Critical Firefox 3.5 bug discovered

By on July 15, 2009, 9:27 AM
US-CERT posted a warning yesterday, of a critical vulnerability affecting the recently launched Firefox 3.5. The bug is due to an error in the way JavaScript code is processed. By exploiting this anomaly, an attacker may be able to execute arbitrary code. Furthermore, exploit code is publicly available for this vulnerability.

Mozilla is aware of and has publicly acknowledged the issue on their blog. They say that the bug can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. Mozilla is working to fix the issue and a security update will be sent out when it’s ready.

For the time being, to mitigate the bug simply disable the Just-in-time (JIT) JavaScript engine. To accomplish this: Enter “about:config” in the address bar, type “jit” in the filter bar up top, and double-click the line containing “javascript.options.jit.content”, which should then have a value of “false”.

If that sounds a bit too troublesome, you can simply run Firefox in Safe Mode or even install an add-on like NoScript. Naturally, as soon as the fix is released, you can reverse any remedy.




User Comments: 27

Got something to say? Post a comment
captaincranky captaincranky, TechSpot Addict, said:

No Script to the Rescue.......

The article goes on to state the problem is with a Java Script exploit, so......

Everyone should install the "No Script" add-on. Regardless of which version of FF you're using. FF2 is probably as safe or safer than a newer version with this extension operating. It's like a bloody miracle!

Burty117 Burty117, TechSpot Chancellor, said:

but then you can't run Java script?

captaincranky captaincranky, TechSpot Addict, said:

but then you can't run Java script?

On the upside, neither can the a**holes who are trying to hack your computer.

Besides, you can "white list" any site you want, just by clicking on the "S" icon at the bottom of the screen.

Answer "B": Unless you actually want to be annoyed with "Vibrance" ads you generally don't have to permit Java anyway.

Go to the site and check it out for yourself... http://noscript.net/

Burty117 Burty117, TechSpot Chancellor, said:

oooww! ok sweet! as long as theres a white list I shall go get this now! =)

cheers for the advice.

Guest said:

First of all, Java is not the same as java script . They're not even second cousins once removed...

Secondly; java script  is used by almost every major website in the world today ( I say almost because there might be one or two who don't use it ) for a lot more than serving ads... Think Ajax, visual effects, statistics, dynamic HTML, etc...

To say that "you generally don't have to permit Java[script] anyway" is about the same as saying "you generally don't have to permit images anyway", or "you generally don't have to permit stylesheets anyway"... It's kind of true, but then again, why aren't you using Lynx to browse the web?

Staff
Rick Rick, TechSpot Staff, said:

Everyone should install the "No Script" add-on.

I enjoy the Internet and the media-rich content is has to offer.

Much like I wouldn't cover a leather sofa with a sheet of plastic to protect it, I'm not going to turn off java script . I hope many other people feel the same way.

Relic Relic, TechSpot Chancellor, said:

Some people here don't use No-Script? I can't imagine not using it while on FF its one of the greatest add-ons...it's rather easy to turn on/off depending on the site you're on.

captaincranky captaincranky, TechSpot Addict, said:

I enjoy the Internet and the media-rich content is has to offer.

Much like I wouldn't cover a leather sofa with a sheet of plastic to protect it, I'm not going to turn off java script . I hope many other people feel the same way.

Well, I suppose if you consider every other word you mouse over blowing up a "Vibrance" pop-up, a "media rich" environment, then by all means you're welcome to enjoy it to your hearts content. Myself, I'd rather surf in peace and quiet. "No Script" causes all the BS advertising in a website to be viewed at the discretion of the user.

As I said before, "No Script" allows "white listing", so you you can accept or reject as much content as your security software can handle.

Why are "guest" (anonymous) posts always the most abrasive? And for the record, "Guest", most sites do not require Java script running to display images. And the reason I don't use "Lynx" to browse the web is because I don't need it, I have "No-Script".

snowchick7669 snowchick7669 said:

Wow, another amazingly friendly 'Guest' user

captaincranky captaincranky, TechSpot Addict, said:

Wow, another amazingly friendly 'Guest' user

I'm like an oracle, you say they're abrasive, they predictably become more so. I suppose it easier than thinking of something worthwhile to say. "Hence I shall remain anonymous", how convenient. Most of our guest posers, er I mean posters would probably spend their time in a more worthwhile manner trashing celebrities at OK magazine's site.

snowchick7669 snowchick7669 said:

Hehe

I suspect it's the pleasant Guest user that was showing the same level of immaturity in this post here

captaincranky captaincranky, TechSpot Addict, said:

Reruns of "Profiler"......Or, Have You Seen "Criminal Minds".....?

