Critical JavaScript vulnerability in Firefox 3.5

Issue

A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Impact

The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT setting to true by:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode. Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.
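For administrators who need to apply (and later undo) this mitigation on many machines without clicking through about:config, the same preference can be written into a profile's user.js, which Firefox reads on startup. The script below is an added example, not part of the original post or Mozilla's own tooling; the profile directory path is supplied by the caller, and "unset" means the pref is not in user.js and Firefox 3.5's built-in default (true) applies.

```shell
#!/bin/sh
# Added example (not from the Mozilla post): manage the advisory's mitigation,
# javascript.options.jit.content, in a Firefox profile's user.js from the shell.
# Firefox copies user_pref lines from user.js into prefs.js at every startup,
# so the setting survives restarts until the line is changed again.

PREF='javascript.options.jit.content'

# set_jit_pref <profile_dir> <true|false>
# Rewrites user.js so it contains exactly one line for the pref with the given
# value; any other user_pref lines in the file are left untouched.
set_jit_pref() {
    profile="$1"; value="$2"
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 1 ;;
    esac
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 1; }
    userjs="$profile/user.js"
    tmp="$userjs.tmp"
    # Drop any existing line for this pref (fixed-string match, so the dots in
    # the pref name are not treated as regex wildcards). grep exits 1 when no
    # line survives, which is fine here.
    if [ -f "$userjs" ]; then
        grep -Fv "\"$PREF\"" "$userjs" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'user_pref("%s", %s);\n' "$PREF" "$value" >> "$tmp"
    mv "$tmp" "$userjs"
}

# jit_pref_value <profile_dir>
# Prints the value set in user.js (true/false), or "unset" if the pref is
# absent, in which case Firefox 3.5's default of true is in effect.
jit_pref_value() {
    userjs="$1/user.js"
    [ -f "$userjs" ] || { echo unset; return 0; }
    v=$(sed -n "s/^user_pref(\"$PREF\", *\([a-z]*\));.*/\1/p" "$userjs" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}
```

Run `set_jit_pref ~/.mozilla/firefox/<profile> false` to mitigate and `set_jit_pref ... true` once Firefox 3.5.1 is installed; the browser must be restarted for the change to take effect.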

Status

Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.

Credit

Zbyte reported this issue to Mozilla and Lucas Kruijswijk helped reduce the exploit test case.

Update: This vulnerability has been fixed in Firefox 3.5.1, released Thursday, July 16, 2009.

80 responses

  1. Kevin wrote on :

    Here’s my UA: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1pre) Gecko/20090709 Shiretoko/3.5.1pre

    Is this just a Windows thing? At any rate, I’ll probably upgrade to the latest from trunk tonight if it fixes this.

  2. DJ wrote on :

    Does the security issue with 3.5 affect Mac running 10.5?

  3. Cat wrote on :

    @ Mercohaulic and Daniel Veditz (38 & 39)

    Thanks heaps. I was pretty sure it would be safe, I just wanted to check since it was not mentioned here. (Just in case there was something fundamental about how all this works that was going over my head.)

    Mercohaulic, I have certainly noticed that some functions just don’t work with JS disabled; it makes me appreciate how much JS is used on the net! If the patch looks like it will be a while away I’ll just have a go at implementing this JIT disable thing, otherwise the things I need JS for can happily wait.

  4. Daniel Veditz wrote on :

    @DJ, @Kevin: the underlying bug happens on all platforms. The proof-of-concept exploit posted to milw0rm contained a windows-only payload, but it wouldn’t be too hard for someone to graft on Mac and Linux payloads from the Metasploit project and make it cross-platform.

  5. Neam wrote on :

    Oh well, use internet explorer…

  6. Danny wrote on :

    The race is on. Who will fix their 0 day first?

    http://isc.sans.org/diary.html?storyid=6778

  7. free wrote on :

    Bugs happen in every program... I’m sure Mozilla will fix it really fast,
    and thumbs up on the full disclosure.

  8. Ho wrote on :

    I don’t know the technical stuff but I have disabled the javascript as instructed. Now how do I know if my PC has been compromised or that the exploit got thru? Thanks

  9. hkpk wrote on :

    I have loaded the exploit template, nothing happened. If the JIT is disabled in Firefox, loading the “exploit” is slower. I also disabled the integration of SUN JAVA VM in Firefox, disabled the “next-generation browser integration”, no visible effect, Calc.exe does not start.

    I have XP SP3, KPF, NOD32, Firefox 3.5 + ABP (NoScript is not installed).

    What is “wrong”?

  10. Yuhong Bao wrote on :

    Tom and free: Mozilla do not normally practice full disclosure. They normally practice responsible disclosure by hiding bugs, but this one got missed.

  11. mercohaulic wrote on :

    An update has been rolled out guys.
    I’m pretty sure it fixes the problem highlighted here.

  12. Cat wrote on :

    I just got a Firefox update – 3.5.1. When I re-started my browser it opened to this page: http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/

    I clicked on the “Several Security Issues” link in the list of fixes to see if this JIT problem above had been fixed, however that link takes you to a 404: File not found error page. ( http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1 )

    Can someone from Mozilla please advise readers here if we can re-enable JIT safely after getting this 3.5.1 update? Thank you.

  13. Allan wrote on :

    I have Firefox 3.0.11.
    Does the bug affect this version?
    Thank you

  14. AGH wrote on :

    Last time I jump onto a new major FF version so soon. This is all the marketers’ fault, “THE FASTEST FIREFOX YET”, 10 TIMES FASTER – who the hell cares, or needs JS.

  15. Cat wrote on :

    Re comment 52 – scratch that – the link is working now and it appears to be the fix for this. 🙂

  16. Daniel Veditz wrote on :

    @mercohaulic: you beat me to it. Yes, we just released the update that fixes this problem. Firefox 3.5 users can “Check for Updates” from the Help menu, and everyone else can get it from http://www.mozilla.com

    @Cat: The Known-vulnerabilities page should be visible now.

    @Allan: Please read the comments, the very first one asked that same question (and was answered in comment 8). Firefox 3.0 does not have the JIT feature that was at fault here.

  17. jmdesp wrote on :

    Daniel, can you *also* update the “Known Vulnerabilities in Mozilla Products” page http://www.mozilla.org/security/known-vulnerabilities/ so that it lists Firefox 3.5?

  18. mercohaulic wrote on :

    @Daniel Veditz
    It’s all cool =D. The sooner people know the better, especially when it comes to security.

  19. EB wrote on :

    So… Can we put javascript.options.jit.content=true again?
    Thanks

  20. marty wrote on :

    Dumb question, but after the update, can you set JIT back to “true” safely?
