ENUM (read the wiki) refers to the mapping of telephone numbers to internet addresses. Think of it almost as reverse DNS for your phone number. Although there are many methods of integrating ENUM into your system, our current “favorite” is ENUMPlus.org.

From their website:

ENUM sources are very segregated and there was no global repository – until now. ENUMPlus queries all of the top ENUM lookup sources and returns the most accurate result with minimal overhead; meaning you only need to specify one source. ENUMPlus allows you to offload all of the query processing to our powerful servers so you don’t have to waste time and precious resources.

Integrating ENUMplus into Asterisk can be very quick and there’s a few choices/methods of going about it. You can choose to use their php scripts, go direct from the dialplan, or run your own lookup script. Here, we’ve chosen to write our own lookup script that basically does the following:

1. Checks ENUMplus.org for a result (with a 2 second timeout)
2. Sets a variable of ENUMRESULT and returns to dialplan
3. The dialplan then evaluates that variable, and if a sip value is provided calls the number directly via SIP.

Here’s an example dialplan:

exten => _X.,1,Set(CALLTO=${EXTEN})
exten => _X.,n,Goto(out,1)
exten => out,1,AGI(enumcheck.pl,${CALLTO})
exten => out,n,GotoIf($["${ENUMRESULT}" = "FAIL"]?pstn)
exten => out,n,GotoIf($[${ISNULL(${ENUMRESULT})}]?pstn)
exten => out,n,Dial(${ENUMRESULT},55)
exten => out,n,GotoIf($["${DIALSTATUS}" = "CHANUNAVAIL" ]?pstn)
exten => out,n,GotoIf($["${DIALSTATUS}" = "CONGESTION" ]?pstn)
exten => out,n,GotoIf($["${DIALSTATUS}" = "BUSY" ]?busy)
exten => out,n,Hangup()
exten => out,n(pstn),Dial(SIP/${CALLTO}@yourprovider); or DAHDI, etc.
exten => out,n,GotoIf($["${DIALSTATUS}" = "CHANUNAVAIL" ]?busy)
exten => out,n,GotoIf($["${DIALSTATUS}" = "CONGESTION" ]?busy)
exten => out,n,GotoIf($["${DIALSTATUS}" = "BUSY" ]?busy)
exten => out,n,Hangup()
exten => out,n(busy),Busy(5)
exten => out,n,Hangup()

And here’s the script:

#!/usr/bin/perl -w
use strict;
$|=1;
my ($phone, $url, $apikey, $result, @sip);

while(<STDIN>) {
	chomp;
	last unless length($_);
}

if ($ARGV[0]) {
	$phone = &URLEncode($ARGV[0]);
} else {
	&setvar("ENUMRESULT", "FAIL");
	&printverbose("enumlookup: No CALLTO received.",2);
	exit(0);
}

#Get via WEB
$apikey = "REPLACE WITH YOUR KEY";
$url = "http://enumplus.org/api";

$result = qx(curl -m 2 -s -d 'key=$apikey' $url/$phone);

if ($result) {
	if ($result =~ /SIP/i) {
		@sip = split(/\|/, $result);
		&setvar("ENUMRESULT", $sip[0]);
		&printverbose("enumlookup: $sip[0]",2);
	} else {
		&setvar("ENUMRESULT", "FAIL");
		&printverbose("enumlookup: No sip address found.",2);
	}
} else {
	&setvar("ENUMRESULT", "FAIL");
	&printverbose("enumlookup: Timeout or error",2);
}

sub URLEncode {
   my $theURL = $_[0];
   $theURL =~ s/([\W])/"%" . uc(sprintf("%2.2x",ord($1)))/eg;
   return $theURL;
}

sub setvar {
	my ($var, $val) = @_;
	print STDOUT "SET VARIABLE $var \"$val\" \n";
	while(<STDIN>) {
		m/200 result=1/ && last;
	}
	return;
}

sub printverbose {
	my ($var, $val) = @_;
	print STDOUT "VERBOSE \"$var\" $val\n";
	while(<STDIN>) {
		m/200 result=1/ && last;
	}
	return;
}

Happy Coding!

Set up IP Tables

We will not be discussing the intricacies of iptables in this post. There are excellent tutorials on iptables, and with most things linux, help is only a google away. To help identify the traffic blocked as asterisk related, a new chain will be created appropriately called… asterisk.

Here’s how to add the new chain:

iptables -N asterisk
iptables -A INPUT -j asterisk
iptables -A FORWARD -j asterisk

This will help identify hosts blocked for failed registrations.

