Critical JavaScript vulnerability in Firefox 3.5

Brandon Sterne


Issue

A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Impact

The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT setting to true by:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode.  Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.
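For anyone who has to confirm the workaround across many profiles rather than one about:config dialog, here is an added Python example (not Mozilla's code) that reads a profile's prefs.js or user.js, reports whether javascript.options.jit.content is off, and, given the Firefox version string, says whether the workaround is still needed or can be reverted. The sample prefs.js text is constructed; the version rule encodes only what the post states (3.5 affected, fixed in 3.5.1), and treating other release lines as outside this advisory's scope is an assumption.

```python
import re

JIT_PREF = "javascript.options.jit.content"
FIXED_VERSION = (3, 5, 1)       # the fix shipped in Firefox 3.5.1
AFFECTED_LINE = (3, 5)          # this advisory covers the 3.5 line

# One user_pref line from prefs.js / user.js, e.g.
#   user_pref("javascript.options.jit.content", false);
_PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a prefs.js in which the workaround has been applied.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", false);
user_pref("network.cookie.cookieBehavior", 0);
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref line; decodes bools, ints and quoted strings."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if not m:
            continue                      # comments and anything else are skipped
        name, raw = m.groups()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def jit_enabled(prefs):
    # The pref defaults to true, which is why the workaround flips it to false.
    return bool(prefs.get(JIT_PREF, True))


def parse_version(version):
    """'3.5.1' -> (3, 5, 1); tuples compare the way release numbers do."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def workaround_status(version, prefs):
    """Classify a profile against this advisory given the Firefox version it runs under."""
    v = parse_version(version)
    jit = jit_enabled(prefs)
    if v[:2] != AFFECTED_LINE:
        return "outside-advisory-scope"   # assumption: other branches are not covered here
    if v >= FIXED_VERSION:
        return "fixed" if jit else "fixed-revert-workaround"
    return "vulnerable" if jit else "workaround-active"


def user_js_line(enable_jit):
    """The user.js line that applies (False) or reverts (True) the workaround."""
    return 'user_pref("%s", %s);' % (JIT_PREF, "true" if enable_jit else "false")


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    for ver in ("3.5", "3.5.1", "3.0.11"):
        print(ver, workaround_status(ver, prefs))
    print(user_js_line(False))
```

Reading prefs.js gives the state actually written by the browser; a missing line means the default (JIT on), so an absent pref on 3.5 counts as vulnerable rather than unknown.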

Status

Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.

Credit

Zbyte reported this issue to Mozilla and Lucas Kruijswijk helped reduce the exploit test case.

Update: This vulnerability has been fixed in Firefox 3.5.1, released Thursday, July 16, 2009.

80 responses

  1. mercohaulic wrote on :

    An update has been rolled out guys.
    I'm pretty sure it fixes the problem highlighted here.

  2. Cat wrote on :

    I just got a firefox update – 3.5.1. When I re-started my browser it opened to this page: http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/

    I clicked on the “Several Security Issues” link in the list of fixes to see if this JIT problem above had been fixed, however that link takes you to a 404: File not found error page. ( http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1 )

    Can someone from Mozilla please advise readers here if we can re-enable JIT safely after getting this 3.5.1 update? Thank-you.

  3. Allan wrote on :

    I have Firefox 3.0.11.
    Does the bug affect this version?
    Thank you

  4. AGH wrote on :

    Last time I jump onto a new major FF version so soon. This is all the marketers’ fault, “THE FASTEST FIREFOX YET”, 10 TIMES FASTER – who the hell cares, or needs JS.

  5. Cat wrote on :

    Re comment 52 – scratch that – the link is working now and it appears to be the fix for this. :)

  6. Daniel Veditz wrote on :

    @mercohaulic: you beat me to it. Yes, we just released the update that fixes this problem. Firefox 3.5 users can “Check for Updates” from the Help menu, and everyone else can get it from http://www.mozilla.com

    @Cat: The Known-vulnerabilities page should be visible now.

    @Allan: Please read the comments, the very first one asked that same question (and was answered in comment 8). Firefox 3.0 does not have the JIT feature that was at fault here.

  7. jmdesp wrote on :

    Daniel, can you *also* update the “Known Vulnerabilities in Mozilla Products” page http://www.mozilla.org/security/known-vulnerabilities/ so that it lists Firefox 3.5?

  8. mercohaulic wrote on :

    @Daniel Veditz
    It's all cool =D. The sooner people know the better, especially when it comes to security.

  9. EB wrote on :

    So… Can we put javascript.options.jit.content=true again?
    Thanks

  10. marty wrote on :

    Dumb question, but after the update, can you set JIT back to “true” safely?

  11. Joe Bloggs wrote on :

    Thank you mozilla team for the update!

    This has been a tense few days waiting for the update and clicking “Check for updates” hourly..

    I am also pleased to now be able to turn back on the JIT feature which finally made javascript work at a reasonable speed instead of slowing my PC to a crawl!

    Keep up the great work

  12. Dzul RP W35B Singapore wrote on :

    So, with the new version 3.5.1, are the issues completely fixed? So I can enable all the Java back to normal?

  13. Dzul Owen RP W35B Singapore wrote on :

    The new version is out. 3.5.1. Does that mean that the recent security issue is fixed? So, that means that I can change back all the settings for the Java to normal, like before? Thanks for any reply..

  14. Alan Baxter wrote on :

    @marty:
    Yes. The blog says it’s safe to set it back to true now.

  15. Spritemoney wrote on :

    Firefox 3.5.1 patches this. This is what i love about firefox, if there is a problem with the browser, updates are sent ASAP.

  16. DB wrote on :

    Before updating to 3.5.1, I had a weird experience – On my Mac (OS 10.4.11) I had Safari 4.0 and Firefox 3.5.0 open at the same time. Javascript was turned off in Firefox, ON in Safari. In SAFARI, I saw a porn-related text string in the status bar from a travel-related site that you wouldn’t expect that from. I reloaded the page and it was not there… Firefox had not crashed.
    A) Was JIT vulnerability in Firefox operative with Javascript off?
    B) Could it have run a Javascript in the status bar of Safari?
    C) Would the JIT problem happen if the browser had not 1st crashed?
    D) Or was it just that the travel site – seriously, about campgrounds! – was making money on the side?

    Thanks for any help!

  17. Paco Verde wrote on :

    @glenn: I have a Mac, so I’m immune ;)

  18. Daniel Veditz wrote on :

    @Paco Verde: Macs are not immune. The payload in the milw0rm posting was windows-only, but as I said earlier it’s easy enough to replace the payload with a Mac or Linux one. Or even all three — we’ve seen lots of malicious pages do browser-detection and serve up different exploits for different browsers and platforms.

    @DB: there is no JIT running if you’ve disabled JavaScript. I don’t know what you saw but it wasn’t this. If you want help trying to figure it out please visit the forums or Live Chat at http://support.mozilla.com

  19. Christophe wrote on :

    Chrome and IE7/8 all have Integrity Level (on Vista/7) and NX protection enabled. When will Firefox have this? Shouldn’t the user’s security be a first? Firefox developers, wake up.

  20. Christophe wrote on :

    Also worth mentioning is /GS (-fstack-protector with gcc) and /DYNAMICBASE (-fPIE). How about enable those as well?

  21. Daniel Veditz wrote on :

    Firefox 3 and 3.5 do use /GS, /NXCOMPAT, and /DYNAMICBASE. Low Integrity Level is being worked on.
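For readers who want to verify rather than take the /NXCOMPAT and /DYNAMICBASE claims on trust, here is an added Python example (not Mozilla's code) that reads the DllCharacteristics field of a PE optional header and reports the two flags. It works on a real file via check_file(); the build_synthetic_pe() helper fabricates a minimal header so the check can be exercised offline. /GS is a compile-time stack cookie and is not recorded in this field, so it is deliberately not reported.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: image may be relocated (ASLR)
NX_COMPAT = 0x0100      # /NXCOMPAT: image is DEP/NX compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
OPT_HDR_DLLCHARS_OFFSET = 70   # same offset for PE32 and PE32+


def dll_characteristics(data):
    """Return the 16-bit DllCharacteristics value of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header is 20 bytes; the optional header follows it.
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (flags,) = struct.unpack_from("<H", data, opt + OPT_HDR_DLLCHARS_OFFSET)
    return flags


def check_mitigations(data):
    """Map the two linker mitigations discussed above to booleans."""
    flags = dll_characteristics(data)
    return {
        "DYNAMICBASE": bool(flags & DYNAMIC_BASE),
        "NXCOMPAT": bool(flags & NX_COMPAT),
    }


def check_file(path):
    """Convenience wrapper for a real binary, e.g. a firefox.exe on disk."""
    with open(path, "rb") as f:
        return check_mitigations(f.read())


def build_synthetic_pe(dll_chars, pe32plus=False):
    """Constructed minimal header (no sections) used only to exercise the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       1, 0, 0, 0,                     # sections, timestamp, symtab, nsyms
                       opt_size, 0x0102)               # SizeOfOptionalHeader, Characteristics
    opt = bytearray(opt_size)
    opt[0:2] = struct.pack("<H", PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    opt[OPT_HDR_DLLCHARS_OFFSET:OPT_HDR_DLLCHARS_OFFSET + 2] = struct.pack("<H", dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(check_mitigations(build_synthetic_pe(DYNAMIC_BASE | NX_COMPAT)))
    print(check_mitigations(build_synthetic_pe(0)))
```

Both flags are honoured only on an OS that implements them (Vista and later for ASLR; XP SP2 and later for DEP), so a set bit says the build opted in, not that the mitigation is active on a given machine.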

  22. TL wrote on :

    For all those asking whether FF 3.5.1 fixes the problem and allows one to revert the change to JIT settings, see

    http://www.mozilla.org/security/announce/2009/mfsa2009-41.html

    which asserts that “Users of Firefox 3.5 can avoid this vulnerability by disabling the Just-in-Time compiler as described in the Mozilla Security Blog. That workaround is not necessary in Firefox 3.5.1 and can be reverted.”

  23. Concerned wrote on :

    Can we now have a fix to: CVE-2009-2479 ?

    Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability

    Which still exists in version 3.5.1 afaik

  24. Daniel Veditz wrote on :

    There is no evidence of a buffer overflow with milw0rm 9158 (CVE-2009-2479). It’s an out-of-memory denial of service which would be nice to fix but doesn’t warrant an emergency response.

  25. Concerned wrote on :

    Thanks for responding so quickly. I was just concerned as what I had read about the vulnerability on the site referenced in CVE-2009-2479 said:

    “By sending an overly long string of unicode data to the document.write method, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.”

    on another site:

    “Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions.”

    I’m not familiar enough with firefox to know whether it really cannot be exploited to execute code or not.

  26. Ruth wrote on :

    Please help me: I installed 3.5 and I lost access to many sites -ex:Huffington Post, BBC, AND all help sites. I removed it but my Mac still thinks it is there and then I tried to install 3.0.11 but it would not open. It tells me Firefox is already open. What can I do? I have a Mac version 10.5.7. I am no programmer.

  27. Peter wrote on :

    I’ve looked all over the web today and yesterday and cannot find a decent explanation for why firefox 3.5.1 is running so slowly on my macbook (OSX 10.5)

    It’s not just loading pages where it’s slow, it appears to hang for short periods (2-8 seconds) after clicking in the menu bar or any other sort of “non-surfing” command. It’s a fresh install of 3.5.1 with no add-ons.

    I am not finding the same sort of problem with safari or any other programs I’m running and there is no obvious increase in CPU activity.

    I am getting an “unresponsive script” window when loading my home page on facebook with the details:

    “Script: file:///Applications/Firefox.app/Contents/MacOS/components/nsProxyAutoConfig.js:133”

    I don’t know if this is part of the problem. Any help would be appreciated. I don’t want to go back to using Safari but at the moment Firefox is too slow to be usable.

  28. Russell Frank wrote on :

    It’s been 9 days since this exploit was revealed. Is there a fix yet?

  29. Daniel Veditz wrote on :

    This was fixed in Firefox 3.5.1 which was released Thursday July 16.

    http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/

  30. Brandon Sterne wrote on :

    @Russell

    Yes, the fix was included in Firefox 3.5.1, which was released Thursday, July 16. You should have received an update notification if you are running Firefox 3.5.
