Firefox 3.5 vulnerable to critical Javascript attack

Discussion in 'Mac Apps and Mac App Store' started by jon08, Jul 16, 2009.

  1. jon08 macrumors 68000

    Joined:
    Nov 14, 2008
    #1
    Hmm, what was that all about.. is it a serious threat or what?


    Taken from: http://www.macworld.com/article/141694/2009/07/firefox35_javascript.html


    The following article is reprinted from the Security Alert blog at PCWorld.com.

    Sample exploit code is already available online, so while there aren't yet any reports of active attacks against this new flaw, there soon could be. Such an assault would likely take the form of a poisoned Web page that uses behind-the-scenes attack code to trigger the flaw.

    The Washington Post's Security Fix has posted a workaround to protect against the flaw while Mozilla prepares a patch. The temporary fix disables a new Javascript processing feature in Firefox 3.5, which Security Fix says will slow down Javascript handling but protect against this exploit. See Brian Krebs' post for instructions. Firefox 3.0 users who haven't yet upgraded shouldn't be vulnerable to this flaw, and won’t find the setting that Krebs describes.
     
  2. Michaelgtrusa macrumors 604

    Joined:
    Oct 13, 2008
  3. MacMini2009 macrumors 68000

    Joined:
    May 22, 2009
    Location:
    California
  4. angelwatt Moderator emeritus

    Joined:
    Aug 16, 2005
    Location:
    USA
    #4
    I read about it a day or two ago from MacWorld I think. It's unclear as to whether or not Macs could be exploited using this bug. (Edit: Confirmed Mac is vulnerable to the exploit based on this bug report. A note though that the exploit is currently being exploited in-the-wild. Disabling JIT content (described below) or using an add-on like NoScript will help protect you until this is patched.)

    (http://secunia.com/advisories/35798/)
    Temporary fix:
    1. In a new tab/window type about:config into the location bar and hit enter.
    2. Click the button "I'll be careful, I promise!"
    3. In the Filter text field type in jit
    4. This should leave only two entries below, double-click the one that ends with the word content.
    5. This will change the value to false.
    6. All set. You may notice a slow down in page rendering as this will turn off some of the new rendering techniques introduced with version 3.5.
    Edit: And bam, just like that it's fixed. Be sure to update your Firefox to 3.5.1 and don't worry about the temporary fix above.
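
To confirm that the temporary fix in post #4 actually landed in a profile, the following added example (not part of the thread and not Mozilla's code) parses a profile's prefs.js and user.js and reports the state of `javascript.options.jit.content`. The profile contents are constructed samples, and the version cut-offs are the ones stated in the thread (3.0 lacks the setting, 3.5 is affected, 3.5.1 is fixed).

```python
import re

# The about:config entry from the steps above: the "jit" pref ending in "content".
JIT_PREF = "javascript.options.jit.content"
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Parse user_pref("name", value); lines as found in prefs.js / user.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def jit_content_enabled(prefs_js, user_js=""):
    """user.js overrides prefs.js; a missing entry means the default (enabled)."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(JIT_PREF, True)


def assess(version, prefs_js, user_js=""):
    """Classify one profile. Release versions only, e.g. '3.0.11', '3.5', '3.5.1'."""
    v = tuple(int(p) for p in version.split("."))
    if v < (3, 5):
        return "not affected"   # per the thread: 3.0 lacks the JIT setting
    if v >= (3, 5, 1):
        return "patched"        # per the thread: fixed in 3.5.1
    return "exposed" if jit_content_enabled(prefs_js, user_js) else "mitigated"


# Constructed sample profile contents (not taken from a real machine).
DEFAULT_PROFILE = 'user_pref("browser.startup.homepage", "about:blank");\n'
WORKAROUND_PROFILE = DEFAULT_PROFILE + 'user_pref("javascript.options.jit.content", false);\n'

if __name__ == "__main__":
    for ver, prefs in [("3.5", DEFAULT_PROFILE), ("3.5", WORKAROUND_PROFILE),
                       ("3.5.1", DEFAULT_PROFILE), ("3.0.11", DEFAULT_PROFILE)]:
        print(ver, assess(ver, prefs))
```

Because prefs.js stores only values that differ from the defaults, a 3.5 profile with no JIT entry at all is reported as exposed.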
     
  5. clevin macrumors G3

    Joined:
    Aug 6, 2006
    #5
    3.5.1 is on the ftp server now.

    autoupdate should be on by tomorrow, you can download right now from ftp server if you can't wait.
     
  6. angelwatt Moderator emeritus

    Joined:
    Aug 16, 2005
    Location:
    USA
    #6
    Did my link to 3.5.1 not work for you? The FTP site isn't needed to get this.
     
  7. clevin macrumors G3

    Joined:
    Aug 6, 2006
    #7
    indeed
     
  8. angelwatt Moderator emeritus

    Joined:
    Aug 16, 2005
    Location:
    USA
    #8
    Indeed the link didn't work, or indeed you don't need the ftp site? I've used the link I gave from 2 computers now without issue and Firefox's update check finds it too.
     
  9. clevin macrumors G3

    Joined:
    Aug 6, 2006
    #9
    indeed you are correct and the link you provided works.
     
