Mozilla releases patch for JavaScript vulnerability

by Steve Ragan - Jul 17 2009, 09:10

By the time you read these lines, Firefox has an update it wants to install. Earlier this week, Secunia issued an advisory warning of a memory corruption vulnerability discovered in Firefox 3.5. Three days worth of testing later, Mozilla has pushed out Firefox 3.5.1, with a fix for this error as well as corrections for several other bugs.

“Firefox user zbyte reported a crash that we determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, such as escape(), the Just-in-Time (JIT) compiler could get into a corrupt state,” said Mozilla’s security advisory, adding that if the vulnerability was exploited it could be used by an attacker to run arbitrary code such as installing Malware.

Secunia warned of the flaw after a person going by the name SBerry released proof-of-code on Milw0rm. SBerry’s posted code exploits the way Firefox 3.5 processes JavaScript code when handling FONT tags in HTML.

The vulnerability was introduced in TraceMonkey, the JavaScript engine used in Firefox 3.5 that actually offers a decent speed boost to the browser. Oddly enough, TraceMonkey was already set to be patched this month by Mozilla, as bugs in the newest engine were listed in a July 1 meeting as the sole topcrash issue for Firefox 3.5. In other words, while vulnerabilities like this are horrible, this one came at a perfect time as developers were already giving TraceMonkey a thorough cleaning.

Before this patch was released, the general advice, started by Washington Post reporter Brian Krebs, was to disable "javascript.options.jit.content" in about:config.

You can download Firefox 3.5.1 now from the normal places. Existing users should use the automatic update feature, but the odds are that it’s already downloaded and you just need a browser restart to apply it.

Around the Web