Firefox 3.5's First Vulnerability "Self-Inflicted"

CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

Foundation, Not a Company

[eldavojohn]

Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser.

Just a note, I think Mozilla tries to shirk any idea of "company" or "corporation" from the open source development side of things. Instead, they are a non-profit foundation and recently created a separate taxable corporation with the intent of distribution and productizing Firefox & Thunderbird.

I think the word 'company' implies commercial interests and the developing part of Mozilla--the Foundation--does not have any commercial interests. While this may seem unimportant to you, I believe it to be a pretty important concept to clarify when you're talking about open source from a non-profit and open source from a company.

Re:time to close Bugzilla to the public

[maxume]

They already had a standing policy of hiding security related bugs (I.e. those that they figured were exploitable; It is even discussed in the log linked in the summary!).

Re:Nice test for the open source community

[fedxone-v86]

If you had read the bugzilla thread (I know, I know) you'd know it's already fixed ;)

Temporary fix

[AdmiralXyz]

According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.

Re:the only browser with 0 vulnerabilities

[Colonel+Korn]

is Google Chrome...

Nope:

http://chromekb.com/vulnerabilities/

The attitude that some platforms are simply immune to attacks is foolish and counterproductive.

Re:Right! Quick!

[zorg50]

No-Script has never been spyware. Adware, on the other hand...

Re:Yeah, right

[DoofusOfDeath]

http://www.cutekittens.com/ how about that one? :D

Oh man, that site is AWESOME!!! I can't believe what those women were doing. I can't believe it's a free site. Thanks!

NoScript: http://noscript.net

[Futurepower(R)]

Careful.

The official NoScript site is http://noscript.net/.

To anyone who doesn't already know: NoScript prevents Javascript scripts from running unless they are chosen from a menu. That even protects against vulnerabilities that haven't been discovered yet.

Re:This is why NoScript should be a core feature

[VGPowerlord]

I was going to point out that NoScript was near the top of the recommended add-ons page, but now I see that is no longer there at all! You have to search for it. Adblock Plus still tops the list, however.

NoScript got buried after the incident with it fucking around with AdBlock's settings, then once that was discovered and pointed out, them adding an AdBlock filter set to bypass blocking on NoScript's author's site.

As far as I know, it does neither any more, but it pissed off a lot of users, myself included, and its author's reputation went through the floor.