Wedevoy

Bogey · by **Bogey** » Thu Jul 16, 2009 4:43 am

Apparently, Firefox 3.5 has a security thread in the way it handles JavaScript.

Firefox 3.5 has a security vulnerability in the way it handles JavaScript code, potentially allowing an attacker to execute code on a victim's computer, according to code posted on the milw0rm site.

I'm not sure yet whether it was the new version's effort to speed up JavaScript handling is what caused the problem.

Security firm Secunia says the issue is "highly critical" and is also unsure whether older versions of the browser are affected.

Until the issue is fixed, Secunia suggests setting your "javascript.options.jit.content" to "false" in Firefox's about:config.

CERT advises: "To disable the vulnerable components, use the about:config interface to set javascript.options.jit.content and javascript.options.jit.chrome to false. This will still allow JavaScript to run, but it will disable the TraceMonkey performance enhancements."

The security hole was first reported by Simon Berry-Byrne ("SBerry"), with an example of exploit code.

Source: ComputerWorld

Soupy · by **Soupy** » Thu Jul 16, 2009 6:19 am

That's weird, my firefox updated today when I started it, but it says version 3.0.12 and that option (javascript.options.jit.content) isn't in my config options. I thought my FFBeta stayed up to date with the latest updates, but perhaps not. Still, good find!

Bogey · by **Bogey** » Thu Jul 16, 2009 6:27 am

I think that Firefox waits to update even though another version of Firefox has being released. I think it is probably to give some time for Mozilla to make any necessary bug fixes/changes, as I feel that they need to do right now, before they update everybody's browser.

I felt the update lag myself and wondered why they did it... I installed Firefox 3.5 manually by going to their site.

I didn't think they would make such a security threat... I'm sure though, that this was accidental. I don't think that any company on their right, honest mind, would purposefully create a security threat.

Soupy · by **Soupy** » Thu Jul 16, 2009 6:35 am

Well, especially when that company or organization rather, if firefox. They are usually pretty good with security, but stuff happens. I am just glad I am not at risk at the moment, but when I do get to 3.5, I will probably be checking into this to make sure it's fixed.

Bogey · by **Bogey** » Thu Jul 16, 2009 6:40 am

Yeah, it's a good idea to fix the issue... I don't know what's possible with Javascript if it's left running on my PC, but I'm sure its nothing good

[EDIT:] Looks like Mozilla is going to Fix the problem. Hope they hurry up, I want my JavaScript performance back

Bogey · by **Bogey** » Sun Jul 19, 2009 2:31 am

Looks like the problem could be fixed now... Mozilla 3.5.1 was just now released. (Well, I got the pop-up from my browser about 5 minutes ago).

superj707 · by **superj707** » Sun Aug 09, 2009 6:57 pm

Bogey wrote:Looks like the problem could be fixed now... Mozilla 3.5.1 was just now released. (Well, I got the pop-up from my browser about 5 minutes ago).

I just got the 3.5.3 version and it seems to be a great improvement.

Bogey · by **Bogey** » Tue Aug 11, 2009 1:16 am

I didn't knew there was a different version out there... I must visit the site more often :lol:

Thanks for bringing me up to date.

Wedevoy

Information Desk

Login • Register

Firefox 3.5 a security threat!

Re: Firefox 3.5 a security threat!

Re: Firefox 3.5 a security threat!

Re: Firefox 3.5 a security threat!

Re: Firefox 3.5 a security threat!

Re: Firefox 3.5 a security threat!

Re: Firefox 3.5 a security threat!

Re: Firefox 3.5 a security threat!

Who is online