Critical JavaScript vulnerability in Firefox 3.5

Brandon Sterne


Issue

A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Impact

The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT setting to true by:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode.  Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.
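For administrators checking many profiles rather than clicking through about:config, the workaround above can be audited from each profile's prefs.js. The following script is an added example, not code from the original post or from Mozilla: it parses user_pref lines, checks whether javascript.options.jit.content is set to false, and recommends applying, keeping or reverting the workaround based on whether the installed version is at least 3.5.1 (the release that carries the fix). The sample prefs.js contents and the advise() helper are constructed for the example.

```python
import re

# Constructed sample prefs.js contents (not from the original post): one profile
# still carrying the JIT workaround, one profile at the default setting.
SAMPLE_PREFS_WORKAROUND = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", false);
user_pref("javascript.options.jit.chrome", true);
"""
SAMPLE_PREFS_DEFAULT = """\
user_pref("browser.startup.homepage", "about:blank");
"""

# Matches a single user_pref("name", value); line as written by Firefox.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
FIRST_AFFECTED = (3, 5)     # the JIT was introduced in Firefox 3.5
FIXED_VERSION = (3, 5, 1)   # the release that fixed this issue (per the advisory)

def parse_prefs(text):
    """Return a dict of pref name -> raw JS value string from prefs.js/user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def jit_disabled(prefs):
    """True if the advisory's workaround (content JIT off) is present in the profile."""
    return prefs.get("javascript.options.jit.content", "true") == "false"

def parse_version(s):
    """Turn '3.5.1' into (3, 5, 1) so versions compare as tuples."""
    return tuple(int(p) for p in s.split("."))

def advise(prefs_text, firefox_version):
    """Recommend an action for one profile: 'apply', 'keep', 'revert' or 'ok'."""
    prefs = parse_prefs(prefs_text)
    version = parse_version(firefox_version)
    vulnerable = FIRST_AFFECTED <= version < FIXED_VERSION
    disabled = jit_disabled(prefs)
    if vulnerable:
        return "keep" if disabled else "apply"   # unpatched: workaround needed
    return "revert" if disabled else "ok"        # patched: restore JIT performance
```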

Status

Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.

Credit

Zbyte reported this issue to Mozilla and Lucas Kruijswijk helped reduce the exploit test case.

Update: This vulnerability has been fixed in Firefox 3.5.1, released Thursday, July 16, 2009

80 responses

  1. Joe Bloggs wrote on :

    Thank you mozilla team for the update!

    This has been a tense few days waiting for the update and clicking “Check for updates” hourly..

    I am also pleased to now be able to turn back on the JIT feature which finally made javascript work at a reasonable speed instead of slowing my PC to a crawl!

    Keep up the great work

  2. Dzul RP W35B Singapore wrote on :

    So, with the new version 3.5.1, are the issues completely fixed?? So I can enable all the Java back to normal??

  3. Dzul Owen RP W35B Singapore wrote on :

    The new version is out. 3.5.1 . Does that mean that the issue of the recent security is fixed?? So, that means that I can change back all the setting for the Java back to normal, like used to?? Thanks for any reply..

  4. Alan Baxter wrote on :

    @marty:
    Yes. The blog says it’s safe to set it back to true now.

  5. Spritemoney wrote on :

    Firefox 3.5.1 patches this. This is what I love about Firefox: if there is a problem with the browser, updates are sent ASAP.

  6. DB wrote on :

    Before updating to 3.5.1, I had a weird experience – On my Mac (OS 10.4.11) I had Safari 4.0 and Firefox 3.5.0 open at the same time. Javascript was turned off in Firefox, ON in Safari. In SAFARI, I saw a porn-related text string in the status bar from a travel-related site that you wouldn’t expect that from. I reloaded the page and it was not there… Firefox had not crashed.
    A) Was JIT vulnerability in Firefox operative with Javascript off?
    B) Could it have run a Javascript in the status bar of Safari?
    C) Would the JIT problem happen if the browser had not 1st crashed?
    D) Or was it just that the travel site – seriously, about campgrounds! – was making money on the side?

    Thanks for any help!

  7. Paco Verde wrote on :

    @glenn: I have a Mac, so I’m immune 😉

  8. Daniel Veditz wrote on :

    @Paco Verde: Macs are not immune. The payload in the milw0rm posting was windows-only, but as I said earlier it’s easy enough to replace the payload with a Mac or Linux one. Or even all three — we’ve seen lots of malicious pages do browser-detection and serve up different exploits for different browsers and platforms.

    @DB: there is no JIT running if you’ve disabled JavaScript. I don’t know what you saw but it wasn’t this. If you want help trying to figure it out please visit the forums or Live Chat at http://support.mozilla.com

  9. Christophe wrote on :

    Chrome and IE7/8 all have Integrity Level (on Vista/7) and NX protection enabled. When will Firefox have this? Shouldn’t the user’s security be a first? Firefox developers, wake up.

  10. Christophe wrote on :

    Also worth mentioning is /GS (-fstack-protector with gcc) and /DYNAMICBASE (-fPIE). How about enable those as well?

  11. Daniel Veditz wrote on :

    Firefox 3 and 3.5 do use /GS, /NXCOMPAT, and /DYNAMICBASE. Low Integrity Level is being worked on.

  12. TL wrote on :

    For all those asking whether FF 3.5.1 fixes the problem and allows one to revert the change to JIT settings, see

    http://www.mozilla.org/security/announce/2009/mfsa2009-41.html

    which asserts that “Users of Firefox 3.5 can avoid this vulnerability by disabling the Just-in-Time compiler as described in the Mozilla Security Blog. That workaround is not necessary in Firefox 3.5.1 and can be reverted.”

  13. Concerned wrote on :

    Can we now have a fix for CVE-2009-2479?

    Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability

    Which still exists in version 3.5.1 afaik

  14. Daniel Veditz wrote on :

    There is no evidence of a buffer overflow with milw0rm 9158 (CVE-2009-2479). It’s an out-of-memory denial of service which would be nice to fix but doesn’t warrant an emergency response.

  15. Concerned wrote on :

    Thanks for responding so quickly. I was just concerned as what I had read about the vulnerability on the site referenced in CVE-2009-2479 said:

    “By sending an overly long string of unicode data to the document.write method, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.”

    on another site:

    “Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions.”

    I’m not familiar enough with firefox to know whether it really cannot be exploited to execute code or not.

  16. Ruth wrote on :

    Please help me: I installed 3.5 and I lost access to many sites, e.g. Huffington Post, BBC, AND all help sites. I removed it but my Mac still thinks it is there, and then I tried to install 3.0.11 but it would not open. It tells me Firefox is already open. What can I do? I have a Mac, version 10.5.7. I am no programmer.

  17. Peter wrote on :

    I’ve looked all over the web today and yesterday and cannot find a decent explanation for why firefox 3.5.1 is running so slowly on my macbook (OSX 10.5)

    It’s not just loading pages where it’s slow, it appears to hang for short periods (2-8 seconds) after clicking in the menu bar or any other sort of “non-surfing” command. It’s a fresh install of 3.5.1 with no add-ons.

    I am not finding the same sort of problem with safari or any other programs I’m running and there is no obvious increase in CPU activity.

    I am getting an “unresponsive script” window when loading my home page on facebook with the details:

    “Script: file:///Applications/Firefox.app/Contents/MacOS/components/nsProxyAutoConfig.js:133”

    I don’t know if this is part of the problem. Any help would be appreciated. I don’t want to go back to using Safari but at the moment Firefox is too slow to be usable.

  18. Russell Frank wrote on :

    It’s been 9 days since this exploit was revealed. Is there a fix yet?

  19. Daniel Veditz wrote on :

    This was fixed in Firefox 3.5.1 which was released Thursday July 16.

    http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/

  20. Brandon Sterne wrote on :

    @Russell

    Yes, the fix was included in Firefox 3.5.1, which was released Thursday, July 16. You should have received an update notification if you are running Firefox 3.5.
