How To Protect Yourself from Newly Discovered "Critical" JavaScript Vulnerability in Firefox 3.5


According to Mozilla, a bug was discovered last week in Firefox 3.5's Just-in-Time (JIT) JavaScript compiler and was disclosed publicly on Monday. Mozilla classifies the vulnerability as "critical," saying it can be used to execute malicious code. More specifically, a hacker could exploit the bug by tricking a victim into viewing a malicious website containing the exploit code.

"This vulnerability is due to an error in the way JavaScript code is processed," the US-CERT acknowledged. "Exploitation of this vulnerability may allow an attacker to execute arbitrary code. Additionally, exploit code is publicly available for this vulnerability."

While Mozilla said it is currently working on a fix, Firefox 3.5 users don't have to be sitting ducks. Mozilla says the vulnerability can be mitigated by disabling the JIT in the JavaScript engine, which you can accomplish by doing the following:

  1. Enter about:config in the browser's location bar
  2. Type jit in the Filter box
  3. Double-click the line containing javascript.options.jit.content and set the value to false

Mozilla warns that this is a temporary fix and will reduce JavaScript performance. Once an official fix has been put in place, you'll want to go back in and change the value back to true.
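The same preference can be set and checked from a script by writing it to the profile's user.js file, which Firefox applies at startup over whatever is stored in prefs.js. The script below is an added example, not code from Mozilla or the original article; the function names and the profile-directory argument are assumptions.

```shell
#!/bin/sh
# Added example: check and set javascript.options.jit.content for one profile.
# Assumptions: $1 is a Firefox profile directory (the one holding prefs.js);
# the function names are made up for this example.
PREF='javascript.options.jit.content'

# Print the last value a prefs file sets for the pref, or nothing if unset.
pref_value() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*user_pref("javascript\.options\.jit\.content",[[:space:]]*\([a-z]*\));.*/\1/p' "$1" | tail -n 1
}

# Effective state: user.js wins over prefs.js. If neither file sets the
# pref, it is treated as enabled (assumed default, since the article says
# to change the value "back to true").
jit_content_state() {
    v=$(pref_value "$1/user.js")
    [ -n "$v" ] || v=$(pref_value "$1/prefs.js")
    case "$v" in
        false) echo disabled ;;
        *)     echo enabled ;;
    esac
}

# Write the pref to user.js, replacing any earlier line for it.
set_jit_content() {
    profile=$1 value=$2
    case "$value" in true|false) ;; *) echo "value must be true or false" >&2; return 2 ;; esac
    tmp="$profile/user.js.tmp.$$"
    if [ -f "$profile/user.js" ]; then
        grep -v '^[[:space:]]*user_pref("javascript\.options\.jit\.content"' "$profile/user.js" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'user_pref("%s", %s);\n' "$PREF" "$value" >> "$tmp"
    mv "$tmp" "$profile/user.js"
}

# Usage: sh jit-mitigation.sh <profile-dir> [status|disable|enable]
if [ "$#" -ge 1 ]; then
    case "${2:-status}" in
        disable) set_jit_content "$1" false ;;
        enable)  set_jit_content "$1" true ;;
    esac
    jit_content_state "$1"
fi
```

Restart Firefox after running it, because user.js is only read at startup. A value left in user.js is reapplied on every launch, so run it with `enable` once the official fix is installed.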

If you'd rather not mess around with about:config settings, you can still disable JIT by running Firefox in Safe Mode, which is accessible from the Mozilla Firefox folder.