See, all along I've thought that Techspot has needed a behavioral analysis unit/thread.

My money's on a 13 year old closet case with a big mouth, little ****, and daddy's computer.

Will the mystery guest sign in please? Oh, never mind, please spare us.

Guest said:

Just use a more secure browser, Opera has had less security flaws and it has way more features out of the box than the touted Firefox security do has a larger attack profile. Admittedly the first two Firefox has been secure but since the release of three there's been update after update to the browser. Quality control has gone to the dogs with Mozilla, and it's starting to tarnish them. They now seem to put more premium on 'features' than they do on security.

Firefox has done wonders for the web, but come on start growing up and releasing more secure software please? Even IE is becoming more 'secure'.

captaincranky captaincranky, TechSpot Addict, said:

Just use a more secure browser, Opera has had less security flaws and it has way more features out of the box than the touted Firefox security do has a larger attack profile. Admittedly the first two Firefox has been secure but since the release of three there's been update after update to the browser. Quality control has gone to the dogs with Mozilla, and it's starting to tarnish them. They now seem to put more premium on 'features' than they

I suppose it could be argued that the hackers have upped their game also, so perhaps Mozilla needn't shoulder the blame singularly. Since public participation is encouraged with the FF browser, it also might be that more people are familiar with it's internal workins'.

I always find it rather silly to suggest, (as many,many people often do), that all security flaws should be worked out before the product's release. Many individuals are working in different directions on such a large project, and preconceiving all the different possible future exploits that another group out people might eventually uncover, seems, (to me at least), a comprehensively unrealistic expectation.

We're on the same page however with which version of FF is the best browsing experience, as I still use, (and trust), V2.xxxx.

As to your assertion that Opera is the best, let me say this, I have and use Opera, it's a decent product, but (to me at least), has its own sets of quirks. For example, with an extended download, (IE, a Linux distro), after a certain point, the browser crashes to unresponsiveness, taking out most of the graphics in my internet machine. So we're clear, the download does continue to a successful conclusion, but it's even difficult to access "Spider Solitare" in the meantime.

As I stated above, any version of FF can be improved with the addition of "No Script". You can confront yourself with as much crap advertising as you can handle, test your security software's fortitude, and experience all of the media richness you desire, simply by white listing whatever content pleases you.

Call me miss informed, or crazy, your choice, but I don't seem to need extended attention in the malware removal forum, and I attribute this in part to the script blocking add-on.

Guest said:

I am interested in what the symptoms are of this bug. I battled one all day yesterday after finally being able to get rid of it. It would not allow me to get to any virus software to download it and if it did it would let me run it. My virus protection did not catch it and the whole time I kept getting java script errors.

Staff
Rick Rick, TechSpot Staff, said:

3.5.1 has fixed the issue. Carry on.

Guest said:

Hi, it's me again.

First of all, if my post came across as abrasive, that's unfortunate, and not really intended.

Snowchick7669: No, I am not that user from whatever thread. And let me know where you find something immature in my previous post. Critical and abbrasive != immature.

CaptainCranky: I never said anything about sites using java script  to show images. I was simply equating your blanket statement with another, equally silly statement. Also, no, I will not sign in. I really don't need another account on some tech board.

I stand by my earlier statement: java script  is used by most, if not all, major websites in the world today, and by blocking it, you lose out on scores of design and functionality improvements. Turning off java script  will effectively cripple your browser.

captaincranky captaincranky, TechSpot Addict, said:

To "No Script", or to Not "No Script"..That is the Question

Hi, it's me again.First of all, if my post came across as abrasive, that's unfortunate, and not really intended.

Trust me, I know this feeling, and from personal experience.

Snowchick7669: No, I am not that user from whatever thread. And let me know where you find something immature in my previous post. Critical and abbrasive != immature.
Good point. Given the imprecise nature of our judicial system, one can only wonder at how many have faced the gallows in the same way, mistaken identity.
CaptainCranky: I never said anything about sites using java script  to show images. I was simply equating your blanket statement with another, equally silly statement. Also, no, I will not sign in. I really don't need another account on some tech board.
Even though I'm using an alias, whatever I say is attributable to me. So, it does beg the question, why would one want or need a second degree of abstraction.

But as to the topic. Certain sites do require Java running to gain access to their image library, and/or to view them, at least at full resolution. So, I think you've misinterpreted what I said. Or, in a spirit of co-operation, I was unable to state my point effectively.

