tomorrow to fix this.
http://www.ghacks.net/2009/07/16/firefox-3-5-1-update-available/
dicobalt 17th July 2009, 06:32
Quote:
Originally Posted by impar
Greetings!

3.5.1 will be released tomorrow to fix this.
http://www.ghacks.net/2009/07/16/firefox-3-5-1-update-available/

I just installed the 3.5.1 update, was a 1.8MB download.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
p3n 17th July 2009, 09:09
Quote:
Originally Posted by Jozo
LOL I just upgraded yesterday. How does the "flaw" affect Vista with its UAC?



Ctrl + Shift + Pr0n for the win

You're using UAC? rofl

It probably has no idea what's going on inside firefox, just that it allowed FF to run...
impar 17th July 2009, 10:15
Greetings!

3.5.1 is now available through the auto update.
crazyceo 17th July 2009, 13:21
This is hilarious.

ALL HAIL IE8!!!!!!!!!!!!!!
kingred 17th July 2009, 13:24
Before people start touting x is more secure the same vulnerability has been proven to crash safari, kill the process in ie8 and just makes chrome lockup.
crazyceo 17th July 2009, 14:56
Yeah but you have to have a little fun every now and then.
rickysio 19th July 2009, 16:03
I'm running 3.6a1pre.

Anything to worry about? :D
Chocobollz 8th August 2009, 11:43
Quote:
Originally Posted by kingred
Before people start touting x is more secure the same vulnerability has been proven to crash safari, kill the process in ie8 and just makes chrome lockup.

How about Opera?