For more information, check out the post at VoIP Tech Chat.

Mozilla.com released details today on a critical JavaScript vulnerability in the latest version of the popular Firefox 3.5 Web Browser. The vulnerability allows execution of code on the client (or target) system simply by visiting a website.

No patch is currently available for the flaw and several organizations (such as Scurnia, The Sans Institute, and the United States Computer Emergency Response Team) are recommending the complete disabling of JavaScript in Firefox (see below). Additionally, The Sans Institute is recommending the use of the NoScript Firefox plugin (that enables javascript only from white-listed sites).

Additional information:

• Mozilla Security Blog Post
• Secunia.com Advisory
• United States Computer Emergency Response Team
• NoScript Plugin

How to Disable the Javascript Engine in Firefox:

1. Enter about:config in the browser’s location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content setting the value to false.

Mozilla advises that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure.  Once users have been received the security update containing the fix for this issue, they should restore the JIT repeating the process above and setting the javascript.options.jit.content value to true.

Update — 7/16/2009

Firefox has introduced version 3.5.1 to address the security risk, as posted on their developer blog:

Firefox 3.5.1 update is now available for download

As part of the Mozilla Corporation’s ongoing security and stability process, Firefox 3.5.1 is now available for Windows, Mac, and Linux users as a free download from www.firefox.com.

We strongly recommend that all Firefox 3.5 users upgrade to this latest release. If you already have Firefox 3.5, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.

For a list of changes and more information, please see the Firefox 3.5.1 release notes.

Please note: If you’re still using Firefox 2.0.0.x, this version is no longer supported and contains known security vulnerabilities. Please upgrade to Firefox 3.5 by downloading Firefox 3.5.1 from www.firefox.com.

This entry was posted by beltzner on Thursday, July 16th, 2009 at 6:34 pm.