I stand by my earlier statement: java script  is used by most, if not all, major websites in the world today, and by blocking it, you lose out on scores of design and functionality improvements. Turning off java script  will effectively cripple your browser.
OK, as my understanding of the inner working of the modern browser, much less Java are quite limited, I can only give you my impressions.

First, "No Script" blocks pop-up ads, such as vibrance, and most flash from the jump. Why this is seen as a bad thing, I have no idea.

Second, my understanding is that script is still running within the browser itself, and the add-on is merely preventing sites from running it in the browser. And more specifically, preventing third party sites from inflicting script on you.

As I stated earlier, you can "white list" any site you desire, allow any, (or all), "interested parties", at your discretion or for that matter peril.

One particular "interested party" is "Google Analyltics", and I think that the first part of the second word speaks volumes about that. So, basically wherever you go, and whenever you go there, Google is running script that basically, puts their inquisitive nose up your unsuspecting a**! Hey, but it's your call, white list it, they deserve to know, just ask them.

I ignored this extension for many months, and was very skeptical about its usefulness. Now, quite simply, I "don't leave home without it"!

Guest said:

But as to the topic. Certain sites do require Java running to gain access to their image library, and/or to view them, at least at full resolution. So, I think you've misinterpreted what I said. Or, in a spirit of co-operation, I was unable to state my point effectively.

In the spirit of co-operation, I was not aware that NoScript also blocks Java and Flash apps in addition to java script . I was under the impression you were only talking about java script .

First, "No Script" blocks pop-up ads, such as vibrance, and most flash from the jump. Why this is seen as a bad thing, I have no idea.

Blocking popup ads is not seen as a bad thing, but it's a bit overkill to block all java script  for the sake of these. On a side note, Vibrance/Kontera ads can be disabled by clicking the question mark in the pop-over, and clicking the link at the bottom of the page.

One particular "interested party" is "Google Analyltics", and I think that the first part of the second word speaks volumes about that. So, basically wherever you go, and whenever you go there, Google is running script that basically, puts their inquisitive nose up your unsuspecting a**! Hey, but it's your call, white list it, they deserve to know, just ask them.

I'm not arguing that java script  can't be used for other things than what I previously mentioned. But to me the benefits of java script  by far outweigh the possible disadvantages. Serious problems, such as the Firefox bug in question, ar far and few between. Generally, java script  is safe to use.

I ignored this extension for many months, and was very skeptical about its usefulness. Now, quite simply, I "don't leave home without it"!

Personally, I have never felt the need for such an app, and malware is a non-occurring phenomenon on my computers.

captaincranky captaincranky, TechSpot Addict, said:

Dear Guest, I posted this link earlier but it might be worth it for you to at least visit the home page of the add-on. http://noscript.net/ The best, (or worst (viewpoint dependent, obviously)), thing that could happen is that you may find you were right all along. In any event, at least you'll have a clear view of what the author of the software is trying to accomplish.

BTW, at the moment these scripts could be running on my machine. Perhaps it's that I'm a curmudgeon, but I don't feel even the slightest inclination to allow these "organizations". to invade my space...!

Google analytics; plus; "com.com", "contera.com" , "quantserve.com" , "googleapis.com" , and last but by no means least; "doubleclick.net" . Which as we all know is an obnoxious tracking cookie.

Oops, almost forgot, Techspot too, but you know that's white listed.

The only perhaps objectionable side effect, is that you must hand type the emoticons, since they are powered by "googleapis". Still, with the google thing running, it also renders it impossible the re-edit the title field. So, it's absolutely not all downside there either.

Guest said:

I'm a different guest, and I'll confess to ignorance regarding the details of the browser's working. That said, I did try to use an extension like noscript in the past (though I believe it was a different one) and I eventually ended up removing the script suppression. I have found that Flashblock and AdBlock do a pretty good job of removing ads without causing the problems I was seeing when I suppressed all scripts.

In my case the problem was that useful web pages frequently did not display some of their intended content because they used scripts, but I could not reliably tell when I was missing content that I wanted.

Perhaps you are smarter or more observant than I am. I was not able to reliably determine when the script blocking removed too much of the web page's content. IOW, I could not reliably tell when I needed to put pages on the 'white list'. I ended up missing too much useful information.

I understand that there are risks to running scripts, but there are risks to not running them. On the whole I think that careful selection of web sites that I choose to visit and the files I choose to download are at least as important as the security programs I choose to run on my PC.

I don't recall ever seeing any malware on my PC, and about the only warnings from my AV program came when I deliberately tested it with the EICAR.com testing program so I guess that my approach has worked thus far.

