US-CERT posted a warning yesterday, of a critical vulnerability affecting the recently launched Firefox 3.5. The bug is due to an error in the way JavaScript code is processed. By exploiting this anomaly, an attacker may be able to execute arbitrary code. Furthermore, exploit code is publicly available for this vulnerability.

Read the whole story

The article goes on to state the problem is with a Java Script exploit, so......

Everyone should install the "No Script" add-on. Regardless of which version of FF you're using. FF2 is probably as safe or safer than a newer version with this extension operating. It's like a bloody miracle!

but then you can't run Java script?

On the upside, neither can the a**holes who are trying to hack your computer.

Besides, you can "white list" any site you want, just by clicking on the "S" icon at the bottom of the screen.

Answer "B": Unless you actually want to be annoyed with "Vibrance" ads you generally don't have to permit Java anyway.

Go to the site and check it out for yourself... http://noscript.net/

oooww! ok sweet! as long as theres a white list I shall go get this now! =)
cheers for the advice.

First of all, Java is not the same as Javascript. They're not even second cousins once removed...

Secondly; Javascript is used by almost every major website in the world today ( I say almost because there might be one or two who don't use it ) for a lot more than serving ads... Think Ajax, visual effects, statistics, dynamic HTML, etc...

To say that "you generally don't have to permit Java[script] anyway" is about the same as saying "you generally don't have to permit images anyway", or "you generally don't have to permit stylesheets anyway"... It's kind of true, but then again, why aren't you using Lynx to browse the web?

I enjoy the Internet and the media-rich content is has to offer.

Much like I wouldn't cover a leather sofa with a sheet of plastic to protect it, I'm not going to turn off JavaScript. I hope many other people feel the same way.

Some people here don't use No-Script? I can't imagine not using it while on FF its one of the greatest add-ons...it's rather easy to turn on/off depending on the site you're on.

Well, I suppose if you consider every other word you mouse over blowing up a "Vibrance" pop-up, a "media rich" environment, then by all means you're welcome to enjoy it to your hearts content. Myself, I'd rather surf in peace and quiet. "No Script" causes all the BS advertising in a website to be viewed at the discretion of the user.

As I said before, "No Script" allows "white listing", so you you can accept or reject as much content as your security software can handle.

Why are "guest" (anonymous) posts always the most abrasive? And for the record, "Guest", most sites do not require Java script running to display images. And the reason I don't use "Lynx" to browse the web is because I don't need it, I have "No-Script".

Wow, another amazingly friendly 'Guest' user

I'm like an oracle, you say they're abrasive, they predictably become more so. I suppose it easier than thinking of something worthwhile to say. "Hence I shall remain anonymous", how convenient. Most of our guest posers, er I mean posters would probably spend their time in a more worthwhile manner trashing celebrities at OK magazine's site.

Hehe

I suspect it's the pleasant Guest user that was showing the same level of immaturity in this post here

See, all along I've thought that Techspot has needed a behavioral analysis unit/thread.

My money's on a 13 year old closet case with a big mouth, little ****, and daddy's computer.

Will the mystery guest sign in please? Oh, never mind, please spare us.

Just use a more secure browser, Opera has had less security flaws and it has way more features out of the box than the touted Firefox security do has a larger attack profile. Admittedly the first two Firefox has been secure but since the release of three there's been update after update to the browser. Quality control has gone to the dogs with Mozilla, and it's starting to tarnish them. They now seem to put more premium on 'features' than they do on security.

Firefox has done wonders for the web, but come on start growing up and releasing more secure software please? Even IE is becoming more 'secure'.

I suppose it could be argued that the hackers have upped their game also, so perhaps Mozilla needn't shoulder the blame singularly. Since public participation is encouraged with the FF browser, it also might be that more people are familiar with it's internal workins'.

I always find it rather silly to suggest, (as many,many people often do), that all security flaws should be worked out before the product's release. Many individuals are working in different directions on such a large project, and preconceiving all the different possible future exploits that another group out people might eventually uncover, seems, (to me at least), a comprehensively unrealistic expectation.

