saratogaWX
« on: July 15, 2009, 04:48:27 PM »
As reported in various security postings, there's a vulnerability in Firefox 3.5 in processing JavaScript that is yet unpatched, and exploit code has been posted. See http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html for more info.

Meanwhile, I suggest that you follow Brian Krebs' instructions below to mitigate this (if you are a Firefox 3.5 user):

Fortunately, there is a relatively easy fix for this that can be reversed once Mozilla issues a patch. To disable the vulnerable component, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar. In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content". You should notice that beside that setting it reads "true," meaning the setting is enabled. If you just double-click on that setting, it should disable it, changing the option to "false." That's it.

Note that making this change will slow down Javascript rendering in Firefox 3.5 to 3.0 speeds, but that may be a worthwhile trade-off for readers concerned about the availability of exploit code for this flaw.

Not to be outdone, Microsoft issued an update of Killbits to fix an IE ActiveX vulnerability that had active exploit code in the wild. That fix is available on Microsoft/Windows Update.

Let's be careful out there...

Best regards,
Ken

Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis Vantage Pro Plus - FARS, Boltek-PCI/NexStorm, GRLevel3, WD, WL, VWS, Cumulus, Meteohub
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP

Cienega32
« Reply #1 on: July 16, 2009, 01:39:28 AM »
Nice - thank you, Sir!

port1
« Reply #2 on: July 16, 2009, 02:18:10 AM »
Thanks, Ken. Always good to have you watching our backs... especially us Firefox users. Much obliged, sir!

Henry

KNYFLORA5 WMR968 VWS v14.00 p73 CoCoRaHS NY-NS-7 CWOP DW1891 SKYWARN 09-148

saratogaWX
« Reply #3 on: July 16, 2009, 11:20:11 AM »
You're welcome!

Active exploit (via SQL Injection attack) for the Microsoft vulnerability in OWC (ActiveX control) is in the wild now according to SANS Incident Center. Make sure you've run Microsoft/Windows Update on your XP/Vista systems.

Edit: sorry.. had wrong link for SANS. Now corrected.

« Last Edit: July 16, 2009, 01:11:08 PM by saratogaWX »

Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis Vantage Pro Plus - FARS, Boltek-PCI/NexStorm, GRLevel3, WD, WL, VWS, Cumulus, Meteohub
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP

port1
« Reply #4 on: July 16, 2009, 06:04:19 PM »
Did the Windows update too. Thanks!

Henry

KNYFLORA5 WMR968 VWS v14.00 p73 CoCoRaHS NY-NS-7 CWOP DW1891 SKYWARN 09-148

Mark / Ohio
« Reply #5 on: July 16, 2009, 10:03:10 PM »
Thanks Ken for the heads up. Just made the changes on my laptop and ran Windows Update last night on it. Sounds like I should break down and reboot and patch the ole weather computer in the near future as well.

Mark 2002 Davis VP I Wireless, WeatherLink (Serial), VWS, ImageSalsa, GRLevel3, VirtualVP, VPLive, StartWatch, Windows XP (SP3)

TorH
« Reply #6 on: July 17, 2009, 04:25:07 AM »
I got my machines updated here, the killbits update came automatically a few days ago here along with some other updates. I always have the automatic updates on, to download, but to ask before installing. Then I have a little control over the updates from MS. Better safe than sorry!

Davis Vantage PRO2 wireless VWS V14.00 p103, WD ver.10.37N, WL 5.8.2, VVP. WeatherFlash DW1549 WeatherUnderground: INORDLAN14 Location: Fauske, Northern Norway. N 67°15'41", E 15°24'41" http://bjornli.net

ncpilot
« Reply #7 on: July 17, 2009, 09:20:12 AM »
Marc Wilmington, NC "Monkey Junction Weather" Davis VP2 wireless, WeatherLink

saratogaWX
« Reply #8 on: July 17, 2009, 11:31:30 AM »
And issued an update to Firefox 3.5.1 -- just use Help, Check for updates... to do the update. After that, you can reverse the tweak in the first post to re-enable the JIT JavaScript function with its improved performance.

about:config
search for jit
Double-click on the 'false' for javascript.options.jit.content (so it changes to 'true' again)

Best regards,
Ken

ref: http://www.mozilla.org/security/announce/2009/mfsa2009-41.html

« Last Edit: July 17, 2009, 11:36:02 AM by saratogaWX »

Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis Vantage Pro Plus - FARS, Boltek-PCI/NexStorm, GRLevel3, WD, WL, VWS, Cumulus, Meteohub
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP
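
An added example, not part of any post in this thread: a Python check of a Firefox profile's preference files for the workaround from the first post and its reversal in Reply #8. It assumes the setting is stored as a `user_pref(...)` line in prefs.js or user.js, that user.js takes precedence, and that an unset preference means the default of true; the function names and sample data are constructed for illustration.

```python
import re

PREF = "javascript.options.jit.content"
# Matches lines such as: user_pref("javascript.options.jit.content", false);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.MULTILINE)

def read_bool_pref(text, name):
    """Return the last boolean value set for `name` in a prefs file, or None."""
    value = None
    for key, raw in PREF_RE.findall(text):
        if key == name:
            value = (raw == "true")  # a later line overrides an earlier one
    return value

def jit_enabled(prefs_js, user_js=""):
    """Effective setting: user.js wins over prefs.js; unset means default true."""
    for text in (user_js, prefs_js):
        value = read_bool_pref(text, PREF)
        if value is not None:
            return value
    return True

def parse_version(version):
    return tuple(int(part) for part in version.split("."))

def assess(version, prefs_js, user_js=""):
    """Classify a profile against the advice in the thread (3.5 vs 3.5.1)."""
    v = parse_version(version)
    enabled = jit_enabled(prefs_js, user_js)
    if (3, 5) <= v < (3, 5, 1):
        if enabled:
            return "exposed: set pref to false or update to 3.5.1"
        return "mitigated"
    if v >= (3, 5, 1) and not enabled:
        return "patched: pref can be set back to true"
    return "ok"  # versions before 3.5 are outside what the thread covers

# Constructed sample of a prefs.js with the workaround applied.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", false);
'''

if __name__ == "__main__":
    for ver in ("3.5", "3.5.1"):
        print(ver, "->", assess(ver, SAMPLE_PREFS))
```
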

Garth Bock
« Reply #9 on: July 17, 2009, 02:49:48 PM »
All the kiddie techs here at work were all enthused about 3.5 and I told them being new it might be good to wait awhile before recommending it to anyone at the university. I am still on 2.0. When I showed them the link about the vulnerability, they were all surprised.

Davis VPro2,VWS,WL,VVP,WD,WDL,Cumulus,WV32,VPLive

sam2004gp
« Reply #10 on: July 17, 2009, 06:51:40 PM »
Just installed the FF 3.5.1 update, I bet that fixes the vulnerability.

SlowModem
« Reply #11 on: July 17, 2009, 07:00:44 PM »
Just installed the FF 3.5.1 update, I bet that fixes the vulnerability.
So how does one prove a negative? If it never happens, is it because of the fix?

SlowModem
« Reply #12 on: July 18, 2009, 01:24:59 AM »
Just installed the FF 3.5.1 update, I bet that fixes the vulnerability.
So how does one prove a negative? If it never happens, is it because of the fix?
That about:config is a scary place. It seems a person could really screw things up there if they tinkered too much in there.