Mozilla confirms new crash bug in Firefox 3.5.1 not exploitable

Mozilla has confirmed a crash bug in the latest Firefox 3.5.1, related to how its JavaScript handles certain long Unicode strings, that could lead to a crash on Mac OS X, Windows and Linux.

Mozilla states that despite what several media outlets and security organizations reported over the weekend, it is not an exploitable vulnerability that could lead to malicious code execution, so it is not a critical flaw.


Mozilla confirms critical security flaw in Firefox 3.5

Mozilla has confirmed a critical security vulnerability, disclosed yesterday by Milw0rm, that may lead to remote code execution.

As it is related to the new TraceMonkey JavaScript optimizer, users can mitigate it by temporarily disabling the optimizer. To do so:

  • Enter about:config in the location bar to access advanced preferences.
  • Look for javascript.options.jit.content and double click it to set it to false.
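To check whether the mitigation above is actually in effect for a profile, the following added example (not from the original post or from Mozilla) reads the text of a profile's prefs.js and user.js and reports the effective value of javascript.options.jit.content. The function names and sample file contents are constructed for illustration, and it assumes a missing preference means the Firefox 3.5 default, with the optimizer enabled.

```python
import re

PREF = "javascript.options.jit.content"
# One preference line as written in prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: raw value}; commented-out lines do not match, later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def jit_mitigated(prefs_js="", user_js=""):
    """True only when the effective value of the pref is false.
    user.js is applied on top of prefs.js at startup, so it takes precedence.
    Assumption: a missing pref means the Firefox 3.5 default, optimizer enabled."""
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    return effective.get(PREF, "true") == "false"

def with_mitigation(user_js=""):
    """Return user.js text that pins the pref to false, dropping any older setting."""
    kept = []
    for line in user_js.splitlines():
        m = PREF_LINE.match(line)
        if not (m and m.group(1) == PREF):
            kept.append(line)
    kept.append('user_pref("%s", false);' % PREF)
    return "\n".join(kept) + "\n"

# Constructed sample profile contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://example.org/");
user_pref("javascript.options.jit.content", false);
'''
SAMPLE_USER_JS = 'user_pref("javascript.options.jit.content", true);\n'

if __name__ == "__main__":
    print(jit_mitigated(SAMPLE_PREFS_JS))                  # pref set through about:config
    print(jit_mitigated(SAMPLE_PREFS_JS, SAMPLE_USER_JS))  # user.js re-enables the optimizer
    print(jit_mitigated(SAMPLE_PREFS_JS, with_mitigation(SAMPLE_USER_JS)))
```

A user.js left over from earlier tuning can silently undo the about:config change at the next start, which is why the check merges both files.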

Mozilla reports that they are already working on a fix for the flaw and it will be released as soon as it becomes available.

Mozilla rushes Firefox 3.0.8 to address latest security bugs

It turned out Mozilla needed only a couple of days to release fixes for two security vulnerabilities disclosed in the last few days. One was uncovered last week during the CanSecWest Pwn2Own contest; the other was published a couple of days ago by an Italian hacker.

While Firefox 3.0.8 fixes only these two critical security bugs, another was already on schedule for release in mid-April. I think this release may delay the Firefox 3.0.9 release a bit, but it should still come out in April.

To update, in the Help menu, select Check For Updates… and follow the onscreen instructions if you are not automatically prompted before that.

Crashing bug in Firefox prompts early update next week

Guido Landi, an Italian hacker, has disclosed the details of a previously unknown crashing bug, including a proof of concept consisting of XML and XSL files that are loaded in an internal frame, resulting in a Firefox 3.0.7 crash on all platforms.

There is no known exploit at this time, but since the bug has already been disclosed, Mozilla has decided to release the next Firefox update, 3.0.8, next week, about a week ahead of the mid-April target.

Mozilla’s Giorgio Maone explains a mitigation tip: “Like the vast majority of [crashing bugs, it] is not exploitable if you’ve got JavaScript and other active content disabled on the attacker site, because reliable exploitation requires scripting to ‘spray the heap’, i.e. to inject the malicious payload at the right places of your memory for execution. Therefore you can easily survive until the automatic update kicks in, if you don’t mind the possibility of an annoying but not dangerous crash.”

The bug does not affect the latest Firefox 3.5 nightlies, where the proof of concept instead results in an expected XML parsing error.

Mozilla already working on a Firefox 3 security fix

The same day Firefox 3 shipped, Tipping Point, a research organization for vulnerability analysis and discovery, posted an upcoming advisory (ZDI-CAN-349) on its Zero Day Initiative site about a new security vulnerability, affecting Firefox 2 and 3, that could allow an attacker to execute arbitrary code.
