
Firefox Update Plugs Critical Security Hole

Mozilla has pushed out an update to Firefox 3.5 to plug a critical security hole that Security Fix warned about this week. According to the SANS Internet Storm Center, there have been reports of public exploits for this flaw being used in the wild.

The update brings Firefox 3.5 to version 3.5.1, and can be installed by selecting "Help" and then "Check for Updates" (3.5 users may also have the update auto-installed upon restarting the browser). This update appears to fix a number of other stability and security issues as well.

If you took my advice to blunt the threat from the public exploit for this flaw, take a moment to undo the setting you changed earlier. That's because my advice was to disable the vulnerable component -- TraceMonkey -- which dramatically speeds up the rendering of JavaScript in Web pages, and is among the most-touted improvements in Firefox 3.5.

To do this, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar. In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content". If you took my advice earlier and disabled this component, you should notice that beside that setting it reads "false," meaning the setting is disabled. If you just double-click on that setting, it should re-enable it, changing the option to "true."
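
For anyone who applied the workaround on more than one machine, the same check can be run against a profile's prefs.js file instead of clicking through about:config. This is an added example, not part of the original post; the function names and the sample file contents are constructed for illustration, and the version string is assumed to be a Firefox 3.5.x value supplied by the caller.

```python
import re

PREF = "javascript.options.jit.content"  # pref name as given in the post

# Matches one prefs.js entry: user_pref("name", value);
_ENTRY = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        match = _ENTRY.match(line)
        if not match:
            continue  # comments, blank lines, anything unrecognised
        name, raw = match.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep unparsed values verbatim
    return prefs


def recommendation(prefs_text, version):
    """Advise on the workaround for a Firefox 3.5.x profile (assumed input).

    A pref left at its default is not written to prefs.js, so only an
    explicit `false` entry means the workaround is still in place.
    """
    disabled = parse_prefs(prefs_text).get(PREF) is False
    patched = tuple(int(p) for p in version.split(".")) >= (3, 5, 1)
    if not disabled:
        return "nothing to undo"
    return "re-enable the JIT" if patched else "update to 3.5.1 first"


# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://example.com/");
user_pref("javascript.options.jit.content", false);
user_pref("browser.cache.disk.capacity", 51200);
'''

if __name__ == "__main__":
    for ver in ("3.5", "3.5.1"):
        print(ver, "->", recommendation(SAMPLE_PREFS, ver))
```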

Got a question about security, privacy, or anything tech-related? Join me for Security Fix Live, a live online discussion that I'll be hosting at 11 a.m. ET today.

By Brian Krebs  |  July 17, 2009; 9:55 AM ET
Categories:  New Patches , Safety Tips  | Tags: 0day, firefox 3.5, tracemonkey  

Comments

Thanks for your earlier advice and for this reminder. I came over here to see if you confirmed the fix had been made in the 3.5.1 update.

Posted by: stimb | July 17, 2009 2:14 PM

The Help | Check for Updates menu item is grayed out in my Firefox; perhaps because I'm running in Vista and I'm not the Admin. Rats, gotta login as Admin...

Posted by: mcswell | July 17, 2009 10:25 PM

What about Firefox 3.0 (specifically, 3.0.11)? Can I still run that securely or do I have to upgrade to 3.5.1?

Posted by: grant5 | July 18, 2009 8:23 AM

Avoid Firefox 3.5. FF 3.5 is a mess. Lost the right-mouse button and spell check. Caution advised.

Posted by: tchtic | July 18, 2009 11:56 AM

Mozilla should not be pushing 3.5 as an upgrade from 3.0. Many corporate web sites are only tested and certified on 3.0. Say what you will about compatibility, but the certification process often reveals subtle browser bugs that must be compensated for on the server. Newer browsers may or may not suffer from these problems, and may or may not behave correctly.

Make sure all your web sites work with 3.5 before you commit yourself (and your organization) to it.

Posted by: frantaylor | July 18, 2009 8:43 PM

Mozilla has had a lot of problems with the entire v3 release. They pushed 3.5 which eliminated a lot of the problems... now it turns out they have a hole to patch. Still a heck of a lot safer than IE (also check out mozilla.org for Thunderbird alternative to the unsafe Outlook).

Posted by: kkrimmer | July 18, 2009 9:37 PM

What about Firefox 3.0 (specifically, 3.0.11)? Can I still run that securely or do I have to upgrade to 3.5.1?

Posted by: grant5 | July 18, 2009 8:23 AM

I'm running Vista and Ubuntu (Linux) on the same laptop. So, I have the ver. 3.0.11 maintained by mentioned above.

Same question, but I thought you might like the background ...

Posted by: gannon_dick | July 20, 2009 10:29 AM

Impressive turnaround for 3.5.1!!! I've not seen reports of problems with 3.5.1, are folk here seeing the same?

I ask because we advised our customers to delay implementation of 3.5.1 for a little while to see how it fares, given how rapidly it was cranked out.

BTW, AppGuard and EdgeGuard users, you do not need the 3.5.1 patch to be protected from an attack on the vulnerability in Firefox 3.5. More here on that point:

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/mozilla-firefox-zero-day-exploit-attack-july-2009-protect-antivirus

Likewise, you're good for the Microsoft ActiveX attacks too:

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/attack-exploit-internet-explorer-video-activex-windows-xp-antivirus-fails

BTW, the actual attacks on these web browsers tend to be drive-by download attacks. I wrote the following regarding inability of a limited user account (LUA) in Windows to protect a computer from a drive-by download attack:

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/limited-user-account-does-not-protect-from-drive-by-download-attack

Posted by: eiverson1 | July 20, 2009 12:26 PM

eiverson1's posts read like ads for his blog.

Posted by: Heron | July 21, 2009 12:41 PM

The comments to this entry are closed.


© 2010 The Washington Post Company