We're on the same page however with which version of FF is the best browsing experience, as I still use, (and trust), V2.xxxx.

As to your assertion that Opera is the best, let me say this, I have and use Opera, it's a decent product, but (to me at least), has its own sets of quirks. For example, with an extended download, (IE, a Linux distro), after a certain point, the browser crashes to unresponsiveness, taking out most of the graphics in my internet machine. So we're clear, the download does continue to a successful conclusion, but it's even difficult to access "Spider Solitare" in the meantime.

As I stated above, any version of FF can be improved with the addition of "No Script". You can confront yourself with as much crap advertising as you can handle, test your security software's fortitude, and experience all of the media richness you desire, simply by white listing whatever content pleases you.

Call me miss informed, or crazy, your choice, but I don't seem to need extended attention in the malware removal forum, and I attribute this in part to the script blocking add-on.

I am interested in what the symptoms are of this bug. I battled one all day yesterday after finally being able to get rid of it. It would not allow me to get to any virus software to download it and if it did it would let me run it. My virus protection did not catch it and the whole time I kept getting java script errors.

3.5.1 has fixed the issue. Carry on.

Hi, it's me again.

First of all, if my post came across as abrasive, that's unfortunate, and not really intended.

Snowchick7669: No, I am not that user from whatever thread. And let me know where you find something immature in my previous post. Critical and abbrasive != immature.

CaptainCranky: I never said anything about sites using javascript to show images. I was simply equating your blanket statement with another, equally silly statement. Also, no, I will not sign in. I really don't need another account on some tech board.

I stand by my earlier statement: JavaScript is used by most, if not all, major websites in the world today, and by blocking it, you lose out on scores of design and functionality improvements. Turning off javascript will effectively cripple your browser.

Trust me, I know this feeling, and from personal experience. Good point. Given the imprecise nature of our judicial system, one can only wonder at how many have faced the gallows in the same way, mistaken identity. Even though I'm using an alias, whatever I say is attributable to me. So, it does beg the question, why would one want or need a second degree of abstraction.

But as to the topic. Certain sites do require Java running to gain access to their image library, and/or to view them, at least at full resolution. So, I think you've misinterpreted what I said. Or, in a spirit of co-operation, I was unable to state my point effectively.
OK, as my understanding of the inner working of the modern browser, much less Java are quite limited, I can only give you my impressions.

First, "No Script" blocks pop-up ads, such as vibrance, and most flash from the jump. Why this is seen as a bad thing, I have no idea.
Second, my understanding is that script is still running within the browser itself, and the add-on is merely preventing sites from running it in the browser. And more specifically, preventing third party sites from inflicting script on you.

As I stated earlier, you can "white list" any site you desire, allow any, (or all), "interested parties", at your discretion or for that matter peril.

One particular "interested party" is "Google Analyltics", and I think that the first part of the second word speaks volumes about that. So, basically wherever you go, and whenever you go there, Google is running script that basically, puts their inquisitive nose up your unsuspecting a**! Hey, but it's your call, white list it, they deserve to know, just ask them.

I ignored this extension for many months, and was very skeptical about its usefulness. Now, quite simply, I "don't leave home without it"!

In the spirit of co-operation, I was not aware that NoScript also blocks Java and Flash apps in addition to Javascript. I was under the impression you were only talking about Javascript.

Blocking popup ads is not seen as a bad thing, but it's a bit overkill to block all Javascript for the sake of these. On a side note, Vibrance/Kontera ads can be disabled by clicking the question mark in the pop-over, and clicking the link at the bottom of the page.

I'm not arguing that Javascript can't be used for other things than what I previously mentioned. But to me the benefits of Javascript by far outweigh the possible disadvantages. Serious problems, such as the Firefox bug in question, ar far and few between. Generally, Javascript is safe to use.

Personally, I have never felt the need for such an app, and malware is a non-occurring phenomenon on my computers.