Mozilla yesterday confirmed the first security vulnerability in Firefox 3.5, and said that the bug could be used to hijack
a machine running the company's newest browser.
A noted Firefox contributor called the situation "self-inflicted," and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through
Bugzilla, Mozilla's bug- and change-tracking database.
The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. "[It] can be exploited
by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code," the company's security blog reported Tuesday.
Secunia, a Danish security company, rated the bug "highly critical," the second-highest threat ranking in its five-step system, and added that the vulnerability is in TraceMonkey's processing
of JavaScript code handling "font" HTML tags.
Older versions of Firefox, including Firefox 3.0, are not vulnerable, according to a message posted by Asa Dotzler, Mozilla's
director of community development, in a comment to the company's blog.
"Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix
is completed and tested," said that same blog.
In lieu of a patch, users can protect themselves by disabling the "just-in-time" component of the TraceMonkey engine. To do
that, users should enter "about:config" in Firefox's address bar, type "jit" in the filter box, then double-click the "javascript.options.jit.content"
entry to set the value to "false." The popular NoScript add-on will also ward off attacks.
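For administrators who need to confirm the workaround across many machines, the following added example (not code from Mozilla or from this article) checks the text of a profile's prefs.js and user.js for the pref named above. It assumes Firefox's user_pref("name", value); file syntax, that user.js takes precedence over prefs.js, and that an unset pref leaves the JIT enabled; the sample profile contents are constructed.

```python
import re

PREF = "javascript.options.jit.content"  # pref name given in the article
# Matches lines such as: user_pref("some.pref", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def read_pref(text, name):
    """Return the last raw value set for `name` in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_RE.match(line)  # commented-out lines do not match
        if m and m.group(1) == name:
            value = m.group(2)
    return value

def jit_mitigated(prefs_js, user_js=""):
    """True only if the content JIT is set to the boolean false."""
    for text in (user_js, prefs_js):  # assumption: user.js overrides prefs.js
        value = read_pref(text, PREF)
        if value is not None:
            # A quoted "false" is a string pref, not the boolean the fix needs.
            return value == "false"
    return False  # assumption: unset means the default, JIT enabled

def exposed_profiles(profiles):
    """Names of profiles where the workaround is not in effect."""
    return sorted(name for name, (prefs, user) in profiles.items()
                  if not jit_mitigated(prefs, user))

# Constructed sample profiles: name -> (prefs.js text, user.js text)
OFF = 'user_pref("javascript.options.jit.content", false);\n'
SAMPLES = {
    "workaround-applied": (OFF, ""),
    "default": ('user_pref("browser.startup.homepage", "about:blank");\n', ""),
    "reverted-by-user-js": (OFF, OFF.replace("false", "true")),
    "commented-out": ("// " + OFF, ""),
}

if __name__ == "__main__":
    for name in exposed_profiles(SAMPLES):
        print("still exposed:", name)
```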
The hacker who published exploit code on the milw0rm.com malware site Monday was not the first to uncover the vulnerability:
Mozilla developers first noted the flaw last Thursday, and were in the middle of working on it when the attack code appeared.
"Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier,"
argued Andreas Gal on Bugzilla. Gal is a project scientist at the University of California, Irvine, where the technique called
"trace trees" was developed. Firefox 3.5's TraceMonkey engine is based on that technique, and builds on code and ideas shared with the open-source Tamarin Tracing project.
Story copyright Computerworld, Inc.