Most Popular
| Top Stories | Commented | Featured |
ATI Radeon HD 5570 Review featured
AMD's six-core Thuban to have feature like Turbo Boost?
Google to launch Twitter-like service for Gmail
Intel Core i5-based MacBook Pros coming soon?
Intel unveils Itanium 9300 series enterprise processors
Netflix to roll out 1080p streaming later this year
TechSpot RSSSoftware
Critical Firefox 3.5 bug discovered
US-CERT posted a warning yesterday, of a critical vulnerability affecting the recently launched Firefox 3.5. The bug is due to an error in the way JavaScript code is processed. By exploiting this anomaly, an attacker may be able to execute arbitrary code. Furthermore, exploit code is publicly available for this vulnerability.
Mozilla is aware of and has publicly acknowledged the issue on their blog. They say that the bug can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. Mozilla is working to fix the issue and a security update will be sent out when it’s ready.
For the time being, to mitigate the bug simply disable the Just-in-time (JIT) JavaScript engine. To accomplish this: Enter “about:config” in the address bar, type “jit” in the filter bar up top, and double-click the line containing “javascript.options.jit.content”, which should then have a value of “false”.
If that sounds a bit too troublesome, you can simply run Firefox in Safe Mode or even install an add-on like NoScript. Naturally, as soon as the fix is released, you can reverse any remedy.
Mozilla is aware of and has publicly acknowledged the issue on their blog. They say that the bug can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. Mozilla is working to fix the issue and a security update will be sent out when it’s ready.
For the time being, to mitigate the bug simply disable the Just-in-time (JIT) JavaScript engine. To accomplish this: Enter “about:config” in the address bar, type “jit” in the filter bar up top, and double-click the line containing “javascript.options.jit.content”, which should then have a value of “false”.
If that sounds a bit too troublesome, you can simply run Firefox in Safe Mode or even install an add-on like NoScript. Naturally, as soon as the fix is released, you can reverse any remedy.
Related Stories
User Comments (27)
Post a comment| captaincranky on July 15, 2009 9:50 AM | The article goes on to state the problem is with a Java
Script exploit, so...... Everyone should install the "No Script" add-on. Regardless of which version of FF you're using. FF2 is probably as safe or safer than a newer version with this extension operating. It's like a bloody miracle! |
| burty117 on July 15, 2009 10:07 AM | but then you can't run Java script? |
| captaincranky on July 15, 2009 10:13 AM | but then you can't run Java
script? On the upside, neither can the a**holes who
are trying to hack your computer. Besides, you can "white list" any site you want, just by clicking on the "S" icon at the bottom of the screen. Answer "B": Unless you actually want to be annoyed with "Vibrance" ads you generally don't have to permit Java anyway. Go to the site and check it out for yourself... http://noscript.net/ |
| burty117 on July 15, 2009 10:15 AM | oooww! ok sweet! as long as theres a white list I shall go
get this now! =) cheers for the advice. |
| Guest on July 15, 2009 2:41 PM | First of all, Java is not the same as java script . They're
not even second cousins once removed... Secondly; java script is used by almost every major website in the world today ( I say almost because there might be one or two who don't use it ) for a lot more than serving ads... Think Ajax, visual effects, statistics, dynamic HTML, etc... To say that "you generally don't have to permit Java[script] anyway" is about the same as saying "you generally don't have to permit images anyway", or "you generally don't have to permit stylesheets anyway"... It's kind of true, but then again, why aren't you using Lynx to browse the web? |
| Rick on July 15, 2009 3:23 PM | Everyone should install the "No
Script" add-on. I enjoy the Internet and the
media-rich content is has to offer.Much like I wouldn't cover a leather sofa with a sheet of plastic to protect it, I'm not going to turn off java script . I hope many other people feel the same way. |
| Relic on July 15, 2009 5:48 PM | Some people here don't use No-Script? I can't imagine not
using it while on FF its one of the greatest add-ons...it's
rather easy to turn on/off depending on the site you're
on. |
| captaincranky on July 15, 2009 6:28 PM | I enjoy the Internet and the media-rich
content is has to offer. Well, I suppose if you consider
every other word you mouse over blowing up a "Vibrance"
pop-up, a "media rich" environment, then by all means you're
welcome to enjoy it to your hearts content. Myself, I'd
rather surf in peace and quiet. "No Script" causes all the
BS advertising in a website to be viewed at the discretion
of the user.Much like I wouldn't cover a leather sofa with a sheet of plastic to protect it, I'm not going to turn off java script . I hope many other people feel the same way. As I said before, "No Script" allows "white listing", so you you can accept or reject as much content as your security software can handle. Why are "guest" (anonymous) posts always the most abrasive? And for the record, "Guest", most sites do not require Java script running to display images. And the reason I don't use "Lynx" to browse the web is because I don't need it, I have "No-Script". |
| snowchick7669 on July 15, 2009 9:23 PM | Wow, another amazingly friendly 'Guest' user |
| captaincranky on July 15, 2009 9:31 PM | Wow, another amazingly friendly
'Guest' user I'm like an oracle, you say they're
abrasive, they predictably become more so. I suppose it
easier than thinking of something worthwhile to say. "Hence
I shall remain anonymous", how convenient. Most of our guest
posers, er I mean posters would probably spend their time in
a more worthwhile manner trashing celebrities at OK
magazine's site.