Asterisk’s Log for Failed Registrations

In most cases of a sip flood attack, the host attempts registration to Asterisk. These hosts are identified in the Asterisk log (/var/log/messages) as “No matching peer found.” The following perl script scans /var/log/messages for these patterns, strips the IP address, and puts the IP address into an array.

After the file has been read, the IP addresses are counted (each count is a failed attempt), compared against the existing blocked hosts, and new occurrences are blocked. With this script we are blocking any host after the 4th failed attempt.

Here’s the script (last updated 21 APR 2010):

#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);
my %currblocked;
my %addblocked;
my $action;

open (MYINPUTFILE, "/var/log/asterisk/messages") or die "\n", $!, "Does log file file exist\?\n\n";

while (<MYINPUTFILE>) {
	my ($line) = $_;
	chomp($line);
	if ($line =~ m/\' failed for \'(.*?)\' - No matching peer found/) {
		push(@failhost,$1);
	}
}

my $blockedhosts = `/sbin/iptables -n -L asterisk`;

while ($blockedhosts =~ /(.*)/g) {
	my ($line2) = $1;
	chomp($line2);
	if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)(\s+)/) {
		$currblocked{ $1 } = 'blocked';
	}
}

while (my ($key, $value) = each(%currblocked)){
	print $key . "\n";
}

if (@failhost) {
	&count_unique(@failhost);
	while (my ($ip, $count) = each(%addblocked)) {
		if (exists $currblocked{ $ip }) {
			print "$ip already blocked\n";
		} else {
			$action = `/sbin/iptables -I asterisk -s $ip -j DROP`;
			print "$ip blocked. $count attempts.\n";
		}
	}
} else {
	print "no failed registrations.\n";
}

sub count_unique {
    my @array = @_;
    my %count;
    map { $count{$_}++ } @array;
    map {($addblocked{ $_ } = ${count{$_}})} sort keys(%count);
}

Schedule the script with cron

The final step is to schedule your script to run every X minutes in cron. We’ve chosen to run our script every 2 minutes, but you can change this to 1 minute or any other time period you choose. Just remember… you can receive thousands of attempts within 2 minutes.

If you have named your script check-failed-regs.pl and placed it in your /usr/local/bin directory, your cron statement would look like this:

*/2 * * * * perl /usr/local/bin/check-failed-regs.pl &> /dev/null

Questions? Comments? We love feedback. Or, contact us for more information.

#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);

open (MYINPUTFILE, "/var/log/asterisk/$ARGV[0]") or die "\n", $!, "Does log file file exist\?\n\n";

while (<MYINPUTFILE>) {
	my ($line) = $_;
	chomp($line);
	if ($line =~ m/\' failed for \'(.*?)\' - No matching peer found/) {
		push(@failhost,$1);
	}
}

if (@failhost) {
	&count_unique(@failhost);
} else {
	print "no failed registrations.\n";
}

sub count_unique {
    my @array = @_;
    my %count;
    map { $count{$_}++ } @array;

	#print them out:

    map {print "$_ = ${count{$_}}\n"} sort keys(%count);

}

And while we duck from @Merlyn’s criticisms (although we love his criticism), the basic usage is:

perl [Whatever you named it].pl messages
or perl [Whatever you named it].pl messages.1

Results look like:

184.73.53.22 = 13586
64.76.45.100 = 9895
78.46.87.14 = 9960

Or “no failed registrations.” if you have no failed attempts.

Utilizing a variety of techniques, applications, and tools, Team Forrest remotely examines your network over the public Internet. identified weaknesses and vulnerabilities are assessed for risk and detailed, with recommendations, to the customer.

What is a Vulnerability Scan?

A vulnerability scan assesses computer systems, networks, and applications for weaknesses. Vulnerability Scans are recommended (and may be required) for any business conducting e-commerce, hosting a server with a publicly accessible IP Address, or allowing remote access to company assets. Team Forrest recommends a comprehensive scan, including:

1. Checking for vulnerabilities of remote systems
2. Checking for misconfiguration of remote systems, software, and services
3. Checking commonly used passwords
4. Checking Denial of Service sensitivity
5. Checking for Web Vulnerability (such as SQL Injection)

How does a Vulnerability Assessment Work?

Team Forrest performs the scan remotely, accessing your network over the Public Internet. There is nothing for you to do and no software will need to be installed. Our servers will simply assess your network remotely.

