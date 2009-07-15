Browsers, E-mail, & Web Apps forum

General discussion

Mozilla confirms critical vulnerability in Firefox 3.5

by Carol~ Moderator / July 15, 2009 9:01 AM PDT

15 July 2009

Mozilla has acknowledged that there is a critical JavaScript vulnerability in its Firefox 3.5 web browser and has confirmed that it's currently working on an update to address the problem. As a workaround, Mozilla advises users to disable the Just-in-time (JIT) JavaScript compiler. To do so, users must first enter about:config into the browser's location bar and then set the javascript.options.jit.content setting value to "false". When making changes to the about:config settings, users will first see a warning message stating that "This might void your warranty" and that changes to the advanced settings can be harmful to the stability, security and performance of Firefox. To continue, users must click a button marked "I'll be careful I promise!".

Mozilla notes that disabling the JIT compiler is only a temporary security measure and that it will result in decreased JavaScript performance. Once the update is released, users should change the value back to "true". Alternatively, users running Firefox 3.5 on Windows can run Firefox in Safe Mode, which automatically disables JIT.

More Here: http://www.h-online.com/security/Mozilla-confirms-critical-vulnerability-in-Firefox-3-5--/news/113772

Mozilla Security Blog: Critical JavaScript vulnerability
by Carol~ Moderator / July 15, 2009 9:04 AM PDT

"Critical JavaScript vulnerability in Firefox 3.5"

07.14.09

Issue

A bug discovered last week in Firefox 3.5's Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Impact

The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:

1. Enter about:config in the browser's location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content, setting the value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT setting to true by:

1. Enter about:config in the browser's location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content, setting the value to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode. Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.

Status

Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.

http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/

Related issue, the Firefox NoScript Add-on
by MarkFlax Forum moderator / July 15, 2009 9:44 PM PDT

Many Firefox users will have the NoScript add-on, and may assume that this will protect them from this vulnerability.

That may not be the case. NoScript is very good about disabling scripts in web sites and offering the user options to Allow, or Temporarily Allow them. If the web site is infected with this malicious code, then letting NoScript allow all scripts may give the code the access it needs.

Other than disabling JavaScript completely as described in Carol's posts, there is no easy answer to this. Just beware, and be cautious.

Mark

Mozilla Firefox v3.5.1 - Update
by Carol~ Moderator / July 16, 2009 11:31 PM PDT

Firefox 3.5.1 fixes the following issues:

* Several security issues.
* Several stability issues.
* An issue that was making Firefox take a long time to load on some Windows systems.

http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes
http://www.mozilla.com/en-US/firefox/all.html

Existing users can update via FF's built-in updater.
http://forums.cnet.com/5208-6132_102-0.html?messageID=3082998#3082998

A Note for those who disabled the JIT Compiler as a temporary measure:

'Once the update is released, users should change the value back to "true". Alternatively, users running Firefox 3.5 on Windows can run Firefox in Safe Mode, which automatically disables JIT.'

http://www.h-online.com/security/Mozilla-confirms-critical-vulnerability-in-Firefox-3-5--/news/113772

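An added example, not part of the thread or of Mozilla's advisory: a small Python check an administrator could run over profile `prefs.js` contents to confirm the workaround on Firefox 3.5 and to catch profiles that still have the JIT switched off after updating to 3.5.1. It assumes the version string is supplied by the caller, that `prefs.js` records changed preferences as `user_pref("name", value);` lines, and that a profile without the entry is at the normal (JIT on) setting the posts say to restore; the function names and sample contents are constructed for illustration.

```python
import re

PREF = "javascript.options.jit.content"
# prefs.js holds one user-modified preference per line:
#   user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
VULNERABLE = "3.5"  # assumption: any other version string means "updated"


def jit_content_state(prefs_text):
    """Return 'disabled', 'enabled' or 'default' for the content JIT pref."""
    state = "default"  # not in prefs.js: never changed from the built-in value
    for line in prefs_text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == PREF:
            # If the pref appears more than once, the last entry wins.
            state = "disabled" if m.group(2) == "false" else "enabled"
    return state


def check_profile(version, prefs_text):
    """Return (ok, message) for one profile, following the advice above."""
    state = jit_content_state(prefs_text)
    if version == VULNERABLE:
        if state == "disabled":
            return True, "workaround in place; update, then restore the JIT"
        return False, "vulnerable: set %s to false or update" % PREF
    if state == "disabled":
        return False, "updated but JIT still off: set %s back to true" % PREF
    return True, "updated, JIT at normal setting"


# Constructed sample prefs.js contents (not taken from a real profile).
MITIGATED = (
    "# Mozilla User Preferences\n"
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("javascript.options.jit.content", false);\n'
)
UNTOUCHED = (
    "# Mozilla User Preferences\n"
    'user_pref("browser.startup.homepage", "about:blank");\n'
)

if __name__ == "__main__":
    for version, prefs in [("3.5", UNTOUCHED), ("3.5", MITIGATED),
                           ("3.5.1", MITIGATED), ("3.5.1", UNTOUCHED)]:
        print(version, jit_content_state(prefs), check_profile(version, prefs))
```

Safe Mode disables the JIT without touching `prefs.js`, so a profile used only that way reports as "default" here.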