|
| snowchick7669 on July 15, 2009 9:36 PM | Hehe I suspect it's the pleasant Guest user that was showing the same level of immaturity in this post here |
| captaincranky on July 15, 2009 9:44 PM | See, all along I've thought that Techspot has needed a
behavioral analysis unit/thread. My money's on a 13 year old closet case with a big mouth, little ****, and daddy's computer. Will the mystery guest sign in please? Oh, never mind, please spare us. |
| Guest on July 16, 2009 2:22 AM | Just use a more secure browser, Opera has had less security
flaws and it has way more features out of the box than the
touted Firefox security do has a larger attack profile.
Admittedly the first two Firefox has been secure but since
the release of three there's been update after update to the
browser. Quality control has gone to the dogs with Mozilla,
and it's starting to tarnish them. They now seem to put more
premium on 'features' than they do on
security. Firefox has done wonders for the web, but come on start growing up and releasing more secure software please? Even IE is becoming more 'secure'. |
| captaincranky on July 16, 2009 9:59 AM | Just use a more secure browser, Opera
has had less security flaws and it has way more features out
of the box than the touted Firefox security do has a larger
attack profile. Admittedly the first two Firefox has been
secure but since the release of three there's been update
after update to the browser. Quality control has gone to the
dogs with Mozilla, and it's starting to tarnish them. They
now seem to put more premium on 'features' than
they I suppose it could be argued that the hackers
have upped their game also, so perhaps Mozilla needn't
shoulder the blame singularly. Since public participation is
encouraged with the FF browser, it also might be that more
people are familiar with it's internal workins'.I always find it rather silly to suggest, (as many,many people often do), that all security flaws should be worked out before the product's release. Many individuals are working in different directions on such a large project, and preconceiving all the different possible future exploits that another group out people might eventually uncover, seems, (to me at least), a comprehensively unrealistic expectation. We're on the same page however with which version of FF is the best browsing experience, as I still use, (and trust), V2.xxxx. As to your assertion that Opera is the best, let me say this, I have and use Opera, it's a decent product, but (to me at least), has its own sets of quirks. For example, with an extended download, (IE, a Linux distro), after a certain point, the browser crashes to unresponsiveness, taking out most of the graphics in my internet machine. So we're clear, the download does continue to a successful conclusion, but it's even difficult to access "Spider Solitare" in the meantime. As I stated above, any version of FF can be improved with the addition of "No Script". You can confront yourself with as much crap advertising as you can handle, test your security software's fortitude, and experience all of the media richness you desire, simply by white listing whatever content pleases you. Call me miss informed, or crazy, your choice, but I don't seem to need extended attention in the malware removal forum, and I attribute this in part to the script blocking add-on. |
| Guest on July 16, 2009 12:15 PM | I am interested in what the symptoms are of this bug. I battled one all day yesterday after finally being able to get rid of it. It would not allow me to get to any virus software to download it and if it did it would let me run it. My virus protection did not catch it and the whole time I kept getting java script errors. |
| Rick on July 17, 2009 3:24 AM | 3.5.1 has fixed the issue. Carry on. |
| Guest on July 22, 2009 6:44 AM | Hi, it's me again. First of all, if my post came across as abrasive, that's unfortunate, and not really intended. Snowchick7669: No, I am not that user from whatever thread. And let me know where you find something immature in my previous post. Critical and abbrasive != immature. CaptainCranky: I never said anything about sites using java script to show images. I was simply equating your blanket statement with another, equally silly statement. Also, no, I will not sign in. I really don't need another account on some tech board. I stand by my earlier statement: java script is used by most, if not all, major websites in the world today, and by blocking it, you lose out on scores of design and functionality improvements. Turning off java script will effectively cripple your browser. |
| captaincranky on July 22, 2009 10:58 AM | Hi, it's me again.First of all, if my
post came across as abrasive, that's unfortunate, and not
really intended. Trust me, I know this feeling, and
from personal experience.Snowchick7669:
No, I am not that user from whatever thread. And let me know
where you find something immature in my previous post.