Once the scan completes, Team Forrest provides a detailed assessment including identified risks and vulnerabilities, as well as their severity level. Team Forrest also provides recommendations and assisting in correcting any identified flaws or vulnerabilities.

For more information on a Team Forrest Vulnerability Scan / Assessment, please call 888-295-0025 or contact us for details.

For more information, check out the post at VoIP Tech Chat.

Following is a list of SIP Response Codes:

Information SIP Responses – 1xx

Informational responses, indicate that the server contacted is performing some further action and does not yet have a definitive response. A server sends a 1xx response if it expects to take more than 200 ms to obtain a final response.

• 100 Trying
• 180 Ringing
• 181 Call Is Being Forwarded
• 182 Queued
• 183 Session Progress

Successful SIP Responses – 2xx

The action was successfully received, understood, and accepted.

• 200 OK
• 202 Accepted (request understood, but cannot be processed)

Redirection SIP Responses – 3xx

Further action needs to be taken in order to complete the request.

• 300 Multiple Choices
• 301 Moved Permanently
• 302 Moved Temporarily
• 305 Use Proxy
• 380 Alternative Service

Client Error SIP Responses – 4xx

The request contains bad syntax or cannot be fulfilled at the server.

• 400 Bad Request
• 401 Unauthorized (Used only by registrars or user agents. Proxies will/should use 407)
• 402 Payment Required
• 403 Forbidden
• 404 Not Found
• 405 Method Not Allowed
• 406 Not Acceptable
• 407 Proxy Authentication Required
• 408 Request Timeout
• 409 Conflict
• 410 Gone (The user is not available here but once was)
• 412 Conditional Request Failed
• 413 Request Entity Too Large
• 414 Request-URI Too Long
• 415 Unsupported Media Type
• 416 Unsupported URI Scheme
• 417 Unknown Resource-Priority
• 420 Bad Extension
• 421 Extension Required
• 422 Session Interval Too Small
• 423 Interval Too Brief
• 424 Bad Location Information
• 428 Use Identity Header
• 429 Provide Referrer Identity
• 433 Anonymity Disallowed
• 436 Bad Identity-Info
• 437 Unsupported Certificate
• 438 Invalid Identity Header
• 480 Temporarily Unavailable
• 481 Call Leg/Transaction Does Not Exist
• 482 Loop Detected
• 483 Too Many Hops
• 484 Address Incomplete
• 485 Ambiguous
• 486 Busy Here
• 487 Request Terminated
• 488 Not Acceptable Here
• 489 Bad Event
• 491 Request Pending
• 493 Undecipherable (Could not decrypt S/MIME body part)
• 494 Security Agreement Required

Server Error SIP Responses – 5xx

The server failed to fulfill an apparently valid request.

• 500 Server Internal Error
• 501 Not Implemented (SIP request method is not implemented at the server)
• 502 Bad Gateway
• 503 Service Unavailable
• 504 Server Time-out
• 505 Version Not Supported (The server does not support the version of the SIP protocol used)
• 513 Message Too Large
• 580 Precondition Failure

Global Failure SIP Responses – 6xx

The request cannot be fulfilled at any server.

• 600 Busy Everywhere
• 603 Decline
• 604 Does Not Exist Anywhere
• 606 Not Acceptable

Benefits

• Store faxes electronically
• Reduce printing costs
• Share faxes via email

Requirements

• Server running Asterisk (32 bit compatibility needed)
• Fax for Asterisk Software Add-on

Step One: Get the Fax for Asterisk Software License

First, choose the licensing based on your needs. If you will only need to support 1 simultaneous fax “session,” you may be interested in the Free Fax For Asterisk License. Digium provides the Free Fax for Asterisk software at no cost, limited one per installation of Asterisk. You can combine the Free Fax for Asterisk license with the paid Fax for Asterisk licensing if you will need additional simultaneous fax sessions.

For example, you can download and install Free Fax for Asterisk providing your system one (1) fax session. If you find you need additional simultaneous sessions, simply purchase a paid license (currently $39.99 per session).

To get the Fax for Asterisk software, go to the Digium Store. Once “purchased” you will receive your license via email.

Step Two: Download and Install the Fax for Asterisk Software

Once you’ve received your license, there are many small steps needed to download, register, and install the software.

