Comments on: Critical JavaScript vulnerability in Firefox 3.5

By: Brandon Sterne

Brandon Sterne — Thu, 23 Jul 2009 23:30:01 +0000

@Russell

Yes, the fix was included in Firefox 3.5.1 which was release Thursday, July 16. You should have received an update notification if you are running Firefox 3.5.

By: Daniel Veditz

Daniel Veditz — Thu, 23 Jul 2009 23:29:51 +0000

This was fixed in Firefox 3.5.1 which was released Thursday July 16.

http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/

By: Russell Frank

Russell Frank — Thu, 23 Jul 2009 23:19:44 +0000

It’s been 9 days since this exploit was revealed. Is there a fix yet?

By: Peter

Peter — Sun, 19 Jul 2009 09:01:41 +0000

I’ve looked all over the web today and yesterday and cannot find a decent explanation for why firefox 3.5.1 is running so slowly on my macbook (OSX 10.5)

It’s not just loading pages where it’s slow, it appears to hang for short periods (2-8 seconds) after clicking in the menu bar or any other sort of “non-surfing” command. It’s a fresh install of 3.5.1 with no add-ons.

I am not finding the same sort of problem with safari or any other programs I’m running and there is no obvious increase in CPU activity.

I am getting an “unresponsive script” window when loading my home page on facebook with the details:

“Script: file:///Applications/Firefox.app/Contents/MacOS/components/nsProxyAutoConfig.js:133″

I don’t know if this is part of the problem. Any help would be appreciated. I don’t want to go back to using Safari but at the moment Firefox is too slow to be usable.

By: Ruth

Ruth — Sun, 19 Jul 2009 01:17:28 +0000

Please help me: I installed 3.5 and I lost access to many sites -ex:Huffington Post, BBC, AND all help sites. I removed it but my Mac still thinks it is there and then I tried to install 3.0.11 but it would not open. It tells me Firefox is already open. What can I do? I have a Mac version 10.5.7. I am no programmer.

By: Concerned

Concerned — Sat, 18 Jul 2009 23:44:53 +0000

Thanks for responding so quickly. I was just concerned as what I had read about the vulnerability on the site referenced in CVE-2009-2479 said:

“By sending an overly long string of unicode data to the document.write method, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.”

on another site:

“Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions.”

I’m not familiar enough with firefox to know whether it really cannot be exploited to execute code or not.

By: Daniel Veditz

Daniel Veditz — Sat, 18 Jul 2009 21:14:39 +0000

There is no evidence of a buffer overflow with milw0rm 9158 (CVE-2009-2479). It’s an out-of-memory denial of service which would be nice to fix but doesn’t warrant an emergency response.

By: Concerned

Concerned — Sat, 18 Jul 2009 19:44:15 +0000

Can we now have a fix to: CVE-2009-2479 ?

Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability

Which still exists in version 3.5.1 afaik

By: TL

TL — Sat, 18 Jul 2009 01:43:50 +0000

For all those asking whether FF 3.5.1 fixes the problem and allows one to revert the change to JIT settings, see

http://www.mozilla.org/security/announce/2009/mfsa2009-41.html

which asserts that “Users of Firefox 3.5 can avoid this vulnerability by disabling the Just-in-Time compiler as described in the Mozilla Security Blog. That workaround is not necessary in Firefox 3.5.1 and can be reverted.”

By: Daniel Veditz

Daniel Veditz — Sat, 18 Jul 2009 01:42:54 +0000

Firefox 3 and 3.5 do use /GS, /NXCOMPAT, and /DYNAMICBASE. Low Integrity Level is being worked on.