Critical and abbrasive != immature. Good point.
Given the imprecise nature of our judicial system, one can
only wonder at how many have faced the gallows in the same
way, mistaken identity. CaptainCranky: I
never said anything about sites using java script to show
images. I was simply equating your blanket statement with
another, equally silly statement. Also, no, I will not sign
in. I really don't need another account on some tech
board. Even though I'm using an alias, whatever I say
is attributable to me. So, it does beg the question, why
would one want or need a second degree of
abstraction.But as to the topic. Certain sites do require Java running to gain access to their image library, and/or to view them, at least at full resolution. So, I think you've misinterpreted what I said. Or, in a spirit of co-operation, I was unable to state my point effectively. I stand by my earlier
statement: java script is used by most, if not all, major
websites in the world today, and by blocking it, you lose
out on scores of design and functionality improvements.
Turning off java script will effectively cripple your
browser. OK, as my understanding of the inner
working of the modern browser, much less Java are quite
limited, I can only give you my impressions.First, "No Script" blocks pop-up ads, such as vibrance, and most flash from the jump. Why this is seen as a bad thing, I have no idea. Second, my understanding is that script is still running within the browser itself, and the add-on is merely preventing sites from running it in the browser. And more specifically, preventing third party sites from inflicting script on you. As I stated earlier, you can "white list" any site you desire, allow any, (or all), "interested parties", at your discretion or for that matter peril. One particular "interested party" is "Google Analyltics", and I think that the first part of the second word speaks volumes about that. So, basically wherever you go, and whenever you go there, Google is running script that basically, puts their inquisitive nose up your unsuspecting a**! Hey, but it's your call, white list it, they deserve to know, just ask them. I ignored this extension for many months, and was very skeptical about its usefulness. Now, quite simply, I "don't leave home without it"! |
| Guest on July 22, 2009 3:09 PM | But as to the topic. Certain sites do require Java running to gain access to their image library, and/or to view them, at least at full resolution. So, I think you've misinterpreted what I said. Or, in a spirit of co-operation, I was unable to state my point effectively. Firs t, "No Script" blocks pop-up ads, such as vibrance, and most flash from the jump. Why this is seen as a bad thing, I have no idea. One particular "interested party" is "Google Analyltics", and I think that the first part of the second word speaks volumes about that. So, basically wherever you go, and whenever you go there, Google is running script that basically, puts their inquisitive nose up your unsuspecting a**! Hey, but it's your call, white list it, they deserve to know, just ask them. I ignored this extension for many months, and was very skeptical about its usefulness. Now, quite simply, I "don't leave home without it"! |
| captaincranky on July 22, 2009 5:47 PM | Dear Guest, I posted this link earlier but it might be worth
it for you to at least visit the home page of the add-on.
