Firefox 0-day exploit, update now available


sidney
July 16th, 2009, 09:44 PM
You may have seen the recent news about a new 0-day exploit against Firefox via javascript being revealed in the wild. It is a nasty one, with the intention of taking over your machine if you visit the wrong web site with Javascript enabled.

Firefox 3.5.1, which fixes the problem, is now available. In Firefox select "check for updates" in the Help menu to get it.

Judy G. Russell
July 16th, 2009, 10:16 PM
Thanks for the heads-up on this, Sidney. Off to update...

ndebord
July 17th, 2009, 10:30 PM
You may have seen the recent news about a new 0-day exploit against Firefox via javascript being revealed in the wild. It is a nasty one, with the intention of taking over your machine if you visit the wrong web site with Javascript enabled.

Firefox 3.5.1, which fixes the problem, is now available. In Firefox select "check for updates" in the Help menu to get it.

Sidney,

Excellent update, should have been included in FF 3.5 instead. There was a fix for FF 3.5 that meant disabling a setting in ABOUT:CONFIG, but this is better by far.

sidney
July 18th, 2009, 06:09 AM
Excellent update, should have been included in FF 3.5 instead.

"0-day" means that's how many days' notice the Mozilla developers had before the exploit was made public -- They learned about it when everyone else did, on July 14, announced the about:config workaround on July 15, and released FF 3.5.1 on July 16.

-- sidney

sidney
July 19th, 2009, 05:40 PM
Vulnerability in FireFox 3.5.1 confirmed, exploit PoC, no patch (http://isc.sans.org/diary.html?storyid=6829)

More detailed report here: Buffer overflow in Firefox 3.5.1 (http://www.h-online.com/open/Buffer-overflow-in-Firefox-3-5-1--/news/113792)

The only workaround reported so far is to disable Javascript. That's where the NoScript extension comes in handy, letting you enable Javascript only for specific sites where it is necessary and that you trust.

I don't have any other information about this one yet. Expect Firefox 3.5.2 very soon :p

Judy G. Russell
July 19th, 2009, 07:18 PM
Expect Firefox 3.5.2 very soon :p

Sigh...

jdh
July 19th, 2009, 08:15 PM
Vulnerability in FireFox 3.5.1 confirmed, exploit PoC, no patch (http://isc.sans.org/diary.html?storyid=6829)

More detailed report here: Buffer overflow in Firefox 3.5.1 (http://www.h-online.com/open/Buffer-overflow-in-Firefox-3-5-1--/news/113792)

The only workaround reported so far is to disable Javascript. That's where the NoScript extension comes in handy, letting you enable Javascript only for specific sites where it is necessary and that you trust.

I don't have any other information about this one yet. Expect Firefox 3.5.2 very soon :p

"We [Mozilla] do not believe this is any kind of boundary condition, but a non-exploitable denial-of-service due to memory exhaustion."
http://isc.sans.org/diary.html?storyid=6838&rss

If such is in fact the case, then doing a workaround may not be a high priority. So, for now, I'm just patiently waiting for the patch. I use NoScript, anyway.

DH

sidney
July 19th, 2009, 09:06 PM
but a non-exploitable denial-of-service due to memory exhaustion.

Yes, the details are now in the Mozilla bug report (https://bugzilla.mozilla.org/show_bug.cgi?id=504342) and it appears to crash Firefox but not be exploitable. The javascript proof of concept code appears to similarly crash IE 8 and Safari too. That's not a big deal. If a web page crashes my browser whenever I go to it, I stop going to it :)

davidh
July 19th, 2009, 11:33 PM
Yes, the details are now in the Mozilla bug report (https://bugzilla.mozilla.org/show_bug.cgi?id=504342) and it appears to crash Firefox but not be exploitable. The javascript proof of concept code appears to similarly crash IE 8 and Safari too. That's not a big deal. If a web page crashes my browser whenever I go to it, I stop going to it :)

IIRC, I think the link I posted mentioned the difference between security guys and system admin guys, with reference to the finding that IE8 crashed too. Namely that the security guys like to play around and break things.

Does that mean that the admins like baling wire and duct tape and reliance on divine providence? :)

sidney
July 20th, 2009, 01:02 AM
Does that mean that the admins like baling wire and duct tape and reliance on divine providence? :)

I thought the admins are divine providence! The duct tape is pretty good though, useful on the machines and the users.

Bruce Schneier tells a story from his childhood to illustrate this difference between security researchers and ordinary mortals, and how it starts young. He got an ant farm as a present, which included the box and instructions and a coupon to mail in to get the live ants. Most kids would have thought "Cool, I can get ants for my ant farm." He thought, "Wow, I can get a package of live ants delivered to anyone just by sending in this coupon!"