Loading
JITter Bug
Bugs are a fact of life in the technology world, and the Open Source community is no exception. What is exceptional, however, is the open way these vulnerabilities are handled, as the developers behind Mozilla's Firefox browser have aptly demonstrated.
Two weeks ago, Mozilla was celebrating the triumphant release of the much-delayed Firefox 3.5. The browser brings its users a pantheon of new features, with perhaps the most celebrated being the TraceMonkey JavaScript engine, said to provide speed enhancements twice as fast as Firefox 3.0 and up to ten times that of Firefox 2.0.
One element of the acclaimed performance booster is giving its developers something of a headache this week, however. The first zero-day exploit for Firefox 3.5 was revealed publicly on Monday, in the form of a vulnerability in the browser's Just-in-time compiler. Unlike older methods of execution, which interpret the bytecode created from the browser's source code, a Just-in-time compiler transforms the bytecode into native machine code just before executing it, resulting in significant performance improvements. Attackers can utilize the vulnerability to execute malicious code on the user's system by luring them to a website containing the exploit code.
A patch for the exploit has yet to be released, though Firefox developers are on the case. Mozilla has indicated that once developers have prepared and tested the patch, it will be pushed out to users via the normal update channels. Linux users may wish to make special note of the update — because it was released so recently, users are likely to have installed Firefox 3.5 manually rather than via their distribution's repositories, and thus may not receive updates in the manner they are accustomed to.
Pending a final patch, Mozilla is recommending that users disable the JIT through the about:config dialog in order to circumvent the exploit. After entering about:config in the browser's address bar and clicking through the "This may void your warranty" screen, locate the javascript.options.jit.content setting via the filter box and set its value to false.
Developers stress that this is only a temporary fix, and as it will result in significantly decreased browser performance, should be returned to its original setting as soon as the patch is installed. Users uncomfortable with altering about:config settings can achieve the same result by running the browser in Safe Mode, though this will result in additional components being disabled.
______________________
Justin Ryan is a Contributing Editor for Linux Journal.
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Validate an E-Mail Address with PHP, the Right Way
- RSS Feeds
- Readers' Choice Awards
- Tech Tip: Really Simple HTTP Server with Python
- DynDNS
2 hours 15 min ago - Reply to comment | Linux Journal
2 hours 48 min ago - All the articles you talked
5 hours 11 min ago - All the articles you talked
5 hours 14 min ago - All the articles you talked
5 hours 16 min ago - myip
9 hours 40 min ago - Keeping track of IP address
11 hours 31 min ago - Roll your own dynamic dns
16 hours 45 min ago - Please correct the URL for Salt Stack's web site
19 hours 56 min ago - Android is Linux -- why no better inter-operation
22 hours 12 min ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Developer Poll
Comments
Not exploitable
"Attackers can utilize the vulnerability to execute malicious code on the user's system by luring them to a website containing the exploit code."
No it can't. It's a non-exploitable null pointer dereference resulting from out of memory condition (equivalent to not checking for NULL when malloc'ing). It can only cause denial of service. It's worth noting that many other browsers also crash on the proof of concept "exploit".
You could just get 3.5.1
You could just get 3.5.1 which has the bug fix... Click "check for updates"
a 0-day exploit revealed 1.5
a 0-day exploit revealed 1.5 weeks later?
0 day ain't 0-day
Yeah, great! We've seen exploits on IE come out weeks in advance, but this one comes over a week later! Thank God we're safely using Firefox. I've upgraded to 3.5.1 on Fedora 11, Ubuntu 9.10, Debian 5 and well, XP too.