Firefox 3.5's First Vulnerability "Self-Inflicted" 156
CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."
Foundation, Not a Company (Score:3, Informative)
Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser.
Just a note, I think Mozilla tries to shirk any idea of "company" or "corporation" from the open source development side of things. Instead, they are a non-profit foundation [mozilla.org] and recently created a separate taxable corporation [mozilla.org] with the intent of distribution and productizing Firefox & Thunderbird.
I think the word 'company' implies commercial interests and the developing part of Mozilla--the Foundation--does not have any commercial interests. While this may seem unimportant to you, I believe it to be a pretty important concept to clarify when you're talking about open source from a non-profit and open source from a company.
Maybe off topic but... (Score:3, Informative)
Has anyone notice performance degradation in 3.5? Opening a slew of bookmarked pages into tabs tends to make it feel like my internet connection has slowed down. Yet when all the tabs load, they all respond snappily.
And sometimes certain sites act sluggish when opening the same exact site works fine in Safari.
It wasn't like this in 3.01
Re:time to close Bugzilla to the public (Score:3, Informative)
They already had a standing policy of hiding security related bugs (I.e. those that they figured were exploitable; It is even discussed in the log linked in the summary!).
Re:Nice test for the open source community (Score:5, Informative)
If you had read the bugzilla thread (I know, I know) you'd know it's already fixed ;)
Temporary fix (Score:5, Informative)
According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.
Re:the only browser with 0 vulnerabilities (Score:4, Informative)
is Google Chrome...
Nope:
http://chromekb.com/vulnerabilities/ [chromekb.com]
The attitude that some platforms are simply immune to attacks is foolish and counterproductive.
Why didn't you post the (simple) fix??? (Score:3, Informative)
Why not post in the summary the simple fix?
In lieu of a patch, users can protect themselves by disabling the "just-in-time" component of the TraceMonkey engine.
To do that, users should enter "about:config" in Firefox's address bar, type "jit" in the filter box, then double-click
the "javascript.options.jit.content" entry to set the value to "false." The popular NoScript add-on will also ward off attacks.
Re:Right! Quick! (Score:3, Informative)
Re:Yeah, right (Score:5, Informative)
http://www.cutekittens.com/ [milw0rm.com] how about that one? :D
Oh man, that site is AWESOME!!! I can't believe what those women were doing. I can't believe it's a free site. Thanks!
NoScript: http://noscript.net (Score:5, Informative)
The official NoScript site is http://noscript.net/ [noscript.net].
To anyone who doesn't already know: NoScript prevents Javascript scripts from running unless they are chosen from a menu. That even protects against vulnerabilities that haven't been discovered yet.
Re:Granted bugs happen and is obviously nice explo (Score:3, Informative)
fixed, but not pushed out yet. For the 'days to a fix' count, you need to count all days from the time the hole was discovered to the day a fixed version / patch is pushed out to users. (if I have to go looking for it, it's not 'fixed' yet) Most people are trained to only respond to Firefox's Update popups.
Re:This is why NoScript should be a core feature (Score:5, Informative)
NoScript got buried after the incident with it fucking around with AdBlock's settings, then once that was discovered and pointed out, them adding an AdBlock filter set to bypass blocking on NoScript's author's site.
As far as I know, it does neither any more, but it pissed off a lot of users, myself included, and its author's reputation went through the floor.
Re:NoScript: http://noscript.net (Score:3, Informative)
And how are readers to know that your link is any more valid than mine?
Actually, the safest way to link to extensions would be through Mozilla's Own Site [mozilla.org]. That page should have the actual category.