Firefox 3.5 suffers critical JS flaw

July 16, 2009 // 1:11 p.m.

Tags: #0day #actionscript #ecmascript #firefox #firefox-35 #firefox-vulnerability #javascript #jit-compiler #js #vulnerability #zero-day

The Mozilla Foundation is warning users of its latest web browser, Firefox 3.5, that an as-yet unpatched bug in the JavaScript engine could lead to remote code execution.

According to an article on V3.co.uk, the Foundation has confirmed that a flaw in the just-in-time (JIT) compiler in the JavaScript engine included in the newly-released Firefox 3.5 web browser can allow a malicious site to execute arbitrary code with the privileges of the logged-on user.

The flaw – for which there is no patch yet available – is the subject of at least one confirmed working exploit available on the web, making it easier for ne'er-do-wells to craft their own version and attack hapless web browsing users.

While the Foundation is working on a patch, an advisory on its security blog suggests temporarily disabling the JIT compiler via the javascript.options.jit.content option in the browser's about:config menu. While this workaround will protect users, JavaScript performance will be hampered until the hole is patched and the JIT compiler re-activated.
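One way to confirm the workaround is in place on a profile, as an added example that is not from the article or from Mozilla: it parses the text of a profile's prefs.js and user.js and reports whether javascript.options.jit.content is effectively false. The function names and sample file contents are constructed for illustration, and it assumes the JIT is on when the preference is absent.

```python
import re

PREF = "javascript.options.jit.content"  # preference named in the advisory

# One line of prefs.js / user.js looks like: user_pref("name", value);
# Anchoring at the start of the line skips commented-out entries.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: raw_value} for each user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs

def jit_workaround_applied(prefs_js="", user_js=""):
    """True only if the effective value of the preference is false.

    user.js is applied on top of prefs.js at startup, so it takes precedence.
    Assumption: an absent preference means the default (JIT enabled) applies.
    """
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    return effective.get(PREF, "true") == "false"

# Constructed sample file contents (not taken from a real profile).
SAMPLE_UNTOUCHED = 'user_pref("browser.startup.homepage", "about:blank");\n'
SAMPLE_DISABLED = SAMPLE_UNTOUCHED + 'user_pref("%s", false);\n' % PREF
SAMPLE_COMMENTED = '// user_pref("%s", false);\n' % PREF
SAMPLE_USER_JS_ON = 'user_pref("%s", true);\n' % PREF

if __name__ == "__main__":
    cases = [
        ("untouched profile", SAMPLE_UNTOUCHED, ""),
        ("workaround in prefs.js", SAMPLE_DISABLED, ""),
        ("entry commented out", SAMPLE_COMMENTED, ""),
        ("user.js re-enables JIT", SAMPLE_DISABLED, SAMPLE_USER_JS_ON),
    ]
    for label, prefs_js, user_js in cases:
        state = "applied" if jit_workaround_applied(prefs_js, user_js) else "NOT applied"
        print("%-24s workaround %s" % (label, state))
```

To audit a real profile, pass the contents of its prefs.js and, if present, user.js; a user.js that sets the preference back to true silently undoes a change made through about:config at the next start.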

Alternatively, Firefox users could install the NoScript add-on, which will protect against any JavaScript execution on untrusted sites – although if a site on NoScript's trusted list gets infected, the browser would still be vulnerable.

The Firefox development team at Mozilla are said to be “working on a fix for this issue” which will be sent out to users as an automated Firefox Security Update as soon as testing is complete.

Any Firefox 3.0 users glad they didn't make the upgrade, or are you sniggering while patting your Opera or Internet Explorer install? Should the Mozilla Foundation be doing more to publicise this issue, which it rates as “critical”? Share your thoughts over in the forums.
