
·
Premium Member
Joined
·
8,252 Posts
Discussion Starter #1
Quote:


Stopgap Fix for Critical Firefox 3.5 Security Hole

Instructions showing hackers how to exploit an unpatched, critical security hole in Mozilla's new Firefox 3.5 Web browser have been posted online. So, until Mozilla can ship an update to quash this bug, Security Fix is posting instructions to help readers protect themselves from this vulnerability.

The security hole has to do with a flaw in the way Firefox 3.5 handles Javascript, a powerful programming language heavily used on popular Web sites. Specifically, the vulnerability was introduced with the addition of the Tracemonkey, a new feature in 3.5 that is designed to dramatically speed up the rendering of Javascript.

Vulnerability watcher Secunia rates this flaw "highly critical," noting that it is the type of flaw that criminals could use to remotely install rogue software, merely by convincing users to visit a hacked or booby-trapped Web site.

Fortunately, there is a relatively easy fix for this that can be reversed once Mozilla issues a patch. To disable the vulnerable component, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar. In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content". You should notice that beside that setting it reads "true," meaning the setting is enabled. If you just double-click on that setting, it should disable it, changing the option to "false." That's it.

Note that making this change will slow down Javascript rendering in Firefox 3.5 to 3.0 speeds, but that may be a worthwhile trade-off for readers concerned about the availability of exploit code for this flaw.

WaPo http://voices.washingtonpost.com/sec...ss=securityfix


Quote:


Title: Mozilla Firefox 3.5 Remote Code Execution Vulnerability
Severity: HIGH
Description:

Mozilla Firefox is a web browser available for various platforms.

Firefox is prone to a remote code-execution vulnerability due to an unspecified error. This issue arises during the processing of JavaScript and may present itself when certain string characters are escaped and subsequently copied to a buffer.

Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions.

The issue affects Firefox 3.5; other versions may also be vulnerable.

The remote code execution was confirmed in Firefox 3.5 running on Microsoft Windows XP SP2. A crash was observed in Firefox 3.5 on Microsoft Windows XP SP3.
Affected Products:

* Mozilla Firefox 3.5.0

Source

Got this warning just a short time ago from a co-worker, and found some sites to link about it; so do watch what you're logged in as, and where you go.
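For anyone applying the quoted about:config workaround to more than one machine, here is an added example (not part of the original post or the quoted article) that checks a profile's effective `javascript.options.jit.content` value and pins it to false in `user.js`. The profile contents and the second pref are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

PREF = "javascript.options.jit.content"  # pref name from the quoted article
LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def read_prefs(path):
    """Return {name: raw_value} for every user_pref() line in one file."""
    prefs = {}
    if path.is_file():
        for line in path.read_text(encoding="utf-8").splitlines():
            m = LINE.match(line)
            if m:
                prefs[m.group(1)] = m.group(2)
    return prefs


def jit_enabled(profile):
    """Effective setting: user.js is applied after prefs.js at startup."""
    merged = {**read_prefs(profile / "prefs.js"), **read_prefs(profile / "user.js")}
    # Unset means the built-in default, which the article says reads "true".
    return merged.get(PREF, "true") == "true"


def pin_jit_off(profile):
    """Rewrite user.js so the pref is false, keeping every other line."""
    user_js = profile / "user.js"
    old = user_js.read_text(encoding="utf-8").splitlines() if user_js.is_file() else []
    kept = [l for l in old if not ((m := LINE.match(l)) and m.group(1) == PREF)]
    kept.append(f'user_pref("{PREF}", false);')
    user_js.write_text("\n".join(kept) + "\n", encoding="utf-8")


def demo():
    """Constructed profile: prefs.js has the JIT on, user.js has one other pref."""
    with tempfile.TemporaryDirectory() as d:
        profile = Path(d)
        (profile / "prefs.js").write_text(f'user_pref("{PREF}", true);\n')
        (profile / "user.js").write_text('user_pref("browser.startup.page", 0);\n')
        before = jit_enabled(profile)
        pin_jit_off(profile)
        return before, jit_enabled(profile), (profile / "user.js").read_text()


if __name__ == "__main__":
    print(demo())
```

Firefox must be closed while `user.js` is edited, and the added line has to be deleted again after the patched release is installed, otherwise the pref stays pinned to false on every start.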
 

·
Premium Member
Joined
·
8,252 Posts
Discussion Starter #3
Quote:


Originally Posted by TFL Replica

Well if anyone with XP is still on SP2 AND they forgo using noscript then they deserve all the remote execution in the world.

I didn't hear about it through this source, but through more official channels, but it does affect SP3 as well as SP2.

While Noscript is great, not everyone uses it (if you are dumb enough to go to bad sites, chances are you're not using something safe like up-to-date AV/Noscript). Though I don't know if Noscript would block it.. mind if I borrow your computer for a little bit to test?
 

·
Registered
Joined
·
234 Posts
Quote:


Originally Posted by trueg50

I didn't hear about it through this source, but through more official channels, but it does affect SP3 as well as SP2.

While Noscript is great, not everyone uses it (if you are dumb enough to go to bad sites, chances are you're not using something safe like up-to-date AV/Noscript). Though I don't know if Noscript would block it.. mind if I borrow your computer for a little bit to test?


Yes, common sense can cure many a problem.
 

·
Banned
Joined
·
10,581 Posts
Quote:


Originally Posted by TFL Replica

Well if anyone with XP is still on SP2 AND they forgo using noscript then they deserve all the remote execution in the world.

Do you really think the average user knows about noscript?
 

·
PC Gamer
Joined
·
1,776 Posts
well i don't use Firefox for the security reason, never have, i use it because i like the user interface, i like how it has a good range of addons, highly customizable, very fast speeds

this is more an issue with Java than it is firefox tbh
 

·
Registered
Joined
·
3,746 Posts
Quote:


Originally Posted by TFL Replica

Also don't troll, chrome will never match firefox.

I like chrome better. Stop trolling.
 

·
Registered
Joined
·
3,746 Posts
Quote:

Originally Posted by TFL Replica
Come on now, be reasonable, it's a Firefox related thread. Instead of using the word troll as a weapon, get back on topic.
If you hadn't noticed, you used the word troll first.

They did not say anything about Vista or 7. Is this an example of security being better on Vista/7?
 

·
Registered
Joined
·
3,741 Posts
Quote:


Originally Posted by ElMikeTheMike

Do you really think the average user knows about noscript?

Unfortunately, no.

But I'm not sure how much it would help, as no amount of technology can save idiots from themselves.
 

·
Registered
Joined
·
3,746 Posts
Quote:


Originally Posted by vtech1

people have their own opinions on what browser to use and it is their own choice, if everyone keeps saying this or that is better i can tell u that this thread will become locked in minutes, GROW UP!!

One thing though that isn't my opinion.
Chrome doesn't have this vulnerability, Firefox does.
 

·
Registered
Joined
·
577 Posts
hmm I always seem to have firefox crash when I try and log into paypal...

Weird.
 