Zero-day flaw found in Firefox 3.5

Summary: The critical vulnerability in the two-week-old version of the browser opens users up to drive-by attacks, Mozilla has warned

There is a critical JavaScript vulnerability in the Firefox 3.5 web browser, Mozilla has warned.

The zero-day flaw lies in Firefox 3.5's just-in-time (JIT) JavaScript compiler. Proof-of-concept code to exploit the vulnerability has been posted online by a security research group, Mozilla said in a post on its security blog on Wednesday. Security company Secunia rated the vulnerability as 'highly critical' on Wednesday.

The hole could allow a hacker to launch a 'drive-by' attack, according to Mozilla. That means an attacker may be able to execute malicious code on a target machine, if the victim visits a website containing an exploit.

No patch is currently available, but Mozilla developers are working on a fix. A workaround suggested in the blog post is to disable the Firefox 3.5 JIT compiler. However, Mozilla warned this would result in decreased JavaScript performance in Firefox.
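Mozilla's workaround amounts to flipping one about:config preference. The script below is an added example, not code from the article or from Mozilla: it audits a Firefox profile's user.js for that setting and appends the override if it is missing, which is the kind of check an administrator would run across profiles before the fix ships. It assumes the preference name javascript.options.jit.content (the Firefox 3.5 content-JIT switch, which the article itself does not name) and uses a constructed temporary profile file for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or Mozilla): audit and apply the
# Firefox 3.5 JIT workaround in a profile's user.js.
# Assumption: the content JIT is controlled by the preference
# javascript.options.jit.content; the profile path below is constructed.

# jit_state FILE -> prints "disabled", "enabled" or "default"
# "default" means the pref is absent, and Firefox 3.5 ships with the JIT on,
# so "default" is just as exposed as "enabled".
jit_state() {
  f="$1"
  [ -f "$f" ] || { echo "default"; return 0; }
  # the last matching line wins, which is how Firefox reads duplicate prefs
  line=$(grep -E '^user_pref\("javascript\.options\.jit\.content",' "$f" | tail -n 1)
  case "$line" in
    *false*) echo "disabled" ;;
    *true*)  echo "enabled" ;;
    *)       echo "default" ;;
  esac
}

# apply_workaround FILE -> appends the override unless already disabled,
# then prints the resulting state
apply_workaround() {
  f="$1"
  if [ "$(jit_state "$f")" != "disabled" ]; then
    printf 'user_pref("javascript.options.jit.content", false);\n' >> "$f"
  fi
  jit_state "$f"
}

# Constructed demo profile: a user.js that does not mention the JIT at all.
demo_dir=$(mktemp -d)
demo_prefs="$demo_dir/user.js"
printf 'user_pref("browser.startup.homepage", "about:blank");\n' > "$demo_prefs"
echo "before: $(jit_state "$demo_prefs")"
echo "after:  $(apply_workaround "$demo_prefs")"
rm -rf "$demo_dir"
```

Point the functions at the real user.js inside a Firefox profile directory to audit it; Firefox only reads user.js at startup, so the browser has to be restarted for the change to take effect, and the performance cost Mozilla mentions applies until the setting is reverted after the patch.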

The JIT compiler is part of TraceMonkey, the JavaScript engine added to Firefox in the 3.5 update released at the end of June. TraceMonkey is meant to optimise JavaScript execution, making the browser faster than previous versions of Firefox, according to Mozilla.

On Wednesday, the US Computer Emergency Response Team said users and administrators should completely disable JavaScript functionality in Firefox 3.5.

The SANS Institute also said people could disable JavaScript, and suggested using NoScript, an open-source Firefox plug-in that only allows scripts to run on websites the user has marked as trusted.

Tom Espiner

Talkback

2 comments
  • Zero-day flaw found in Firefox 3.5

    Is this only on Windows-based machines, or does it affect Linux also?
    ator1940
  • Vulnerable OSs

    Hi Ator,

    According to Bugzilla https://bugzilla.mozilla.org/show_bug.cgi?id=503286, at the time of writing vulnerable operating systems included Vista, XP, and OS X. I couldn't see any references to Linux there, but you might want to have a bit more of a dig.
    Tom Espiner