• Download and run the registration software (outgoing network traffic to TCP port 443 (SSL) must be allowed)

cd /root
wget http://downloads.digium.com/pub/register/x86-32/register
chmod 500 /root/register
/root/register

• Complete the registration
• Go to http://www.digium.com/en/docs/FAX/faa-download.php and discover which files to download
• Download both the res_fax and res_fax_digium files
• Untar the res_fax file and copy it to the source file directory (example res_fax-1.6.0_1.0.3-x86_32.tar.gz)

tar xzvf res_fax-1.6.0_1.0.3-x86_32.tar.gz
cp /root/res_fax-1.6.0_1.0.3-x86_32/res_fax.so /usr/lib/asterisk/modules

• Untar and install the res_fax_digium software (example res_fax_digium-1.6.0_1.0.3-pentium4m_32.tar.gz)

tar xzvf res_fax_digium-1.6.0_1.0.3-pentium4m_32.tar.gz
cp /root/res_fax_digium-1.6.0_1.0.3-pentium4m_32/res_fax_digium.so /usr/lib/asterisk/modules

• Make a directory for your fax files

mkdir /var/spool/asterisk/fax

Step Three: Test if the Software Installed Correctly

Restart asterisk and test if that the fax module has loaded:

asterisk -rx "restart now"
asterisk -r
*CLI> fax show stats

If the software installed successfully, you should see something similar to:

Fax Statistics:
---------------

Current Sessions     : 0
Transmit Attempts    : 0
Receive Attempts     : 0
Completed Faxes      : 0
Failed Faxes         : 0
*CLI>
Digium T.38
Licensed Channels    : 1
Max Concurrent       : 0
Success              : 0
Canceled             : 0
No Fax               : 0
Partial              : 0
Negotiation Failed   : 0
Train Failure        : 0
Protocol Error       : 0
IO Partial           : 0
IO Fail              : 0
*CLI>
Digium G.711
Licensed Channels    : 1
Max Concurrent       : 1
Success              : 0
Switched to T.38     : 0
Canceled             : 0
No Fax               : 0
Partial              : 0
Negotiation Failed   : 0
Train Failure        : 0
Protocol Error       : 0
IO Partial           : 0
IO Fail              : 0

Step Four: Make a dialplan

Make a dialplan that fits your needs. Here’s an example for sending and receiving:

[inboundfax]
exten => s,1,NoOp(**** FAX RECEIVED from ${CALLERID(num)} ${STRFTIME(${EPOCH},,%c)} ****)
exten => s,n,Set(FAXOPT(ecm)=yes)
exten => s,n,Set(FILENAME=fax-${STRFTIME(${EPOCH},,%Y%m%d-%H%M%S)})
exten => s,n,Set(FAXFILE=${FILENAME}.tif)
exten => s,n,Set(FAXOPT(ecm)=yes)
exten => s,n,Set(FAXOPT(headerinfo)=Received by MYCOMPANY ${STRFTIME(${EPOCH},,%Y-%m-%d %H:%M)})
exten => s,n,Set(FAXOPT(localstationid)=5555551212)
exten => s,n,Set(FAXOPT(maxrate)=14400)
exten => s,n,Set(FAXOPT(minrate)=2400)
exten => s,n,NoOp(FAXOPT(ecm) : ${FAXOPT(ecm)})
exten => s,n,NoOp(FAXOPT(headerinfo) : ${FAXOPT(headerinfo)})
exten => s,n,NoOp(FAXOPT(localstationid) : ${FAXOPT(localstationid)})
exten => s,n,NoOp(FAXOPT(maxrate) : ${FAXOPT(maxrate)})
exten => s,n,NoOp(FAXOPT(minrate) : ${FAXOPT(minrate)})
exten => s,n,NoOp(**** RECEIVING FAX : ${FAXFILE} ****)
exten => s,n,ReceiveFAX(/var/spool/asterisk/fax/${FAXFILE})
exten => s,n,Hangup()
exten => h,1,NoOp(FAXOPT(ecm) : ${FAXOPT(ecm)})

[outboundfax]
exten => s,1,NoOp(send a fax)
exten => s,n,Set(FAXOPT(filename)=${FAXFILE})
exten => s,n,Set(FAXOPT(ecm)=yes)
exten => s,n,Set(FAXOPT(headerinfo)=Fax from MYCOMPANY +1 555 555 1212)
exten => s,n,Set(FAXOPT(localstationid)=15555551212)
exten => s,n,Set(FAXOPT(maxrate)=14400)
exten => s,n,Set(FAXOPT(minrate)=2400)
exten => s,n,SendFAX(/tmp/${FAXFILE},d)
exten => h,1,NoOp(FAXOPT(ecm) : ${FAXOPT(ecm)})

Step Five: Test

How do you test? Simple point an incoming number to inboundfax,s,1 and watch the magic happen. Faxes will be saved to /var/spool/asterisk/fax/ in tiff format.

