Zero-day flaw found in Firefox 3.5

There is a critical JavaScript vulnerability in the Firefox 3.5 Web browser, Mozilla has warned.

The zero-day flaw lies in Firefox 3.5's Just-in-time (JIT) JavaScript compiler. Proof-of-concept code to exploit the vulnerability has been posted online by a security research group, Mozilla said in a post on its security blog on Wednesday. Security company Secunia rated the vulnerability as "highly critical" on Wednesday.

The hole could allow a hacker to launch a "drive-by" attack, according to Mozilla. That means an attacker may be able to execute malicious code on a target machine, if the victim visits a Web site containing an exploit.

No patch is currently available, but Mozilla developers are working on a fix. A workaround suggested in the blog post is to disable the Firefox 3.5 JIT compiler. However, Mozilla warned this would result in decreased JavaScript performance in Firefox.

The JIT compiler is part of TraceMonkey, which was added to Firefox for its 3.5 update released at the end of June. TraceMonkey is meant to optimise the browser, which is faster than previous iterations of Firefox, according to Mozilla.

On Wednesday, the United States Computer Emergency Response Team said users and administrators should completely disable JavaScript functionality in Firefox 3.5.

The Sans Institute also said people could disable JavaScript, and suggested using NoScript, an open-source Firefox plug-in that only allows script to be executed by trusted Web sites.

Tom Espiner of ZDNet UK reported from London.

[monkeyfun14]

Lol

[Random_Walk]

So which platforms would be affected? Each handles such an error in different ways.

[Vegaman_Dan]

@Random_Walk:

Good point- we need to know which OS it is running on so that we can slander and spread rumors more effectively, right? :)

Seriously, it's a flaw with the browser that they are going to address. Give them a break.

[Random_Walk]

Not at all - accuracy is primary when it comes to security flaws. I suspect that only one platform is in any real danger, but it would be nice to know if any others are as well.

[Kwasiowusu]

But..but..the Great Firefox has no security flaws..at least that's what the Microsoft-hating open source crazies on this site keep telling us evey single day.

[Vegaman_Dan]

@RandomWalk:

I use Firefox on both my MacbookPro and my Windows boxes. I would like to know which I can trust to be safe to use Firefox on as well.

[Dalkorian]

Stolen from Secunia's website regarding this vuln:

"The vulnerability is caused due to an error when processing JavaScript code handling e.g. "font" HTML tags and can be exploited to cause a memory corruption.

Successful exploitation allows execution of arbitrary code."

I'd have to assume it's not tied to any OS in any significant way, or else a *LOT* of people are going out of their way to avoid mentioning a specific platform.

[mbenedict]

I can confirm that the OS X version of Firefox 3.5 is also affected.

Tested on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5

The vulnerability can be triggered on any OS, however specific exploits might only target particular platforms.

[c|net Reader]

@Kwasiowusu

I doubt anyone has ever been so brazen or stupid as to declare FF to have no security flaws. It has fewer inherent flaws than IE because, for example, it doesn't support ActiveX. In response to FF raising the bar, other browsers are improving and even surpassing FF in numerous ways. That's good for us all.

[rich12313]

I love how all of these replies came from one guy saying "lol"

[RompStar_420]

Firefox is ok, on my Mac when I start it, after a while, when I click the URL space where you type addresses into, nothing happens! it's blank! Its weird, I stopped using it for now, just use Safari and Opera, they work great.

[Nocturnex]

that sounds like a personal problem...a pebkac error =)

[umbrae]

Its a TraceMonkey problem; not Firefox. Get used to it. With more and more browsers using optimizers for javascript this is going to get worse, and Firefox is not the only one.

[monkeyfun14]

"Its a TraceMonkey problem not Firefox"

I'm sorry but you win the award for the most apologist comment of the year.

If its built into the browser then its a firefox problem.

[Lerianis3]

monkeyfun14 has a point. If this is built-into the browser, it IS a browser problem.... though honestly I can give them a break, because they will NEVER be able to find ALL the bugs in OS's..... just impossible considering how many freaking lines of code there are!

