Network News

X My Profile
View More Activity

Stopgap Fix for Critical Firefox 3.5 Security Hole

Instructions showing hackers how to exploit an unpatched, critical security hole in Mozilla's new Firefox 3.5 Web browser have been posted online. So, until Mozilla can ship an update to quash this bug, Security Fix is posting instructions to help readers protect themselves from this vulnerability.

The security hole has to do with a flaw in the way Firefox 3.5 handles Javascript, a powerful programming language heavily used on popular Web sites. Specifically, the vulnerability was introduced with the addition of the Tracemonkey, a new feature in 3.5 that is designed to dramatically speed up the rendering of Javascript.

Vulnerability watcher Secunia rates this flaw "highly critical," noting that it is the type of flaw that criminals could use to remotely install rogue software, merely by convincing users to visit a hacked or booby-trapped Web site.

Fortunately, there is a relatively easy fix for this that can be reversed once Mozilla issues a patch. To disable the vulnerable component, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar. In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content". You should notice that beside that setting it reads "true," meaning the setting is enabled. If you just double-click on that setting, it should disable it, changing the option to "false." That's it.

Note that making this change will slow down Javascript rendering in Firefox 3.5 to 3.0 speeds, but that may be a worthwhile trade-off for readers concerned about the availability of exploit code for this flaw.

By Brian Krebs  |  July 14, 2009; 11:25 AM ET
Categories:  Latest Warnings , New Patches , Safety Tips  | Tags: 0day, exploit, firefox 3.5  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft: Newly Discovered MS Office/IE Flaw
Next: Microsoft Patches Nine Security Flaws


OK, Brian. I entered about:config in the browser list. No filter box, but it came up with a long list, one of which was the jit. I dblclkd and it went to false. Very easy, any clue as to when there'll be a patch?

Posted by: jimbo1949 | July 14, 2009 11:56 AM | Report abuse

@Jimbo - Probably fairly soon on the patch. Mozilla is aware of the exploit code of course, and usually acts pretty nimbly in such cases.

Re: about:config: the long white "filter" form should extend almost the length of the browser window, directly below where Firefox's tabs appear.

Posted by: BTKrebs | July 14, 2009 12:00 PM | Report abuse

If you're running NoScript in FF 3.5, is that enough?

Posted by: WashingtonDame | July 14, 2009 12:20 PM | Report abuse

It is possible that noscript would protect against this vulnerability. But then again, we all know you have to enable Javascript on some sites, otherwise they won't work. If that site you trust to run JS is hacked, it's game over.

I'm not trying to say the sky is falling, here, because I'm not aware of any sites using this vulnerability yet. Just trying to answer your question.

Posted by: BTKrebs | July 14, 2009 12:28 PM | Report abuse

I followed the instructions but I do not seem to have that Javascript line. The only Javascript options I have listed are: relimit, showInConsole, and strict.

Am I missing it and if so is that good?

Posted by: rcasarez | July 14, 2009 12:50 PM | Report abuse

Bah! Nevermind, thank you for the help. I forgot I still have FF 3.0 at work.

Posted by: rcasarez | July 14, 2009 12:52 PM | Report abuse

Hm, got the long list but don't see any "jit", now what ?

Posted by: trawler | July 14, 2009 12:53 PM | Report abuse

You'll remind us to roll this back when the batch comes out? 'Cause otherwise, I'll never remember... :)

Posted by: news5 | July 14, 2009 1:00 PM | Report abuse

Err, patch, that is....

Posted by: news5 | July 14, 2009 1:01 PM | Report abuse

@trawler -- are you sure you're using FF3.5? Check Help, About FF

Posted by: BTKrebs | July 14, 2009 1:06 PM | Report abuse

Dear Brian,
Re: Stopgap Fix for Critical Firefox 3.5 Security Hole

I've followed your instructions about making "javascript.options.jit.content false. Am I still vulnerable?

I also have noscript, but would I be better off disabling Javascript until I get to a site that I "trust" and then disabling it again after I leave that site?

I'm also curious if this vulnerability affects all operating systems such as Linux, Mac os x and windows.