But Wait! There’s More!

Sure, you could stop there, but wouldn’t it be neat to automatically email the received fax in pdf format? Using an AGI script, you can simply convert the tiff file into pdf format, attach it to an email, and off it goes!

Now, there are literally a thousand ways to do this. You can write your AGI scripts in the programming language of your choice; every language has it’s pros and cons. In our example, we’re going to demonstrate this process using a Perl script.

Install the Pre-reqs

You will want to install ghostscript to help convert the graphic files. On a centos install, this is as easy as typing yum -y install ghostscript. If you are using a different build you can install how you like or download the code directly from http://www.ghostscript.com/.

For the Perl pre-reqs, you will want to install a few packages from CPAN (to send mail and use smtp authentication):

perl -MCPAN -e shell
install MIME::Lite
install MIME::Base64
install Authen::SASL

Next create your perl script. In this case, call it receivedfax.pl and place it in /var/lib/asterisk/agi-bin:

#!/usr/bin/perl
use strict;
use MIME::Lite;

my ($msg,$stdinresult);

# $ARGV[0] = msgfrom, $ARGV[1] = msgto, $ARGV[2] = cidnum, $ARGV[3] = filename,
chomp($stdinresult = );

if ($#ARGV != 3) {
	print qq(VERBOSE "FAIL: 4 Arguments needed" 2\n);
	chomp($stdinresult = );
	exit(0);
}

system("tiff2ps -a /var/spool/asterisk/fax/$ARGV[3].tif | ps2pdf13 -sPAPERSIZE=letter - > /var/spool/asterisk/fax/$ARGV[3].pdf");

$msg = MIME::Lite->new(
	From => "$ARGV[0]",
	To => "$ARGV[1]",
	Subject => "FAX from $ARGV[2]",
	Type => 'multipart/mixed'
);

$msg->attach(
	Type => 'TEXT',
	Data => "Greetings.\n\nYou have received a fax from $ARGV[2]. (attached)\n\nSincerely,\nCOMPANY NAME\n\n"
);

$msg->attach(
	Type => 'image/pdf',
	Path => "/var/spool/asterisk/fax/$ARGV[3].pdf",
	Filename => "$ARGV[3].pdf",
	Disposition => 'attachment'
);

MIME::Lite->send('smtp', 'SMTP.SERVER.COM', Timeout=>60,
	AuthUser=>'MAILUSER', AuthPass=>'PASSWORD');

$msg->send;

system("rm -f /var/spool/asterisk/fax/$ARGV[3].pdf");

#example: receivedfax.pl "asterisk@mydomain.com" "JohnDoe@mydomain.com" 55512345678 fax-20091115-170217

Then, modify your dialplan to run the AGI script:

[inboundfax]
exten => s,1,NoOp(**** FAX RECEIVED from ${CALLERID(num)} ${STRFTIME(${EPOCH},,%c)} ****)
exten => s,n,Set(FAXOPT(ecm)=yes)
exten => s,n,Set(FILENAME=fax-${STRFTIME(${EPOCH},,%Y%m%d-%H%M%S)})
exten => s,n,Set(FAXFILE=${FILENAME}.tif)
exten => s,n,Set(FAXOPT(ecm)=yes)
exten => s,n,Set(FAXOPT(headerinfo)=Received by MYCOMPANY ${STRFTIME(${EPOCH},,%Y-%m-%d %H:%M)})
exten => s,n,Set(FAXOPT(localstationid)=5555551212)
exten => s,n,Set(FAXOPT(maxrate)=14400)
exten => s,n,Set(FAXOPT(minrate)=2400)
exten => s,n,NoOp(FAXOPT(ecm) : ${FAXOPT(ecm)})
exten => s,n,NoOp(FAXOPT(headerinfo) : ${FAXOPT(headerinfo)})
exten => s,n,NoOp(FAXOPT(localstationid) : ${FAXOPT(localstationid)})
exten => s,n,NoOp(FAXOPT(maxrate) : ${FAXOPT(maxrate)})
exten => s,n,NoOp(FAXOPT(minrate) : ${FAXOPT(minrate)})
exten => s,n,NoOp(**** RECEIVING FAX : ${FAXFILE} ****)
exten => s,n,ReceiveFAX(/var/spool/asterisk/fax/${FAXFILE})
exten => s,n,Hangup()
exten => h,1,GotoIf($["${FAXOPT(ecm)}" = "no" ]?end)
exten => h,n,AGI(receivedfax.pl,from@domain.com,to@domain.com,${CALLERID(num)},${FILENAME})
exten => h,n(end),NoOp(FAXOPT(ecm) : ${FAXOPT(ecm)}) 

