Critical JavaScript vulnerability in Firefox 3.5

Issue

A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Impact

The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT setting to true by:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode. Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.
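The two about:config procedures above flip a single preference. For anyone who has to apply the workaround to many machines and later revert it, the following added Python script (not Mozilla's code, and not part of the original post) does the same through a user.js file, which Firefox reads into prefs.js at every start. The profile layout it assumes (one profile per sub-directory of a profiles folder, each containing a prefs.js) matches the default Firefox layout on Windows and Linux; the function names are the example's own.

```python
"""Pin or release javascript.options.jit.content via user.js (added example, not Mozilla's code).

Assumed layout: a profiles folder whose sub-directories are Firefox profiles
(e.g. %APPDATA%\\Mozilla\\Firefox\\Profiles on Windows, ~/.mozilla/firefox on Linux).
"""
import re
from pathlib import Path
from typing import Dict, Optional

PREF = "javascript.options.jit.content"

# Match exactly one whole user_pref line for this pref, so that related prefs
# such as javascript.options.jit.chrome are never touched.
PREF_LINE_RE = re.compile(
    r'^[ \t]*user_pref\("' + re.escape(PREF) + r'",[ \t]*(true|false)\);[ \t]*$',
    re.MULTILINE,
)


def jit_state(user_js_text: str) -> Optional[bool]:
    """True/False if user.js pins the pref; None if absent, so Firefox 3.5's default (JIT on) applies."""
    match = PREF_LINE_RE.search(user_js_text)
    return None if match is None else match.group(1) == "true"


def set_jit_pref(user_js_text: str, enabled: bool) -> str:
    """Return user.js text in which the JIT pref is pinned to `enabled` (existing line replaced, else appended)."""
    new_line = f'user_pref("{PREF}", {"true" if enabled else "false"});'
    if PREF_LINE_RE.search(user_js_text):
        return PREF_LINE_RE.sub(new_line, user_js_text)
    if user_js_text and not user_js_text.endswith("\n"):
        user_js_text += "\n"
    comment = "// Firefox 3.5 JIT workaround; temporary, set back to true after updating to 3.5.1\n"
    return user_js_text + comment + new_line + "\n"


def apply_to_profiles(profiles_dir: Path, enabled: bool) -> Dict[str, Optional[bool]]:
    """Rewrite user.js in every profile under profiles_dir; return {profile name: resulting pinned state}."""
    results: Dict[str, Optional[bool]] = {}
    for profile in sorted(p for p in Path(profiles_dir).iterdir() if p.is_dir()):
        if not (profile / "prefs.js").exists():
            continue  # not a Firefox profile directory
        user_js = profile / "user.js"
        current = user_js.read_text(encoding="utf-8") if user_js.exists() else ""
        user_js.write_text(set_jit_pref(current, enabled), encoding="utf-8")
        results[profile.name] = jit_state(user_js.read_text(encoding="utf-8"))
    return results


if __name__ == "__main__":
    import sys
    # usage: python jit_pref.py <profiles_dir> disable|enable
    for name, state in apply_to_profiles(Path(sys.argv[1]), sys.argv[2] == "enable").items():
        print(f"{name}: {PREF} = {state}")
```

Because user.js is re-applied on every start, the pref stays pinned even if someone changes it in about:config; running the script again with `enable` after the 3.5.1 update rewrites the same line to true rather than leaving a second copy behind. On a Firefox 3.0 profile the pref simply has no effect, which is consistent with the comments below from users who could not find it in about:config.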

Status

Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.

Credit

Zbyte reported this issue to Mozilla and Lucas Kruijswijk helped reduce the exploit test case.

Update: This vulnerability has been fixed in Firefox 3.5.1, released Thursday, July 16, 2009.

80 comments on “Critical JavaScript vulnerability in Firefox 3.5”

  1. Hugo wrote on

    Is 3.0.x code base vulnerable too? When was this vuln introduced? Thanks!

  2. Renato S. Yamane wrote on

    Hum…
    https://bugzilla.mozilla.org/show_bug.cgi?id=503970

  3. m0niker wrote on

    from the command line (batch file):

    firefox.bat
    rem Copy user.js into every *.default Firefox profile under %APPDATA%
    rem ("delims=" keeps a profile name containing spaces intact)
    for /f "delims=" %%a in ('dir /B "%APPDATA%\Mozilla\firefox\Profiles\*.default"') do xcopy /y user.js "%APPDATA%\Mozilla\firefox\Profiles\%%a\"

    user.js
    // Firefox 3.5's Just-in-time (JIT) JavaScript Vulnerability - 7.14.09
    user_pref("javascript.options.jit.content", false);

  4. this is my name wrote on

    what is the bug number for this security problem on Mozilla's bugzilla? any more details?

    the mozilla wiki doesn't show anything 🙁

  5. anon wrote on

    Wow, man… not even Internet Explorer gets critical exploits 2 days after release.

  6. Jess wrote on

    If that option doesn’t appear in my about:config, could it be because ubuntu already disabled it for me? The only “javascript.options” I have are “relimit”, “showInConsole”, and “strict”.

  7. Joe Bloggs wrote on

    I’ve been googling all over and visiting the various firefox sites, mozillazine etc and not seen anything about this vulnerability.

    Why is this blog so well hidden? It’s really reassuring to finally read that you guys are working to fix the problem. I only found this blog via incidents.org

  8. Asa Dotzler wrote on

    @Hugo, no this is not a bug in Firefox 3.0. It only affects 3.5 which includes the new JIT features in its JS engine.

    @anon said “Wow, man… not even Internet Explorer gets critical exploits 2 days after release.”

    Actually, it’s not two days after release. It’s two weeks after the release. And yes, even Internet Explorer (and Safari and Chrome and Opera) have all had vulnerabilities disclosed days and weeks after their releases.

    @Jess, you’re probably still on Firefox 3.0.x which isn’t impacted.

    @Joe, this is Mozilla’s official security blog. It’s where these kinds of announcements happen. If you queried Google for mozilla and security, you’d see this as the third link.

  9. skierpage wrote on

    Does Firefox trunk (3.6a1pre) have a fix for this bug yet?

    What about javascript.options.jit.chrome , which defaults to false? I’ve had that set to true to look for bugs.

  10. skierpage wrote on

    Hugo, Firefox 3.0 doesn’t have the super-fast TraceMonkey “just in time” (“jit”) JavaScript engine, so I doubt this vulnerability applies.

    anon, Microsoft has suffered far more zero day vulnerabilities than Firefox.

  11. Daniel Veditz wrote on

    @this is my name: https://bugzilla.mozilla.org/show_bug.cgi?id=503286

    @skierpage: yes, today’s 3.6 nightly has the fix for this bug. It was checked in yesterday, a few hours _before_ we learned of the milw0rm posting. This fix was going to be in the 3.5.x update we had scheduled for the end of July, but obviously now we have moved up the schedule for release.

  12. franz wrote on

    NoScript is your friend. 🙂

  13. Andy wrote on

    > not even Internet Explorer gets critical exploits 2 days after release.

    Are you kidding?

    Internet Explorer *always* has security holes.

    The security holes stay there for many months waiting to be fixed – here’s proof:
    http://secunia.com/advisories/product/12366/
    ^ Get the facts — Internet Explorer 7 Security Holes

    Mozilla patches Firefox security holes in about 1-2 days.

    I never, ever caught anything with Firefox. With Internet Explorer I’ve gotten over 5 malicious programs installed (in the first few years I’ve used it).

    Get real. Stop spreading your FUD.

  14. Slush wrote on

    @franz: NoScript is not a friend. NoScript is a click-nagging nanny.

  15. AdrenalinMd wrote on

    Interesting, there is not an update yet, the exploit was posted on 13/07/09 on milw0rm.

  16. jmdesp wrote on

    When searching “security firefox” the top result is to the Known Vulnerabilities page that doesn’t yet have an entry for Firefox 3.5.
    So it should be added, and this vulnerability listed there.

  17. Tom wrote on

    @5: No, IE doesn’t “get vulnerabilities” two days after the release, because only few people have access to the source code. Maybe you should have said “wow, Moz FF tries to provide patches a lot faster and easier than MS IE”

  18. bub wrote on

    all large software projects have holes, including browsers. doesn’t matter which browser. some get fixed faster than others, but they all have flaws. just because you hear about an exploit and it’s fixed 2 days later doesn’t mean it hasn’t been exploited a long time before it was made public. if you believe otherwise, you’re part of the problem.

  19. Anka wrote on

    I tried the example on milw0rm using “Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.9.1) Gecko/20090624 Firefox/3.5” but nothing happened. The error console is empty too. Does this only affect 32bit systems perhaps?

  20. John wrote on

    Good thing Ubuntu 9.04 still has firefox 3.0.11 as default. But a link from mozilla main page for security news would be very welcome, nothing about this even in security center section, good thing I found out about this in a blog.

  21. paefrati wrote on

    Will there be a fix for this any time soon:
    http://ha.ckers.org/weird/CSS-history.cgi

  22. Zirro wrote on

    @Slush NoScript is your friend if you’re prepared to do some extra clicks, and most people aren’t lazy enough to not do that 😉

  23. BKF wrote on

    @Slush: I don’t know what you’re talking about. There are configuration options in NoScript to reduce its chattiness and it’s very easy to automatically configure it to whitelist any sites that you use on a regular basis.

    I’ve been running it for years and it’s just about the best Internet-oriented add-on I’ve ever run. Combined with adblock plus it reduces site load time on complex pages almost in half by blocking content and scripts that are loaded from third-party sources which I have no interest in running. I’m absolutely certain that unless one of the handful of sites I regularly used gets infected, that Noscript would do well to protect anyone using it from this.

    No security tool will ever be fire and forget, nor should they be. But Noscript can be made to only nag you under certain circumstances.

  24. Maarten wrote on

    is this a vulnerability on Linux, Mac and Windows ?

  25. Maarten wrote on

    any OS or just Windows ?

  26. Britt wrote on

    I tried to correct the issue in my 3.5 and there was no javascript.options.jit even listed?

  27. glenn wrote on

    Finally, a forum where there’s nobody saying “I have a Mac, so I’m immune”. THANK YOU GOD.

  28. nemo wrote on

    https://bugzilla.mozilla.org/show_bug.cgi?id=503286#c34

    If you check out the mozilla bug, you can see that they say that one reason for speed of the exploit was that a known mozilla bug, with appearance of being exploitable, was not hidden while being fixed.

    They even had nice testcases to work from.

  29. Luiz wrote on

    @anon Isn’t it reassuring to know that this bug was uncovered that fast? Wasn’t Microsoft the one company who would release “undisclosed” patches intertwined in its usual security upgrades?

    http://blogs.zdnet.com/microsoft/?p=527

    http://blogs.zdnet.com/security/?p=316

    No wonder Internet Explorer has fewer bugs when compared to its competitors.

  30. Woody wrote on

    @Slush: I’d rather have a click-nagging nanny as an option than a browser that has vulnerabilities that only get fixed on alternating Tuesdays *if* someone bothers to fix it this week. 😛 If you don’t like it, don’t install it. It’s kept lots of crap from infesting my system (and from flashing in my page margins), so I suggest it to others.

  31. hkpk wrote on

    I tried the code, but nothing happened, Firefox 3.5 displays the full code (not only the desired text).
    Is this affected by the SUN JAVA RTE (whether it is installed or not)?

  32. Fausty | torrentfreedom wrote on

    Another vote for NoScript. Yes, it’s a bit naggy. Yes, it’s well worth it to keep script-happy websites from loading down simple pages with dozens of poorly-written, insecure, memory-hog scripts.

  33. Spade wrote on

    This really ought to be somewhere prominent on the main Firefox page. If I hadn’t already known that this critical vulnerability existed, I’d not have found this blog post. Not good, Mozilla, not good.

    @ glenn – So you’re more worried about sticking it to Mac users than having an OS that’s significantly more secure? You may want to re-examine your priorities. 😉

    @ BKF – The author of NoScript recently included code intended to disable parts of Adblock Plus. They’ve gotten their wrists slapped for it, but as a result NoScript is not to be trusted. I use the RequestPolicy extension instead to block unwanted third-party content, and it’s a lot easier to manage than NoScript’s zillions of unnecessary options.

  34. Cat wrote on

    I read about this on the US-CERT website yesterday, US-CERT recommends disabling Javascript in the FF browser, which I have done (via tools > options > content > unchecked enable JavaScript). This option is not mentioned in your post here, can you please tell me if disabling JS as I have done is safe, or do I need to do the work-around as you’ve outlined here?

    Thanks.

  35. A wrote on

    Good day,
    If you use sandboxie with firefox 3.5 without using this temporary solution you suggest would the exploit still get thru?

  36. Kevin wrote on

    Is this supposed to do anything? I tried this page but nothing happened. (Obviously, I copied it into a text/html document first, and loaded that).

  37. mercohaulic wrote on

    @ Cat – From what I have experienced, if you perform that step it will affect login to sites requiring login authentication such as Hotmail and others that you use. As such, it might not be feasible to use the option only having to enable it later to login to your preferred websites.

    On the other hand if you do not use the services, I guess your method is the most secure option. However, the method mentioned here is less strict but still secure I reckon.

  38. Daniel Veditz wrote on

    @Cat: disabling JavaScript will prevent this exploit

    @A: the exploit would still crash Firefox but if sandboxie does its job hopefully that will protect your system. It may be possible for an exploit writer in the future to attach a payload that will avoid crashing the browser — if so it could spy on your browsing without any protection from sandboxie at least until you shut down the browser.

    @Kevin: are you using Firefox 3.5 or 3.0? It’s not expected to do anything in Firefox 3.0. It also won’t affect 3.5 if you’ve disabled the JIT, are running in “safe mode” (which disables the JIT), or have JavaScript turned off.

  39. Jim Davis wrote on

    Yeah, why not just release a small patch via update to turn off the JIT setting, instead of requiring folks to ‘hear about it”.

    Bet less than 1/2 know this is even an issue as of Wed night.

  40. Daniel Veditz wrote on

    No amount of notice in the technical press will reach even a fraction of Firefox users, those folks won’t be reached until we ship them a fix. Since we had the _right_ fix in hand (before the milw0rm posting) there’s no point shipping a stop-gap fix.

  41. Kevin wrote on

    Here’s my UA: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1pre) Gecko/20090709 Shiretoko/3.5.1pre

    Is this just a Windows thing? At any rate, I’ll probably upgrade to the latest from trunk tonight if it fixes this.

  42. DJ wrote on

    Does the security issue with 3.5 affect MAC running 10.5?

  43. Cat wrote on

    @ Mercohaulic and Daniel Veditz (38 & 39)

    Thanks heaps. I was pretty sure it would be safe, I just wanted to check since it was not mentioned here. (Just in case there was something fundamental about how all this works that I was going over my head).

    Mercohaulic I have certainly noticed that some functions just don’t work with JS disabled, it makes me appreciate how much JS is used on the net! If the patch looks like it will be a while away I’ll just have a go at implementing this JIT disable thing, otherwise the things I need JS for can happily wait.

  44. Daniel Veditz wrote on

    @DJ, @Kevin: the underlying bug happens on all platforms. The proof-of-concept exploit posted to milw0rm contained a windows-only payload, but it wouldn’t be too hard for someone to graft on Mac and Linux payloads from the Metasploit project and make it cross-platform.

  45. Neam wrote on

    Oh well, use internet explorer…

  46. Danny wrote on

    The race is on. Who will fix their 0 day first?

    http://isc.sans.org/diary.html?storyid=6778

  47. free wrote on

    bugs happen in every program .. im sure mozilla will fix it really fast
    and thumbs up on the full disclosure .

  48. Ho wrote on

    I don’t know the technical stuff but I have disabled the javascript as instructed. Now how do I know if my PC has been compromised or that the exploit got thru? Thanks

  49. hkpk wrote on

    I have loaded the exploit template, nothing happened. If the JIT is disabled in Firefox, loading the “exploit” is slower. I also disabled the integration of SUN JAVA VM in Firefox, disabled the “next-generation browser integration”, no visible effect, Calc.exe does not start.

    I have XP SP3, KPF, NOD32, Firefox 3.5 + ABP (NoScript is not installed).

    What is “wrong”?

  50. Yuhong Bao wrote on

    Tom and free: Mozilla do not normally practice full disclosure. They normally practice responsible disclosure by hiding bugs, but this one got missed.

  51. mercohaulic wrote on

    An update has been rolled out guys.
    I’m pretty sure it fixes the problem highlighted here.

  52. Cat wrote on

    I just got a firefox update – 3.5.1. When I re-started my browser it opened to this page: http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/

    I clicked on the “Several Security Issues” link in the list of fixes to see if this JIT problem above had been fixed, however that link takes you to a 404: File not found error page. ( http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1 )

    Can someone from Mozilla please advise readers here if we can re-enable JIT safely after getting this 3.5.1 update? Thank-you.

  53. Allan wrote on

    I have Firefox 3.0.11.
    Does the bug affect this version?
    Thank you

  54. AGH wrote on

    Last time I jump onto a new major FF version so soon. This is all the marketers’ fault, “THE FASTEST FIREFOX YET”, 10 TIMES FASTER – who the hell cares, or needs JS.

  55. Cat wrote on

    Re comment 52 – scratch that – the link is working now and it appears to be the fix for this. 🙂

  56. Daniel Veditz wrote on

    @mercohaulic: you beat me to it. Yes, we just released the update that fixes this problem. Firefox 3.5 users can “Check for Updates” from the Help menu, and everyone else can get it from http://www.mozilla.com

    @Cat: The Known-vulnerabilities page should be visible now.

    @Allan: Please read the comments, the very first one asked that same question (and was answered in comment 8). Firefox 3.0 does not have the JIT feature that was at fault here.

  57. jmdesp wrote on

    Daniel, can you *also* update the “Known Vulnerabilities in Mozilla Products” http://www.mozilla.org/security/known-vulnerabilities/ so that it lists Firefox 3.5 ?

  58. mercohaulic wrote on

    @Daniel Veditz
    It’s all cool =D. The sooner people know the better, especially when it comes to security.

  59. EB wrote on

    So… Can we put javascript.options.jit.content=true again?
    Thanks

  60. marty wrote on

    Dumb question, but after the update, can you set JIT back to “true” safely?

  61. Joe Bloggs wrote on

    Thank you mozilla team for the update!

    This has been a tense few days waiting for the update and clicking “Check for updates” hourly..

    I am also pleased to now be able to turn back on the JIT feature which finally made javascript work at a reasonable speed instead of slowing my PC to a crawl!

    Keep up the great work

  62. Dzul RP W35B Singapore wrote on

    So, with the new version 3.5.1, is the issue completely fixed?? So I can enable all the Java back to normal??

  63. Dzul Owen RP W35B Singapore wrote on

    The new version is out. 3.5.1 . Does that mean that the issue of the recent security is fixed?? So, that means that I can change back all the settings for the Java back to normal, like it used to be?? Thanks for any reply..

  64. Alan Baxter wrote on

    @marty:
    Yes. The blog says it’s safe to set it back to true now.

  65. Spritemoney wrote on

    Firefox 3.5.1 patches this. This is what i love about firefox, if there is a problem with the browser, updates are sent ASAP.

  66. DB wrote on

    Before updating to 3.5.1, I had a weird experience – On my Mac (OS 10.4.11) I had Safari 4.0 and Firefox 3.5.0 open at the same time. Javascript was turned off in Firefox, ON in Safari. In SAFARI, I saw a porn-related text string in the status bar from a travel-related site that you wouldn’t expect that from. I reloaded the page and it was not there… Firefox had not crashed.
    A) Was JIT vulnerability in Firefox operative with Javascript off?
    B) Could it have run a Javascript in the status bar of Safari?
    C) Would the JIT problem happen if the browser had not 1st crashed?
    D) Or was it just that the travel site – seriously, about campgrounds! – was making money on the side?

    Thanks for any help!

  67. Paco Verde wrote on

    @glenn: I have a Mac, so I’m immune 😉

  68. Daniel Veditz wrote on

    @Paco Verde: Macs are not immune. The payload in the milw0rm posting was windows-only, but as I said earlier it’s easy enough to replace the payload with a Mac or Linux one. Or even all three — we’ve seen lots of malicious pages do browser-detection and serve up different exploits for different browsers and platforms.

    @DB: there is no JIT running if you’ve disabled JavaScript. I don’t know what you saw but it wasn’t this. If you want help trying to figure it out please visit the forums or Live Chat at http://support.mozilla.com

  69. Christophe wrote on

    Chrome and IE7/8 all have Integrity Level (on Vista/7) and NX protection enabled. When will Firefox have this? Shouldn’t the user’s security be a first? Firefox developers, wake up.

  70. Christophe wrote on

    Also worth mentioning is /GS (-fstack-protector with gcc) and /DYNAMICBASE (-fPIE). How about enable those as well?

  71. Daniel Veditz wrote on

    Firefox 3 and 3.5 do use /GS, /NXCOMPAT, and /DYNAMICBASE. Low Integrity Level is being worked on.
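Whether a shipped binary really carries the /NXCOMPAT and /DYNAMICBASE protections discussed in the exchange above is something a deployer can verify without trusting anyone's word, because both linker options set documented bits in the DllCharacteristics field of the PE optional header. The following added Python script (not Mozilla's code and not part of the original post) reads that field; the bit values and header layout are from winnt.h and the PE specification, while `build_sample_pe` is a constructed header used only to exercise the parser. /GS is deliberately not reported: it leaves no header flag and cannot be detected this way.

```python
"""Report /NXCOMPAT and /DYNAMICBASE from a PE image's DllCharacteristics (added example, not Mozilla's code)."""
import struct
from typing import Dict

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics, as defined in winnt.h
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE: image may be relocated by ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT: image is DEP/NX compatible

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# DllCharacteristics sits at the same offset inside the optional header for PE32 and PE32+
DLLCHARACTERISTICS_OFFSET = 70


def dll_characteristics(image: bytes) -> int:
    """Walk DOS header -> PE signature -> COFF header -> optional header and return DllCharacteristics."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional_header,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    if size_of_optional_header < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (flags,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return flags


def mitigation_report(image: bytes) -> Dict[str, bool]:
    """Which of the two header-visible mitigations the image was linked with."""
    flags = dll_characteristics(image)
    return {
        "nxcompat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamicbase": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_sample_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE headers (no sections, not executable) with the given DllCharacteristics."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header immediately follows the DOS header
    opt_size = 112 if pe32plus else 96     # optional header with zero data directories
    machine = 0x8664 if pe32plus else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # usage: python pe_mitigations.py firefox.exe
    with open(sys.argv[1], "rb") as f:
        print(mitigation_report(f.read()))
```

Run it against firefox.exe and the bundled DLLs rather than only the main executable: a single module linked without /DYNAMICBASE gives an exploit a fixed-address foothold even when everything else is randomised, so the useful check is over every image that loads into the browser process.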

  72. TL wrote on

    For all those asking whether FF 3.5.1 fixes the problem and allows one to revert the change to JIT settings, see

    http://www.mozilla.org/security/announce/2009/mfsa2009-41.html

    which asserts that “Users of Firefox 3.5 can avoid this vulnerability by disabling the Just-in-Time compiler as described in the Mozilla Security Blog. That workaround is not necessary in Firefox 3.5.1 and can be reverted.”

  73. Concerned wrote on

    Can we now have a fix to: CVE-2009-2479 ?

    Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability

    Which still exists in version 3.5.1 afaik

  74. Daniel Veditz wrote on

    There is no evidence of a buffer overflow with milw0rm 9158 (CVE-2009-2479). It’s an out-of-memory denial of service which would be nice to fix but doesn’t warrant an emergency response.

  75. Concerned wrote on

    Thanks for responding so quickly. I was just concerned as what I had read about the vulnerability on the site referenced in CVE-2009-2479 said:

    “By sending an overly long string of unicode data to the document.write method, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.”

    on another site:

    “Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions.”

    I’m not familiar enough with firefox to know whether it really cannot be exploited to execute code or not.

  76. Ruth wrote on

    Please help me: I installed 3.5 and I lost access to many sites (e.g. Huffington Post, BBC, and all help sites). I removed it but my Mac still thinks it is there and then I tried to install 3.0.11 but it would not open. It tells me Firefox is already open. What can I do? I have a Mac version 10.5.7. I am no programmer.

  77. Peter wrote on

    I’ve looked all over the web today and yesterday and cannot find a decent explanation for why firefox 3.5.1 is running so slowly on my macbook (OSX 10.5)

    It’s not just loading pages where it’s slow, it appears to hang for short periods (2-8 seconds) after clicking in the menu bar or any other sort of “non-surfing” command. It’s a fresh install of 3.5.1 with no add-ons.

    I am not finding the same sort of problem with safari or any other programs I’m running and there is no obvious increase in CPU activity.

    I am getting an “unresponsive script” window when loading my home page on facebook with the details:

    “Script: file:///Applications/Firefox.app/Contents/MacOS/components/nsProxyAutoConfig.js:133”

    I don’t know if this is part of the problem. Any help would be appreciated. I don’t want to go back to using Safari but at the moment Firefox is too slow to be usable.

  78. Russell Frank wrote on

    It’s been 9 days since this exploit was revealed. Is there a fix yet?

  79. Daniel Veditz wrote on

    This was fixed in Firefox 3.5.1 which was released Thursday July 16.

    http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/

  80. Brandon Sterne wrote on

    @Russell

    Yes, the fix was included in Firefox 3.5.1 which was released Thursday, July 16. You should have received an update notification if you are running Firefox 3.5.