[Nocturnex]

we all know its a firefox problem...read the title

however its not a firefox as a whole problem. the browser still works just fine with tracemonkey disabled. so as such it is an isolated problem.

when you disable it it just goes back to the old engine used in firefox 3.0

either way i want a fix, ive gotten too used to tracemonkey haha

[Vegaman_Dan]

I just find Java to be more of a headache than it is worth in the way of results. Reports like this one aren't doing much to help change that opinion.

[doubtthat]

Huh? JavaScript is the future of the web. How else are you going to get dynamic sites? Also, do you know how hard it is to code around users who have JavaScript turned off? URL rewriting and other tricks suck.

[zyxxy]

Java != JavaScript

[Vegaman_Dan]

@doubtthat:

I hate the frequent updates that pop up needing to be installed. I'm also concerned about Sun's sale and what the future will bring to the Java engine. Already Oracle who initially said they had no intent to break up the company is going back on that promise by shopping around the Sun hardware group to interested parties.

I don't know if Oracle is really interested in this or not, or if they will sell it all off piecemeal and who knows where that will leave us for support. :/

[Dalkorian]

Well, at least Zyxxy has proven he knows something about what he's talking about.

[JoeF2]

And yet another clueless troll...
This is about Javascript, *not* Java.
Two completely unrelated things, despite the similarity in name. Java is a programming language from Sun. Javascript is another, unrelated programming language that was originally developed at Netscape.

[Vegaman_Dan]

You got me on that one. I wasn't thinking about Java the programming language since people tend to use Java and Javascript interchangably here. I should have thought about that one more.

My bad!

[gggg sssss]

@ Vegaman_Dan only the most cluless of the clueless woudl confuse the two, or use them interchangeably.

[dudesmiles]

apple would never make such a bad product. take that mac haters. again we rule. i bet you wish you weren't so poor and could afford a mac.

[viper396]

"apple would never make such a bad product."

Yeah, Maybe if you click your heels together and keep saying it it might actually come true. Just keep telling yourself that...
....until then this kind of arrogance is just one more reason many people won't bother with Mac's.

[gofalcons]

afford a mac, thats right fool, and dont forget to install windows on your mac so you can actually use it at work and have more than 5 software titles to choose from at the store, read the facts fool, mac is still under 10% market share after 20 years, what a joke, apple is a fine company, but you fanboys kill thier name........

[ittesi259]

As a Mac user....comments like yours make me sick dudesmiles.

[wshun0]

@dudesmiles: How about Apple III?

[odubtaig]

Apart from that Safari drive-by download flaw that Apple took so long to fix and primarily affected OS X because of it's default no-confirm policy on downloads?

No. Never. Course not.

[syampillai]

I love apple Mac. I use MacBook Pro. Very good hardware. But, (un)fortunately I run Linux (openSUSE) on it.

[FF2009]

checked my Firefox on my Ubuntu box. NoScript it's on and everything is OK.

Buhahahahaaaa

Got to love it

[SIGHUP]

Every browser on every platform can disable JavaScript so what is your point?

[syampillai]

@SIGHUP
NoScript doesn't mean "No JavaSript"!

[c|net Reader]

@syampillai

NoScript does mean no JavaScript, provided scripting is disabled for each site you visit.

[TX-Sunset]

Funny, when it is Firefox, all the fanboys are "it's a flaw...they will fix it....relax" but when it is MS, everyone is like "haha....MS Sucks....IE Sucks".

Out of the box, IE is more secure, safer and just as fast as other browsers. Firefox does not become safe until all the plugins are installed and configured. And if there is a "Flaw" well, just relax while the hackers steal your info and keylog your passwords.

[Dalkorian]

Your credibility was seen flying out the window when you typed in your second sentence.

[dlh2009]

There is no web browser that is 100% secure. It is just how the maker of the browser patches the product. The faster the patches are released the more secure the browser is. Being an IE fan I would have to say that MS does a good job at patching IE.

