Author Topic: Firefox 3.5 JavaScript 0-day vulnerability + Microsoft OfficeWeb ActiveX patch  (Read 1719 times)

0 Members and 1 Guest are viewing this topic.

Offline saratogaWX

  • Administrator
  • Forecaster
  • *****
  • Posts: 4413
  • Saratoga, CA, USA Weather - free PHP scripts
    • Saratoga-Weather.org
As reported in various security postings, there's a vulnerability in Firefox 3.5 in processing JavaScript that is yet unpatched, and exploit code has been posted.

See http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html for more info.

Meanwhile, I suggest that you follow Brian Krebs instructions below to mitigate this (if you are a Firefox 3.5 user)

Quote
Fortunately, there is a relatively easy fix for this that can be reversed once Mozilla issues a patch.
To disable the vulnerable component, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar.
In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content".
You should notice that beside that setting it reads "true," meaning the setting is enabled.
If you just double-click on that setting, it should disable it, changing the option to "false." That's it.

Note that making this change will slow down Javascript rendering in Firefox 3.5 to 3.0 speeds, but that may be a worthwhile trade-off for readers concerned about the availability of exploit code for this flaw.

Not to be outdone, Microsoft issued an update of Killbits to fix an IE ActiveX vulnerability that had active exploit code in the wild.  That fix is available on Microsoft/Windows Update.

Lets be careful out there...

Best regards,
Ken

Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis Vantage Pro Plus - FARS, Boltek-PCI/NexStorm, GRLevel3, WD, WL, VWS, Cumulus, Meteohub
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP

Offline Cienega32

  • Forecaster
  • *****
  • Posts: 2561
    • East Mesa Weather
Nice - thank you, Sir!

Pat ~ Davis VP2 6153-Weatherlink-Weather Display-StartWatch-VirtualVP-Win7 Pro-64bit
www.LasCruces-Weather.com   www.EastMesaWeather.com

Offline port1

  • Forecaster
  • *****
  • Posts: 667
Thanks, Ken.  :-)
Always good to have you watching our backs...especially us FireFox users.
Much obliged, sir!  =D>

Henry
KNYFLORA5
WMR968
VWS v14.00 p73
CoCoRaHS NY-NS-7
CWOP DW1891
SKYWARN 09-148

Offline saratogaWX

  • Administrator
  • Forecaster
  • *****
  • Posts: 4413
  • Saratoga, CA, USA Weather - free PHP scripts
    • Saratoga-Weather.org
You're welcome!

Active exploit (via SQL Injection attack) for the Microsoft vulnerability in OWC (ActiveX control) is in the wild now according to SANS Incident Center.  Make sure you've run Microsoft/Windows Update on your XP/Vista systems.

Edit: sorry.. had wrong link for SANS.  Now corrected.
« Last Edit: July 16, 2009, 01:11:08 PM by saratogaWX »
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis Vantage Pro Plus - FARS, Boltek-PCI/NexStorm, GRLevel3, WD, WL, VWS, Cumulus, Meteohub
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP

Offline port1

  • Forecaster
  • *****
  • Posts: 667
Did the Windows update too.
Thanks! 8-)

Henry
KNYFLORA5
WMR968
VWS v14.00 p73
CoCoRaHS NY-NS-7
CWOP DW1891
SKYWARN 09-148

Offline Mark / Ohio

  • Live from Mars!
  • Forecaster
  • *****
  • Posts: 2370
    • Fairfield County Weather
Thanks Ken for the heads up.   :grin:

Just made the changes on my laptop and run windows update last night on it.  Sounds like I should break down and reboot and patch the ole weather computer in the near future as well.
Mark 
2002 Davis VP I Wireless, WeatherLink (Serial), VWS, ImageSalsa, GRLevel3, VirtualVP, VPLive, StartWatch, Windows XP (SP3)


Offline TorH

  • Forecaster
  • *****
  • Posts: 405
    • Været på Fauske
I got my machines updated here, the killbits update came automatic for a few days ago here along with some others updates.
I always has the automatic updates on, to download, but to ask for installing. Then i have a little control over the updates from MS  :-|

Better safe, than sorry!
Davis Vantage PRO2 wireless
VWS V14.00 p103, WD ver.10.37N, WL 5.8.2, VVP.
WeatherFlash
DW1549
WeatherUnderground: INORDLAN14
Location: Fauske, Northern Norway. N 67°15'41", E 15°24'41"
http://bjornli.net                     

Offline ncpilot

  • Forecaster
  • *****
  • Posts: 922
    • Monkey Junction Weather
Marc
Wilmington, NC
"Monkey Junction Weather"
Davis VP2 wireless, WeatherLink

Offline saratogaWX

  • Administrator
  • Forecaster
  • *****
  • Posts: 4413
  • Saratoga, CA, USA Weather - free PHP scripts
    • Saratoga-Weather.org
And issued an update to Firefox 3.5.1 -- just use Help, Check for updates... to do the update.

After that, you can reverse the tweak in the first post to re-enable the JIT JavaScript function with it's improved performance.

about:config
search for jit
Doubleclick on the 'false' for javascript.options.jit.content (so it changes to 'true' again)

Best regards,
Ken

ref: http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
« Last Edit: July 17, 2009, 11:36:02 AM by saratogaWX »
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis Vantage Pro Plus - FARS, Boltek-PCI/NexStorm, GRLevel3, WD, WL, VWS, Cumulus, Meteohub
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP

Offline Garth Bock

  • Bloomington, Illinois Weather
  • Forecaster
  • *****
  • Posts: 1780
    • Twin City Weather
All the kiddie techs here at work were all enthused about 3.5 and I told them being new it might be good to wait awhile before recommending it to anyone at the university. I am still on 2.0. When I showed them the link about the vulnerability, they were all surprise. 

Davis VPro2,VWS,WL,VVP,WD,WDL,Cumulus,WV32,VPLive

Offline sam2004gp

  • Mount Crawford, Virginia
  • Forecaster
  • *****
  • Posts: 2810
  • Weeeeeeeee!!!!
    • Mount Crawford Weather, VA
Just installed the FF 3.5.1 update, I bet that fixes the vulnerability.
SAM --->>> http://www.mountcrawfordweather.org
OS WMR-968 with a Dedicated PWS Weather Computer running VWS v13.01 p09


Online SlowModem

  • Weather at the speed of dialup!
  • Forecaster
  • *****
  • Posts: 5814
  • WX @ 26.4 kbs
    • Watts Bar Weather - Ten Mile, TN
Just installed the FF 3.5.1 update, I bet that fixes the vulnerability.

So how does one prove a negative?  If it never happens, is it because of the fix?

 :roll:
Greg Whitehead
Ten Mile, TN

http://www.wattsbarweather.net


Online SlowModem

  • Weather at the speed of dialup!
  • Forecaster
  • *****
  • Posts: 5814
  • WX @ 26.4 kbs
    • Watts Bar Weather - Ten Mile, TN
Just installed the FF 3.5.1 update, I bet that fixes the vulnerability.

So how does one prove a negative?  If it never happens, is it because of the fix?

 :roll:

That about:config is a scary place.  It seems a person could really screw things up there if they tinkered too much in there.

Greg Whitehead
Ten Mile, TN

http://www.wattsbarweather.net


 

anything