Thank you

Posted by: securequest | July 14, 2009 1:08 PM | Report abuse

Brian, the part of this post referring to the MS flaw contains this instruction:

"Affected users can grab an interim fix from Redmond that disables the vulnerable component, by visiting this link, clicking the "Fix It" icon under "Enable workaround," and following the installation prompts from there. Microsoft says it is working on an official patch to plug the flaw."

Not correct; there is no "Fix It" icon at this link and no clear path to an interim fix of any kind...

Posted by: realworld51 | July 14, 2009 1:34 PM | Report abuse

Oops, sorry, posted in wrong thread.

Posted by: realworld51 | July 14, 2009 1:36 PM | Report abuse

Does this vulnerability affect all operating systems, or just Windows?

Posted by: Gallenod | July 14, 2009 2:41 PM | Report abuse

Thanks for the heads up, Brian, I'm running 3.0.11. I'm about as cyber savvy as 2 day old road kill.

Posted by: trawler | July 14, 2009 2:58 PM | Report abuse

MS is a little confused today in shipping patches on Patch Tuesday. They claim in one statement to have fixed this flaw with an official patch, but that is not the case, from what I can tell looking at today's advisories. I have asked Microsoft where the "Fix It" icon/instructions have gone and when they'll be put back. Will let you know when/if I get a response.

Posted by: BTKrebs | July 14, 2009 2:59 PM | Report abuse

@Gallenrod: The exploit released this week to attack this vulnerability is designed to work on Windows systems. The vulnerability in Firefox 3.5 I extends across all of the
OS platforms Mozilla supports (so, OS X, et. al)

Posted by: BTKrebs | July 14, 2009 3:16 PM | Report abuse

For what it's worth, I've been running Firefox 3.5 with the work-around (on Ubuntu Linux 8.04) for about three hours now. The slow-down in JavaScript is perceptible on JS-intensive sites, but it's certainly not a show-stopper, IMO.

Has anyone seen any "official" comments from Mozilla on this?

Posted by: richg74 | July 14, 2009 3:58 PM | Report abuse

To answer my own question, there is a post on the Mozilla Security blog on this:

Posted by: richg74 | July 14, 2009 4:44 PM | Report abuse

A long and winding road today.
Fixed and unfixed Firefox because between it, and, I assume, all the windows updates, half my programs would not work.
Windows hotmail froze, Secunia had to be uninstalled and reinstalled, Yahoo mail wouldn't accept sign-in, etc.
Thanks to Brian for staying with me. Just hoping I can be carefull enough browsing to stay afloat.

Posted by: djtscoop | July 14, 2009 6:12 PM | Report abuse


Hard to see that : in the article.

Posted by: | July 15, 2009 5:55 AM | Report abuse

Thanks for posting this important information, Brian ! I assume that, as always, you'll stay on top of the matter and post back as soon as the good folks at Mozilla have released a patch. In the meantime, it might not be a bad idea for readers who've been waiting to test the Google Chrome browser to take this as a signal to dip their toes in the water....


Posted by: mhenriday | July 15, 2009 11:28 AM | Report abuse

The other workaround is to stick with Firefox version 3. I generally avoid major version increments until after several updates have come out. I'm waiting for v3.5.0.6 or so, before going to version 3.5

You can get older versions of browsers from

Posted by: taskforceken | July 15, 2009 4:16 PM | Report abuse

At least we know of the vulnerability/exploit so those without security software that blocks these attacks can implement workarounds:

Posted by: eiverson1 | July 15, 2009 4:35 PM | Report abuse

I want to thank Brian Krebs for being so up to date on security issues that seem to arise daily. I depend on my Technology page e-mails to help me stay secure. I trust your advice.

Posted by: pfedup | July 15, 2009 5:25 PM | Report abuse

Brian, I have no idea what I just did but your instructions were perfect. Thanks for your work.

Posted by: MatterLaw | July 15, 2009 8:41 PM | Report abuse


Is this issue resolved in the 3.5.1 release that just came out? It's hard to tell from looking at the release notes.

Posted by: dstark001 | July 17, 2009 9:47 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company