Slashdot Mirror


Firefox 3.5's First Vulnerability "Self-Inflicted"

CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

13 of 156 comments

  1. Foundation, Not a Company by eldavojohn · · Score: 3, Informative

    Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser.

    Just a note, I think Mozilla tries to shirk any idea of "company" or "corporation" from the open source development side of things. Instead, they are a non-profit foundation and recently created a separate taxable corporation with the intent of distribution and productizing Firefox & Thunderbird.

    I think the word 'company' implies commercial interests and the developing part of Mozilla--the Foundation--does not have any commercial interests. While this may seem unimportant to you, I believe it to be a pretty important concept to clarify when you're talking about open source from a non-profit and open source from a company.

    --
    My work here is dung.
  2. Maybe off topic but... by vertinox · · Score: 2, Informative

    Has anyone noticed performance degradation in 3.5? Opening a slew of bookmarked pages into tabs tends to make it feel like my internet connection has slowed down. Yet when all the tabs load, they all respond snappily.

    And sometimes certain sites act sluggish when opening the same exact site works fine in Safari.

    It wasn't like this in 3.01.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  3. Re:time to close Bugzilla to the public by maxume · · Score: 3, Informative

    They already had a standing policy of hiding security-related bugs (i.e. those that they figured were exploitable; it is even discussed in the log linked in the summary!).

    --
    Nerd rage is the funniest rage.
  4. Re:Nice test for the open source community by fedxone-v86 · · Score: 5, Informative

    If you had read the bugzilla thread (I know, I know) you'd know it's already fixed ;)

    --
    (USER WAS PUT ON PROBATION FOR THIS POST)
  5. Temporary fix by AdmiralXyz · · Score: 5, Informative

    According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.

    --
    Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
  6. Re:the only browser with 0 vulnerabilities by Colonel+Korn · · Score: 3, Informative

    is Google Chrome...

    Nope:

    http://chromekb.com/vulnerabilities/

    The attitude that some platforms are simply immune to attacks is foolish and counterproductive.

    --
    "I zero-index my hamsters" - Willtor (147206)
  7. Why didn't you post the (simple) fix??? by brunes69 · · Score: 2, Informative

    Why not post in the summary the simple fix?

        In lieu of a patch, users can protect themselves by disabling the "just-in-time" component of the TraceMonkey engine.
        To do that, users should enter "about:config" in Firefox's address bar, type "jit" in the filter box, then double-click
        the "javascript.options.jit.content" entry to set the value to "false." The popular NoScript add-on will also ward off attacks.

  8. Re:Right! Quick! by zorg50 · · Score: 3, Informative

    No-Script has never been spyware. Adware, on the other hand...

  9. Re:Yeah, right by DoofusOfDeath · · Score: 4, Informative

    http://www.cutekittens.com/ how about that one? :D

    Oh man, that site is AWESOME!!! I can't believe what those women were doing. I can't believe it's a free site. Thanks!

  10. NoScript: http://noscript.net by Futurepower(R) · · Score: 4, Informative

    Careful.

    The official NoScript site is http://noscript.net/.

    To anyone who doesn't already know: NoScript prevents Javascript scripts from running unless they are chosen from a menu. That even protects against vulnerabilities that haven't been discovered yet.

    1. Re:NoScript: http://noscript.net by kalirion · · Score: 2, Informative

      And how are readers to know that your link is any more valid than mine?

      Actually, the safest way to link to extensions would be through Mozilla's Own Site. That page should have the actual category.

  11. Re:Granted bugs happen and is obviously nice explo by jank1887 · · Score: 2, Informative

    Fixed, but not pushed out yet. For the 'days to a fix' count, you need to count all days from the time the hole was discovered to the day a fixed version / patch is pushed out to users (if I have to go looking for it, it's not 'fixed' yet). Most people are trained to only respond to Firefox's Update popups.

  12. Re:This is why NoScript should be a core feature by VGPowerlord · · Score: 4, Informative

    I was going to point out that NoScript was near the top of the recommended add-ons page, but now I see that is no longer there at all! You have to search for it. Adblock Plus still tops the list, however.

    NoScript got buried after the incident with it fucking around with AdBlock's settings, then once that was discovered and pointed out, them adding an AdBlock filter set to bypass blocking on NoScript's author's site.

    As far as I know, it does neither any more, but it pissed off a lot of users, myself included, and its author's reputation went through the floor.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011