[bananaphonerules]

Firefox: "we're the most secure" blah blah blah. FUD.
On the count of 3; everyone jump back to IE.

[ikramerica--2008]

yes, that would be a jump backwards... ;)

[BtmnHatesRbn]

I'm out of my league here, but HTML and XML programming and authoring should've been perfected to avoid this, and stop using so much damned JAVA, Flash, etc.

[viper396]

By your own admission you are hardly qualified to determine what "...should've been perfected..."
What exactly did you hope to prove by making a worthless comment on a subject you know little about?

[SandboxIE]

Another browser exploit found. What irresponsible website made it public before a Mozilla issued a patch? Anyway, just use SandboxIE with any browser of your choice, and you won't have to worry about these exploits.

[viper396]

...untill someone finds the inevitable flaw in SanboxIE. Learn by example and don't be so arrogant as to say that will never happen.

Why no 64-bit support?

[Michichael]

viper: Because 64 bit XP is outdated, and 64 bit Vista + has built in sandboxing of memory. All programs run in their own memory space and don't allow escaping that memoryspace to add code or something - which is one way sandboxie works. It's in better detail on their website.

[SandboxIE]

@viper: It's not arrogance to say sandboxIE will protect against browser exploits. It will. SandboxIE itself has already had at least one "potential" security vulnerability found in the past and fixed. No software is perfect, but browsing with SandboxIE wrapping your browser is exponentially more safe than browsing without it.

Most crackers prefer to spend their time looking for flaws in the most commonly used browsers and sofware, not something relatively unpopular, like SandboxIE. If/when SandboxIE becomes a household name with a broad user base, then it'll get more attention from the crackers, at which point, some other obscure security app will provide another layer of protection.

The bottomline is, if you're at all concerned about browser exploits, use it. You're much safer with it than without it. NoScript is great, too, but sometimes, even trusted sites get hacked with malicious code. SandboxIE is more of a set it and forget it app. Why no 64-bit support? Again, no software is perfect.

[JoeF2]

"What irresponsible website made it public before a Mozilla issued a patch? "

Hmm, Mozilla...
From the discussion on their bug database, it seems that the bug was known, and the exploit was just one of their test cases. Usually, they limit who can view security-related bugs in their bug database. That apparently didn't happen in this case. One developer called it a "self-inflicted" bug.

[Michichael]

And yet, Firefox + NoScript is still immune to this. Don't you love having scripts disabled by default unless you specifically allow them? It should be default on all web browsers.

[odubtaig]

I knew there was a reason I was holding off upgrading. It may say .5 but it looks point-oh.

[gravax]

Hum... Yet another CNET journalist who favors sensational news titles to actual factual ones... there is no such thing as a zero-day flaw. Or rather, all flaws are zero day on the day they are discovered.

There are, of course, zero day attacks / exploits : those that are (made) available the day the flaw is discovered... :)

Please, more journalism, less sensationalism.

[Carrick2222]

Why am I not surprised by this? Every single edition of Firefox there is whole bunch of bugs which they supposedly try to fix, but they are deliberately putting those bugs in so they can earn money by announcing new projects that will, again have the same bugs. Firefox is a joke.

[JoeF2]

I know, I should ignore trolls...
Are you talking about Microsoft???
Firefox is Open Source, there is no money to be earned with it.
Now go back under your rock.

[RyanShab]

This is just the reason I love Firefox though. If this happened in IE, we would have to wait for Microsoft to issue out a patch. with the add-on feature of FF, we already have the fix. NoScript. javascript is disabled unless you permit it. if there was no add-on, i'd be willing to put money on the opensource community being able to fix any security flaw before any corporate IT department can.

solution has been there before the problem even existed.

[gggg sssss]

You mean I cant use FF to surf porn sites anymore? Then what is the point? Whereis teh Opera guy on this?

[Freedomstarfox]

Mozilla just released Firefox 3.5.1 and it fixes many security (like this one) and stability issues as well as the slow startup issue.

[jpap93]

Spot on.