http://noscript.net/ The best, (or worst
(viewpoint dependent, obviously)), thing that could happen
is that you may find you were right all along. In any event,
at least you'll have a clear view of what the author of the
software is trying to accomplish. BTW, at the moment these scripts could be running on my machine. Perhaps it's that I'm a curmudgeon, but I don't feel even the slightest inclination to allow these "organizations". to invade my space...! Google analytics; plus; "com.com", "contera.com" , "quantserve.com" , "googleapis.com" , and last but by no means least; "doubleclick.net" . Which as we all know is an obnoxious tracking cookie. Oops, almost forgot, Techspot too, but you know that's white listed. The only perhaps objectionable side effect, is that you must hand type the emoticons, since they are powered by "googleapis". Still, with the google thing running, it also renders it impossible the re-edit the title field. So, it's absolutely not all downside there either. |
| Guest on July 26, 2009 7:56 PM | I'm a different guest, and I'll confess to ignorance
regarding the details of the browser's working. That said,
I did try to use an extension like noscript in the past
(though I believe it was a different one) and I eventually
ended up removing the script suppression. I have found that
Flashblock and AdBlock do a pretty good job of removing ads
without causing the problems I was seeing when I suppressed
all scripts. In my case the problem was that useful web pages frequently did not display some of their intended content because they used scripts, but I could not reliably tell when I was missing content that I wanted. Perhaps you are smarter or more observant than I am. I was not able to reliably determine when the script blocking removed too much of the web page's content. IOW, I could not reliably tell when I needed to put pages on the 'white list'. I ended up missing too much useful information. I understand that there are risks to running scripts, but there are risks to not running them. On the whole I think that careful selection of web sites that I choose to visit and the files I choose to download are at least as important as the security programs I choose to run on my PC. I don't recall ever seeing any malware on my PC, and about the only warnings from my AV program came when I deliberately tested it with the EICAR.com testing program so I guess that my approach has worked thus far. Bill Osler |
| SNGX1275 on July 26, 2009 8:38 PM | the dude that said Opera is dead on. Call it what you want, but what it boils down to is Opera isn't having exploits near as often. And ON TOP OF THAT it is a fantastic browser, if you FF users would get off your damn high horse you'd see that. The ONLY way FF beats Opera is in expanded functionality, and if you are that involved in your browser then... well ok. |
| captaincranky on July 26, 2009 8:41 PM | This extension is aimed at preventing cross site scripting
as much as the site visited. This is maybe the most relevant
part of it. "No Script" will, (and has for me in the past), create problems with other add-ons. I found that "Flash Block", created a conflict that prevented "shop local", ( in Best Buy's Sunday ad) from loading. Well, since "No Script" blocks Flash anyway, that came out. . I suppose I could propose that it's easier to manage one extension rather than more, so I will. You could be correct that content could be blocked that you wanted. The flip side of which I suppose is the old adage that, "if you've never had it, you won't miss". Truly content rich sites like "nbc.com", do require quite a few approvals. Anyway, I'm here @TS with only the primary site approved, in peaceful bliss, having a nice chat. As you admit. and I'll cop to as well, I don't understand the browser's inner workins' either. But, I feel more secure with No Scrip in place. So, with No Script running, FF's delete private data and cookies on exit, and a quick run with CCleaner after exiting the browser, I feel pretty good about a successful "getaway". |
| captaincranky on July 26, 2009 8:52 PM | the dude that said Opera is dead on.
Call it what you want, but what it boils down to is Opera
isn't having exploits near as often. And ON TOP OF THAT it
is a fantastic browser, if you FF users would get off your
damn high horse you'd see that. The ONLY way FF beats
Opera is in expanded functionality, and if you are that
involved in your browser then... well ok. Opera
works dandy, I use it all the time! It leaves more sludge on exit that FF. This is, I suppose that I don't have it configured correctly. It crashes on protracted downloads, but then I'm using an Emachine. By "crash" in this case, I mean that the browser becomes nonfunctional. But yes, the download does come to a successful conclusion. This is with version 9.25, I haven't tried this with 9.64. I still am put out by "Vibrance" rollovers, abundantly so! "No Script" kills these, every time. If there was an extension that did so in Opera, I would probably use the browser more than I do. |
| strategic on July 26, 2009 9:43 PM | Dear Guest, I posted this link
earlier but it might be worth it for you to at least visit
the home page of the add-on. http://noscript.net/
The best, (or worst (viewpoint dependent, obviously)), thing
that could happen is that you may find you were right all
along. In any event, at least you'll have a clear view of
what the author of the software Another fine thread. On a personal
note, 'guest' users should have identifiable information to
the website (not the users) to be able to distinguish
between one or the other. is trying to accomplish. Anyway, what would the difference be between the above mentioned 'no script' and the windows 'hosts' file (which I believe is editable and possibly similar) Maybe? I am by the way, a proud user of Firefox... |
