Critical JavaScript vulnerability in Firefox 3.5

Issue

A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Impact

The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT setting to true by:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value back to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode. Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.
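The about:config steps above change the javascript.options.jit.content preference, which Firefox persists in the profile's prefs.js and which a user.js file overrides on every start. The following script is an added example, not part of the Mozilla post: it parses the user_pref() lines of a profile directory, reports whether the mitigation is in effect, and can append the same preference to user.js. Profile paths passed on the command line are assumed to be Firefox profile directories.

```python
# Added example (not Mozilla's code): audit a Firefox profile for the
# javascript.options.jit.content mitigation and optionally apply it.
import re
from pathlib import Path

PREF = "javascript.options.jit.content"
# Matches: user_pref("name", value);  where value is a bool, an int or a quoted string
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')


def parse_prefs(text):
    """Return {name: value} from the user_pref() lines of a prefs file.
    Later lines override earlier ones, matching the order Firefox applies them."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and malformed entries are skipped
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def jit_status(profile_dir):
    """Return "mitigated" when the content JIT is disabled, else "enabled".
    prefs.js is read first and user.js second, because user.js wins at start-up.
    An absent pref counts as enabled (the Firefox 3.5 default the steps above change)."""
    merged = {}
    for fname in ("prefs.js", "user.js"):
        p = Path(profile_dir) / fname
        if p.is_file():
            merged.update(parse_prefs(p.read_text(encoding="utf-8", errors="replace")))
    return "mitigated" if merged.get(PREF) is False else "enabled"


def write_mitigation(profile_dir, enabled=False):
    """Append the pref to user.js: enabled=False applies the mitigation,
    enabled=True restores the JIT once the security update is installed."""
    p = Path(profile_dir) / "user.js"
    with p.open("a", encoding="utf-8") as f:
        f.write('user_pref("%s", %s);\n' % (PREF, "true" if enabled else "false"))


if __name__ == "__main__":
    import sys
    for d in sys.argv[1:]:  # each argument is assumed to be a profile directory
        print(d, jit_status(d))
```

Because user.js is re-applied at every start, a later true entry appended with write_mitigation(profile, enabled=True) reverses the mitigation without editing the earlier line.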

Status

Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.

Credit

Zbyte reported this issue to Mozilla and Lucas Kruijswijk helped reduce the exploit test case.

The Conversation {14 comments}

  1. Hugo {Tuesday July 14, 2009 @ 1:39 pm}

    Is 3.0.x code base vulnerable too? When was this vuln introduced? Thanks!

  2. m0niker {Tuesday July 14, 2009 @ 2:50 pm}

    from the command line (batch file):

    firefox.bat
    REM Copy user.js into every *.default profile under the current user's Firefox profile directory
    for /f "delims=" %%a in ('dir /B "%APPDATA%\Mozilla\firefox\Profiles\*.default"') do xcopy /y user.js "%APPDATA%\Mozilla\firefox\Profiles\%%a\"

    user.js
    //Firefox 3.5's Just-in-time (JIT) JavaScript Vulnerability – 7.14.09
    user_pref("javascript.options.jit.content", false);

  3. this is my name {Tuesday July 14, 2009 @ 3:08 pm}

    what is the bugnumber for this security problem on mozillas bugzilla? any more details?

    the mozilla wiki doesnt show anything :(

  4. anon {Tuesday July 14, 2009 @ 3:12 pm}

    Wow, man… not even Internet Explorer gets critical exploits 2 days after release.

  5. Jess {Tuesday July 14, 2009 @ 4:17 pm}

    If that option doesn’t appear in my about:config, could it be because ubuntu already disabled it for me? The only “javascript.options” I have are “relimit”, “showInConsole”, and “strict”.

  6. Joe Bloggs {Tuesday July 14, 2009 @ 4:43 pm}

    I’ve been googling all over and visiting the various firefox sites, mozillazine etc and not seen anything about this vulnerability.

    Why is this blog so well hidden? It’s really reassuring to finally read that you guys are working to fix the problem. I only found this blog via incidents.org

  7. Asa Dotzler {Tuesday July 14, 2009 @ 6:32 pm}

    @Hugo, no this is not a bug in Firefox 3.0. It only affects 3.5 which includes the new JIT features in its JS engine.

    @anon said “Wow, man… not even Internet Explorer gets critical exploits 2 days after release.”

    Actually, it’s not two days after release. It’s two weeks after the release. And yes, even Internet Explorer (and Safari and Chrome and Opera) have all had vulnerabilities disclosed days and weeks after their releases.

    @Jess, you’re probably still on Firefox 3.0.x which isn’t impacted.

    @Joe, this is Mozilla’s official security blog. It’s where these kinds of announcements happen. If you queried Google for mozilla and security, you’d see this as the third link.

  8. skierpage {Tuesday July 14, 2009 @ 7:32 pm}

    Does Firefox trunk (3.6a1pre) have a fix for this bug yet?

    What about javascript.options.jit.chrome, which defaults to false? I’ve had that set to true to look for bugs.

  9. skierpage {Tuesday July 14, 2009 @ 7:37 pm}

    Hugo, Firefox 3.0 doesn’t have the super-fast TraceMonkey “just in time” (”jit”) JavaScript engine, so I doubt this vulnerability applies.

    anon, Microsoft has suffered far more zero day vulnerabilities than Firefox.

  10. Daniel Veditz {Tuesday July 14, 2009 @ 8:44 pm}

    @this is my name: https://bugzilla.mozilla.org/show_bug.cgi?id=503286

    @skierpage: yes, today’s 3.6 nightly has the fix for this bug. It was checked in yesterday, a few hours _before_ we learned of the milw0rm posting. This fix was going to be in the 3.5.x update we had scheduled for the end of July, but obviously now we have moved up the schedule for release.

  11. franz {Tuesday July 14, 2009 @ 8:47 pm}

    NoScript is your friend. :)

  12. Andy {Tuesday July 14, 2009 @ 9:06 pm}

    > not even Internet Explorer gets critical exploits 2 days after release.

    Are you kidding?

    Internet Explorer *always* has security holes.

    The security holes stay there for many months waiting to be fixed – here’s proof:
    http://secunia.com/advisories/product/12366/
    ^ Get the facts — Internet Explorer 7 Security Holes

    Mozilla patches Firefox security holes in about 1-2 days.

    I never, ever caught anything with Firefox. With Internet Explorer I’ve gotten over 5 malicious programs installed (in the first few years I’ve used it).

    Get real. Stop spreading your FUD.

  13. Slush {Wednesday July 15, 2009 @ 1:25 am}

    @franz: NoScript is not a friend. NoScript is a click-nagging nanny.