Bill Osler

SNGX1275 SNGX1275, TS Forces Special, said:

the dude that said Opera is dead on. Call it what you want, but what it boils down to is Opera isn't having exploits near as often. And ON TOP OF THAT it is a fantastic browser, if you FF users would get off your damn high horse you'd see that. The ONLY way FF beats Opera is in expanded functionality, and if you are that involved in your browser then... well ok.

captaincranky captaincranky, TechSpot Addict, said:

This extension is aimed at preventing cross site scripting as much as the site visited. This is maybe the most relevant part of it.

"No Script" will, (and has for me in the past), create problems with other add-ons. I found that "Flash Block", created a conflict that prevented "shop local", ( in Best Buy's Sunday ad) from loading. Well, since "No Script" blocks Flash anyway, that came out.

.

I suppose I could propose that it's easier to manage one extension rather than more, so I will.

You could be correct that content could be blocked that you wanted. The flip side of which I suppose is the old adage that, "if you've never had it, you won't miss".

Truly content rich sites like "nbc.com", do require quite a few approvals.

Anyway, I'm here @TS with only the primary site approved, in peaceful bliss, having a nice chat. As you admit. and I'll cop to as well, I don't understand the browser's inner workins' either. But, I feel more secure with No Scrip in place. So, with No Script running, FF's delete private data and cookies on exit, and a quick run with CCleaner after exiting the browser, I feel pretty good about a successful "getaway".

captaincranky captaincranky, TechSpot Addict, said:

the dude that said Opera is dead on. Call it what you want, but what it boils down to is Opera isn't having exploits near as often. And ON TOP OF THAT it is a fantastic browser, if you FF users would get off your damn high horse you'd see that. The ONLY way FF beats Opera is in expanded functionality, and if you are that involved in your browser then... well ok.

Opera works dandy, I use it all the time!

It leaves more sludge on exit that FF. This is, I suppose that I don't have it configured correctly.

It crashes on protracted downloads, but then I'm using an Emachine. By "crash" in this case, I mean that the browser becomes nonfunctional. But yes, the download does come to a successful conclusion. This is with version 9.25, I haven't tried this with 9.64.

I still am put out by "Vibrance" rollovers, abundantly so! "No Script" kills these, every time. If there was an extension that did so in Opera, I would probably use the browser more than I do.

strategic strategic, TechSpot Paladin, said:

Dear Guest, I posted this link earlier but it might be worth it for you to at least visit the home page of the add-on. http://noscript.net/ The best, (or worst (viewpoint dependent, obviously)), thing that could happen is that you may find you were right all along. In any event, at least you'll have a clear view of what the author of the software

is trying to accomplish.

Another fine thread. On a personal note, 'guest' users should have identifiable information to the website (not the users) to be able to distinguish between one or the other.

Anyway, what would the difference be between the above mentioned 'no script' and the windows 'hosts' file (which I believe is editable and possibly similar) Maybe?

I am by the way, a proud user of Firefox...

captaincranky captaincranky, TechSpot Addict, said:

I'm not exactly certain of the absolute difference in specific function between No Script and the Windows hosts file. I'm also not sure of the difference between the function of "Combo Fix" and the Hosts file either. Just thought I'd throw that in there. SpyBot SD16 also places a massive amount of entries into the hosts file. I may be showing my ignorance here, but I thought the hosts file was to prevent hostile redirects.

No Script stops pretty much ALL cross site scripting. I don't know if you use this extension but, if you don't, why not install it for a bit of a trial. It creates a button to approve or deny, all scripts running on a page. If you have trouble a a specific site you can approve all scripts on a page. I still turn then on one at a time until I get all of what I want, and none of what I don't.

Why not give it a shot, if you don't already use it? A picture is worth a thousand words, at least so they say. If you don't like it, take it back out! It won't do any damage, and it's easy to get rid of.

If the extension only got rid of those stinking Vibrance roll-overs that turn a page into a veritable mine field, wouldn't that be enough?

strategic strategic, TechSpot Paladin, said:

No Script stops pretty much ALL cross site scripting. I don't know if you use this extension but, if you don't, why not install it for a bit of a trial.

Actually, since you were the one to recommend it, I already have instaled it on my desktop PC lastnight, and have now just installed it on my notebook.

So far, I like it, it may have slowed it down a bit,

but it's much nicer surfing now. Thanks!

I haven't played with it yet,I'm in the learning stage, but the HOSTS file can be manipulated to block malicious sites or ad servers. You list the name of the Web site you want to block. With it is listed the IP number 127.0.0.1. That is the number of your computer. Doing this has the effect of short-circuiting the request. The request just dies.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.