How To Protect Yourself from Newly Discovered "Critical" JavaScript Vulnerability in Firefox 3.5
How To Protect Yourself from Newly Discovered "Critical" JavaScript Vulnerability in Firefox 3.5
Posted 07/15/2009 at 10:30am
| by Paul Lilly
8
Comments
Print
According to Mozilla, a bug was discovered last week in Firefox 3.5's Just-in-Time JavaScript compiler and was disclosed publicly on Monday. Mozilla classifies the vulnerability as "critical," saying it can be used to execute malicious code. More specifically, by exploiting the bug, a hacker could trick a victim into viewing a malicious website containing the exploit code.
"This vulnerability is due to an error in the way JavaScript code is processed," the US-CERT acknowledged. "Exploitation of this vulnerability may allow an attacker to execute arbitrary code. Additionally, exploit code is publicly available for this vulnerability."
While Mozilla said it is currently working on a fix, Firefox 3.5 users don't have to be sitting ducks. Mozilla says the vulnerability can be mitigated by disabling the JIT in the JavaScript engine, which you can accomplish by doing the following:
- Enter about:config in the browser's location bar
- Type jit in the Filter box
- Double-click the line containing javascript.options.jit.content and set the value to false
Mozilla warns that this is a temporary fix and will reduce JavaScript performance. Once an official fix has been put in place, you'll want to go back in and change the value back to true.
If you'd rather not mess around with about:config settings, you can still disable JIT by running Firefox in Safe Mode, which is accessible from the Mozilla Firefox folder.
More like this
dc10ten
July 15, 2009 at 3:53pm
thats the beauty of firefox extensions
https://addons.mozilla.org/en-US/firefox/addon/722
I Jedi
July 15, 2009 at 1:13pm
Geez, what's with all the hate towards Firefox lately, guys? I notice no problems when I surf the web with Firefox. This is a temporary issue that they will have resolved. You can't honestly expect them to foresee ever single problem with their browser, can you? And for that matter, anyone else, too.
**UPDATE**
Furthermore, we're lucky they even caught it early to begin with, rather than it being out in the wild and unknown to the masses for even longer.
dethdeks
July 15, 2009 at 1:02pm
LOL @ going to ie. your complaining about 1 tiny bug in firefox's javascript engine and your gonna jump to the most buggiest browser there is? isnt that pretty much going from having an open window to opening all windows and doors in your house? kinda retarded, considering the fix takes a whole 30 seconds to do. acaully less because in the time it took me to type this response i did the fix on all 4 computers in my house. funny how a 2 second fix is going to detour someone to switch browsers which would take like 8 times the lenght to download/install on all your pc's then it would to just do the fix and stop bitching about 1 tiny problem.
DBsantos77
July 15, 2009 at 5:15pm
1 tiny bug? Go troll somewhere else I'll use what I want.. You obviously either 1. haven't been using it long enough to experience problems. Or 2. are oblivious to the articles written IN THIS SITE explaining more issues.
Oh, and I'll run IE8 any day, given that I actually know how use Windows Update to eliminate myself of most if any, bugs.
I Jedi
July 15, 2009 at 1:07pm
I'm sure they have other reasons, rather legitimately sound or not, for wanting to leave Firefox. However, I'm in agreement with you. This exploit can be fixed very simply.
DBsantos77
July 15, 2009 at 11:56am
Wow. Mozilla has just plain **cked up with 3.5 What gives? Temporary fix? No reason the end-user would have to do that, geez talk about Quality Control.
If the next release screws up I'm leaving Firefox all together and using either Opera or IE. Neither of which have huge issues.
Connect with MaximumPC
Featured Content
Where have all the memorable videogame enemies gone?
This month's issue
Feature
How to Set Up A New PC
Feature
The State of GPU Computing
How-To
Benchmark an Android Phone
Build It
Sandy Bridge-E
Most Commented Articles
Latest Max PC Tweets
- maximumpc: We referred to "motherboad" prices in an earlier tweet. Not to be confused with motherboard prices, which are ALSO going up.5 hours 56 min ago
- maximumpc: Oh hooray. Motherboad price hikes inbound. http://t.co/nacDWfjJ8 hours 31 min ago
- maximumpc: AMD's New Direction For 2012: Heterogenous Computing, Trinity, and Hondo http://t.co/2KzhCT1N1 day 49 min ago