You can even create a similar script to transform a pdf into a tiff file and send via outbound fax:

#!/usr/bin/perl -w
use strict;
use warnings;
sub random_name_generator($);

# usage: faxout.pl number filename
# example: faxout.pl 5555551212 myfax.pdf

if ($#ARGV != 1) {
	print qq(FAIL: 2 Arguments needed\n);
	exit(0);
}

my ($callto,$pdfname,$callfile,$filename);

$callto = $ARGV[0];
$pdfname = $ARGV[1];

my $tifname = $pdfname;
$tifname =~ s/.pdf/.tif/i;

system("gs -q -dNOPAUSE -dBATCH -sDEVICE=tiffg4 -sOutputFile=$tifname $pdfname");

if ($callto) {
	$filename = &random_name_generator(12).".call";
	open (MYFILE, ">>/tmp/$filename") or die $!;
	$callfile = "Channel: Local/$callto\@outboundialcontext\n";
	$callfile = $callfile . "MaxRetries: 1\n";
	$callfile = $callfile . "RetryTime: 60\n";
	$callfile = $callfile . "WaitTime: 60\n";
	$callfile = $callfile . "Archive: yes\n";
	$callfile = $callfile . "Context: outboundfax\n";
	$callfile = $callfile . "Extension: s\n";
	$callfile = $callfile . "Priority: 1\n";
	$callfile = $callfile . "Set: FAXFILE=$tifname\n";
	print MYFILE $callfile;
	close (MYFILE);
	system("mv /tmp/$filename /var/spool/asterisk/outgoing");
}

sub random_name_generator($) {
	my ($namelength, $randomstring, @chars);
	$namelength = shift;
	@chars = ('a'..'z','A'..'Z','0'..'9');
	foreach (1..$namelength) {
		$randomstring .= $chars[rand @chars];
	}
	return $randomstring;
}

Happy Coding!

Human Resources Consulting

Strong Human resources policies and procedures provides a great defense against expensive lawsuits and complaints. Our professional HR Consultants use their experience and knowledge to evaluate your existing procedures and correct potential liability. From training to policy development, strong Human Resources policies provide a level of protection for both your employees and company.

We look forward to working with you and helping your business.

For more information about our new services, please visit the Human Resources page or contact us.

They wrote the article in a Billy Mays style:

Limited Time Offer – Skype for Asterisk Public Beta

Mozilla.com released details today on a critical JavaScript vulnerability in the latest version of the popular Firefox 3.5 Web Browser. The vulnerability allows execution of code on the client (or target) system simply by visiting a website.

No patch is currently available for the flaw and several organizations (such as Scurnia, The Sans Institute, and the United States Computer Emergency Response Team) are recommending the complete disabling of JavaScript in Firefox (see below). Additionally, The Sans Institute is recommending the use of the NoScript Firefox plugin (that enables javascript only from white-listed sites).

Additional information:

• Mozilla Security Blog Post
• Secunia.com Advisory
• United States Computer Emergency Response Team
• NoScript Plugin

How to Disable the Javascript Engine in Firefox:

1. Enter about:config in the browser’s location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content setting the value to false.

Mozilla advises that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure.  Once users have been received the security update containing the fix for this issue, they should restore the JIT repeating the process above and setting the javascript.options.jit.content value to true.

Update — 7/16/2009

Firefox has introduced version 3.5.1 to address the security risk, as posted on their developer blog:

Firefox 3.5.1 update is now available for download

As part of the Mozilla Corporation’s ongoing security and stability process, Firefox 3.5.1 is now available for Windows, Mac, and Linux users as a free download from www.firefox.com.

We strongly recommend that all Firefox 3.5 users upgrade to this latest release. If you already have Firefox 3.5, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.

For a list of changes and more information, please see the Firefox 3.5.1 release notes.

Please note: If you’re still using Firefox 2.0.0.x, this version is no longer supported and contains known security vulnerabilities. Please upgrade to Firefox 3.5 by downloading Firefox 3.5.1 from www.firefox.com.

This entry was posted by beltzner on Thursday, July 16th, 2009 at 6:34 pm.