JITter Bug

Bugs are a fact of life in the technology world, and the Open Source community is no exception. What is exceptional, however, is the open way these vulnerabilities are handled, as the developers behind Mozilla's Firefox browser have aptly demonstrated.

Two weeks ago, Mozilla was celebrating the triumphant release of the much-delayed Firefox 3.5. The browser brings its users a pantheon of new features, with perhaps the most celebrated being the TraceMonkey JavaScript engine, said to provide speed enhancements twice as fast as Firefox 3.0 and up to ten times that of Firefox 2.0.

One element of the acclaimed performance booster is giving its developers something of a headache this week, however. The first zero-day exploit for Firefox 3.5 was revealed publicly on Monday, in the form of a vulnerability in the browser's Just-in-time compiler. Unlike older methods of execution, which interpret the bytecode created from the browser's source code, a Just-in-time compiler transforms the bytecode into native machine code just before executing it, resulting in significant performance improvements. Attackers can utilize the vulnerability to execute malicious code on the user's system by luring them to a website containing the exploit code.

A patch for the exploit has yet to be released, though Firefox developers are on the case. Mozilla has indicated that once developers have prepared and tested the patch, it will be pushed out to users via the normal update channels. Linux users may wish to make special note of the update — because it was released so recently, users are likely to have installed Firefox 3.5 manually rather than via their distribution's repositories, and thus may not receive updates in the manner they are accustomed to.

Pending a final patch, Mozilla is recommending that users disable the JIT through the about:config dialog in order to circumvent the exploit. After entering about:config in the browser's address bar and clicking through the "This may void your warranty" screen, locate the javascript.options.jit.content setting via the filter box and set its value to false.

Developers stress that this is only a temporary fix, and as it will result in significantly decreased browser performance, should be returned to its original setting as soon as the patch is installed. Users uncomfortable with altering about:config settings can achieve the same result by running the browser in Safe Mode, though this will result in additional components being disabled.

______________________

Justin Ryan is a Contributing Editor for Linux Journal.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Not exploitable

Tweenk's picture

"Attackers can utilize the vulnerability to execute malicious code on the user's system by luring them to a website containing the exploit code."
No it can't. It's a non-exploitable null pointer dereference resulting from out of memory condition (equivalent to not checking for NULL when malloc'ing). It can only cause denial of service. It's worth noting that many other browsers also crash on the proof of concept "exploit".

You could just get 3.5.1

Anonymous's picture

You could just get 3.5.1 which has the bug fix... Click "check for updates"

a 0-day exploit revealed 1.5

Anonymous's picture

a 0-day exploit revealed 1.5 weeks later?

0 day ain't 0-day

Salvadesswaran Srinivasan's picture

Yeah, great! We've seen exploits on IE come out weeks in advance, but this one comes over a week later! Thank God we're safely using Firefox. I've upgraded to 3.5.1 on Fedora 11, Ubuntu 9.10, Debian 5 and well, XP too.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState