WXforum.net

Miscellaneous Debris => Tech Corner => Topic started by: saratogaWX on July 15, 2009, 04:48:27 PM

Title: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: saratogaWX on July 15, 2009, 04:48:27 PM
As reported in various security postings, there's a vulnerability in Firefox 3.5 in processing JavaScript that is yet unpatched, and exploit code has been posted.

See http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html for more info.

Meanwhile, I suggest that you follow Brian Krebs' instructions below to mitigate this (if you are a Firefox 3.5 user).

Quote
Fortunately, there is a relatively easy fix for this that can be reversed once Mozilla issues a patch.
To disable the vulnerable component, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar.
In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content".
You should notice that beside that setting it reads "true," meaning the setting is enabled.
If you just double-click on that setting, it should disable it, changing the option to "false." That's it.

Note that making this change will slow down Javascript rendering in Firefox 3.5 to 3.0 speeds, but that may be a worthwhile trade-off for readers concerned about the availability of exploit code for this flaw.

Not to be outdone, Microsoft issued an update of Killbits to fix an IE ActiveX vulnerability (http://www.microsoft.com/technet/security/advisory/973472.mspx) that had active exploit code in the wild.  That fix is available on Microsoft/Windows Update.

Let's be careful out there...

Best regards,
Ken

Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: Cienega32 on July 16, 2009, 01:39:28 AM
Nice - thank you, Sir!
Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: port1 on July 16, 2009, 02:18:10 AM
Thanks, Ken.  :-)
Always good to have you watching our backs...especially us Firefox users.
Much obliged, sir!  =D>

Henry
Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: saratogaWX on July 16, 2009, 11:20:11 AM
You're welcome!

Active exploit (via SQL Injection attack) for the Microsoft vulnerability in OWC (ActiveX control) is in the wild now according to SANS Incident Center (http://isc.sans.org/diary.html?storyid=6811&rss).  Make sure you've run Microsoft/Windows Update on your XP/Vista systems.

Edit: sorry.. had wrong link for SANS.  Now corrected.
Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: port1 on July 16, 2009, 06:04:19 PM
Did the Windows update too.
Thanks! 8-)

Henry
Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: Mark / Ohio on July 16, 2009, 10:03:10 PM
Thanks Ken for the heads up.   :grin:

Just made the changes on my laptop and ran Windows Update last night on it.  Sounds like I should break down and reboot and patch the ole weather computer in the near future as well.
Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: TorH on July 17, 2009, 04:25:07 AM
I got my machines updated here; the killbits update came automatically a few days ago here along with some other updates.
I always have automatic updates on, set to download but to ask before installing. Then I have a little control over the updates from MS  :-|

Better safe than sorry!
Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX pat
Post by: ncpilot on July 17, 2009, 09:20:12 AM
Mozilla issued a patch yesterday...

http://news.cnet.com/8301-1009_3-10289205-83.html?tag=newsEditorsPicksArea.0

Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: saratogaWX on July 17, 2009, 11:31:30 AM
And issued an update to Firefox 3.5.1 -- just use Help, Check for updates... to do the update.

After that, you can reverse the tweak in the first post to re-enable the JIT JavaScript function with its improved performance.

about:config
search for jit
Double-click on the 'false' for javascript.options.jit.content (so it changes to 'true' again)

Best regards,
Ken

ref: http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
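
Added example (not part of any post in this thread, and not Mozilla's code): a small Python check that reads a Firefox profile's prefs.js and user.js text and reports whether the javascript.options.jit.content mitigation from the first post is still in place or has been reversed as described above. The sample file contents are constructed, and the default of "true" is an assumption taken from the quoted instructions.

```python
import re

PREF = "javascript.options.jit.content"  # pref name given in the thread

# Firefox stores user-set prefs as lines of the form: user_pref("name", value);
# Lines commented out with // or # do not match because of the ^ anchor.
BOOL_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.M)

def read_pref(text, name=PREF):
    """Return the last boolean set for `name` in a prefs file body, or None."""
    value = None
    for key, raw in BOOL_PREF_RE.findall(text):
        if key == name:
            value = (raw == "true")
    return value

def jit_status(prefs_js, user_js="", default=True):
    """Effective setting. user.js is applied over prefs.js at startup;
    with no entry in either file the default applies (assumed true)."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = read_pref(text)
        if value is not None:
            return {"enabled": value, "source": source}
    return {"enabled": default, "source": "default"}

def audit(profiles):
    """profiles: {name: (prefs_js_text, user_js_text)} -> sorted report rows."""
    rows = []
    for name, (prefs_js, user_js) in sorted(profiles.items()):
        st = jit_status(prefs_js, user_js)
        state = "JIT on" if st["enabled"] else "JIT off (mitigated)"
        rows.append((name, state, st["source"]))
    return rows

# Constructed sample file bodies, not taken from a real profile.
MITIGATED = ('# Mozilla User Preferences\n'
             'user_pref("browser.startup.homepage", "http://example.org/");\n'
             'user_pref("javascript.options.jit.content", false);\n')
REVERTED = ('# Mozilla User Preferences\n'
            '// user_pref("javascript.options.jit.content", false);\n'
            'user_pref("browser.startup.homepage", "http://example.org/");\n')
PINNED_OFF = 'user_pref("javascript.options.jit.content", false);\n'

if __name__ == "__main__":
    sample = {"laptop": (MITIGATED, ""), "weather-pc": (REVERTED, ""),
              "kiosk": (REVERTED, PINNED_OFF)}
    for row in audit(sample):
        print("%-12s %-22s set by %s" % row)
```

A user.js entry is re-applied on every start, so a machine pinned that way stays at "false" after the 3.5.1 update until the line is removed.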
Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX pat
Post by: Garth Bock on July 17, 2009, 02:49:48 PM
All the kiddie techs here at work were all enthused about 3.5 and I told them being new it might be good to wait awhile before recommending it to anyone at the university. I am still on 2.0. When I showed them the link about the vulnerability, they were all surprised.
Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: sam2004gp on July 17, 2009, 06:51:40 PM
Just installed the FF 3.5.1 update, I bet that fixes the vulnerability.
Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: SlowModem on July 17, 2009, 07:00:44 PM
Just installed the FF 3.5.1 update, I bet that fixes the vulnerability.

So how does one prove a negative?  If it never happens, is it because of the fix?

 :roll:
Title: Re: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch
Post by: SlowModem on July 18, 2009, 01:24:59 AM
Just installed the FF 3.5.1 update, I bet that fixes the vulnerability.

So how does one prove a negative?  If it never happens, is it because of the fix?

 :roll:

That about:config is a scary place.  It seems a person could really screw things up there if they tinkered too much in there.