Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox 3.5's First Vulnerability "Self-Inflicted"

Posted by CmdrTaco on from the that-sounds-all-emo dept.

CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

5 of 156 comments (clear)

  1. Re:Nice test for the open source community by fedxone-v86 · · Score: 5, Informative

    If you had read the bugzilla thread (I know, I know) you'd know it's already fixed ;)

    --
    (USER WAS PUT ON PROBATION FOR THIS POST)
  2. Temporary fix by AdmiralXyz · · Score: 5, Informative

    According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.

    --
    Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
  3. Re:Yeah, right by DoofusOfDeath · · Score: 4, Informative

    http://www.cutekittens.com/ how about that one? :D

    Oh man, that site is AWESOME!!! I can't believe what those women were doing. I can't believe it's a free site. Thanks!

  4. NoScript: http://noscript.net by Futurepower(R) · · Score: 4, Informative

    Careful.

    The official NoScript site is http://noscript.net/.

    To anyone who doesn't already know: NoScript prevents Javascript scripts from running unless they are chosen from a menu. That even protects against vulnerabilities that haven't been discovered yet.

  5. Re:This is why NoScript should be a core feature by VGPowerlord · · Score: 4, Informative

    I was going to point out that NoScript was near the top of the recommended add-ons page, but now I see that is no longer there at all! You have to search for it. Adblock Plus still tops the list, however.

    NoScript got buried after the incident with it fucking around with AdBlock's settings, then once that was discovered and pointed out, them adding an AdBlock filter set to bypass blocking on NoScript's author's site.

    As far as I know, it does neither any more, but it pissed off a lot of users, myself included, and its author's reputation went through the floor.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011