Firefox 3.5's First Vulnerability "Self-Inflicted"

CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

Yeah, right

[DoofusOfDeath]

'[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

Oh sure, I'm definitely going to follow that link now.

Re:Nice test for the open source community

[fedxone-v86]

If you had read the bugzilla thread (I know, I know) you'd know it's already fixed ;)

Re:WTF

[maxume]

So when they know about and are actively working on fixing a bug that is an exploit vulnerability, you think they should do it in public?

I get the argument that telling your users about it means that they can protect themselves (say, by running noscript), but for a consumer facing organization like Mozilla, the majority of users aren't going to notice or do anything.

Temporary fix

[AdmiralXyz]

According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.

Re:MOD PARENT UP

[the+way,+what're+you]

I've got at least a dozen non-default settings I've set in about:config. What's one more?

at least a baker's dozen?