Mozilla Security Blog
Categories: Firefox Security Vulnerabilities

Critical JavaScript vulnerability in Firefox 3.5

Al Billings

80 responses

Issue

A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Impact

The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content setting the value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure.  Once users have been received the security update containing the fix for this issue, they should restore the JIT setting to true by:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content setting the value to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode.  Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.

Status

Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.

Credit

Zbyte reported this issue to Mozilla and Lucas Kruijswijk helped reduce the exploit test case.

Update: This vulnerability has been fixed in Firefox 3.5.1, released Thursday, July 16, 2009

80 comments on “Critical JavaScript vulnerability in Firefox 3.5”

  1. paefrati wrote on

    Will there be a fix for this any time soon:
    http://ha.ckers.org/weird/CSS-history.cgi

  2. Zirro wrote on

    @Slush NoScript is your friend if you’re prepared to do some extra clicks, and most people aren’t lazy enough to not do that 😉

  3. BKF wrote on

    @Slush: I don’t know what you’re talking about. There are configuration options in NoScript to reduce its’ chattiness and it’s very easy to automatically configure it to whitelist any sites that you use on a regular basis.

    I’ve been running it for years and it’s just about the best Internet-oriented add-on I’ve ever run. Combined with adblock plus it reduces site load time on complex pages almost in half by blocking content and scripts that are loaded from third-party sources which I have no interest in running. I’m absolutely certain that unless one of the handful of sites I regularly used gets infected, that Noscript would do well to protect anyone using it from this.

    No security tool will ever be fire and forget, nor should they be. But Noscript can be made to only nag you under certain circumstances.

  4. Maarten wrote on

    is this a vunerability on Linux, Mac and Windows ?

  5. Maarten wrote on

    any OS or just Windows ?

  6. Britt wrote on

    I tried to correct the issue in my 3.5 and there was no javascript.options.jit even listed?

  7. glenn wrote on

    Finally, a forum where there’s nobody saying “I have a Mac, so I’m immune”. THANK YOU GOD.

  8. nemo wrote on

    https://bugzilla.mozilla.org/show_bug.cgi?id=503286#c34

    If you check out the mozilla bug, you can see that they say that one reason for speed of the exploit was that a known mozilla bug, with appearance of being exploitable, was not hidden while being fixed.

    They even had nice testcases to work from.

  9. Luiz wrote on

    @anon Isn’t it reassuring to know that this bug was unconvered that fast? Wasn’t Microsoft the one company who would release “undisclosed” patches intertwined in its usual security upgrades?

    http://blogs.zdnet.com/microsoft/?p=527

    http://blogs.zdnet.com/security/?p=316

    No wonder Internet Explorer has fewer bugs when compared to its competitors.

  10. Woody wrote on

    @Slush: I’d rather have a click-nagging nanny as an option than a browser that has vulnerabilities that only get fixed on alternating Tuesdays *if* someone bothers to fix it this week. 😛 If you don’t like it, don’t install it. It’s kept lots of crap from infesting my system (and from flashing in my page margins), so I suggest it to others.

  11. hkpk wrote on

    I tried the code, but nothing happened, Firefox 3.5 displays the full code (not only the desired text).
    Does this is affected by the SUN JAVA RTE (if is installed or not)?

  12. Fausty | torrentfreedom wrote on

    Another vote for NoScript. Yes, it’s a bit naggy. Yes, it’s well worth it to keep script-happy websites from loading down simple pages with dozens of poorly-written, insecure, memory-hog scripts.

  13. Spade wrote on

    This really ought to be somewhere prominent on the main Firefox page. If I hadn’t already known that this critical vulnerability existed, I’d not have found this blog post. Not good, Mozilla, not good.

    @ glenn – So you’re more worried about sticking it to Mac users than having an OS that’s significantly more secure? You may want to re-examine your priorities. 😉

    @ BKF – The author of NoScript recently included code intended to disable parts of Adblock Plus. They’ve gotten their wrists slapped for it, but as a result NoScript is not to be trusted. I use the RequestPolicy extension instead to block unwanted third-party content, and it’s a lot easier to manage than NoScript’s zillions of unnecessary options.

  14. Cat wrote on

    I read about this on the US-CERT website ysterday, US-CERT recommends disabling Javascript in the FF browser, which I have done (via tools > options > content >unchecked enable JavaScript). This option is not mentioned in your post here, can you please tell me if disabling JS as I have done is safe, or do I need to do the work-around as you’ve outlined here?

    Thanks.

  15. A wrote on

    Good day,
    If you use sandboxie with firefox 3.5 without using this temporary solution you suggest would the exploit still get thru?

  16. Kevin wrote on

    Is this supposed to do anything? I tried this page but nothing happened. (Obviously, I copied it into a text/html document first, and loaded that).

  17. mercohaulic wrote on

    @ Cat – From what I have experienced, if you perform that step it will affect login to sites requiring login authentication such as Hotmail and others that you use. As such, it might not be feasible to use the option only having to enable it later to login to your preferred websites.

    On the other hand if you do not use the services, I guess your method is the most secure option. However, the method mentioned here is less strict but still secure I reckon.

  18. Daniel Veditz wrote on

    @Cat: disabling JavaScript will prevent this exploit

    @A: the exploit would still crash Firefox but if sandboxie does its job hopefully that will protect your system. It may be possible for an exploit writer in the future to attach a payload that will avoid crashing the browser — if so it could spy on your browsing without any protection from sandboxie at least until you shut down the browser.

    @Kevin: are you using Firefox 3.5 or 3.0? It’s not expected to do anything in Firefox 3.0. It also won’t affect 3.5 if you’ve disabled the JIT, are running in “safe mode” (which disables the JIT), or have JavaScript turned off.

  19. Jim Davis wrote on

    Yeah, why not just release a small patch via update to turn off the JIT setting, instead of requiring folks to ‘hear about it”.

    Bet less than 1/2 know this is even an issue as of Wed night.

  20. Daniel Veditz wrote on

    No amount of notice in the technical press will reach even a fraction of Firefox users, those folks won’t be reached until we ship them a fix. Since we had the _right_ fix in hand (before the milw0rm posting) there’s no point shipping a stop-gap fix.

More comments: 1 2 3 4