Issue
A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.
Impact
The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:
- Enter about:config in the browser’s location bar.
- Type jit in the Filter box at the top of the config editor.
- Double-click the line containing javascript.options.jit.content setting the value to false.
Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT setting to true by:
- Enter about:config in the browser’s location bar.
- Type jit in the Filter box at the top of the config editor.
- Double-click the line containing javascript.options.jit.content setting the value to true.
Alternatively, users can disable the JIT by running Firefox in Safe Mode. Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.
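To confirm that the about:config change above is in effect for a profile (it does not detect Safe Mode), the following added example, which is not Mozilla's code, reads the profile's prefs.js and optional user.js and reports whether javascript.options.jit.content is set to false. It assumes that a preference absent from both files is at its default of true, and the sample file contents are constructed.

```python
import re

PREF = "javascript.options.jit.content"
# One preference per line, as Firefox writes them: user_pref("name", value);
# Anchoring at line start skips lines commented out with // or #.
_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def read_pref(text, name=PREF):
    """Return the last value set for `name` in a prefs file, or None if unset."""
    value = None
    for line in _BLOCK_COMMENT.sub("", text).splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)  # later lines win over earlier ones
    return value

def jit_mitigated(prefs_js, user_js=""):
    """True only when the effective value is the literal false.

    user.js is applied over prefs.js at startup, so it is checked first.
    Assumption: if neither file sets the pref, the default (true) applies.
    """
    effective = read_pref(user_js)
    if effective is None:
        effective = read_pref(prefs_js)
    return effective == "false"

# Constructed sample: profile where the workaround has been applied.
SAMPLE_MITIGATED = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", false);
'''

# Constructed sample: the setting only appears in a comment, so JIT is still on.
SAMPLE_DEFAULT = '''user_pref("browser.startup.homepage", "about:blank");
// user_pref("javascript.options.jit.content", false);
'''

if __name__ == "__main__":
    for label, text in (("mitigated", SAMPLE_MITIGATED), ("default", SAMPLE_DEFAULT)):
        state = "JIT disabled" if jit_mitigated(text) else "JIT still enabled"
        print(f"{label}: {state}")
```

The same check, run after the security update is installed, shows which profiles still need the setting restored to true.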
Status
Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.
Credit
Zbyte reported this issue to Mozilla and Lucas Kruijswijk helped reduce the exploit test case.
Update: This vulnerability has been fixed in Firefox 3.5.1, released Thursday, July 16, 2009