First Zero-Day Exploit Released For Firefox 3.5

Patch is in the works, exploit code and Metasploit attack module are released
The race is on: Mozilla is scrambling to finish a patch for a now-public bug in its Firefox 3.5 browser, while exploit code is circulating and Metasploit has released a new module for the attack.

The vulnerability, which was initially discovered by Mozilla last week in the Firefox 3.5 Just-in-Time (JIT) JavaScript compiler, is considered "critical" in that it can be used to execute malicious code, according to Mozilla. A researcher posted his attack code on mil0rm on Monday. The flaw lets an attacker infect the machine of a victim duped into visiting a malicious Web page.

Disabling JIT in the JavaScript engine is one way to protect against such an attack, but that's only a temporary solution because without JIT, Firefox's performance decreases, Mozilla warned in its blog. Another option is to run Firefox in Safe Mode, which disables the JIT, or to use the NoScript add-on for Firefox.

Here's how to disable JIT in JavaScript, according to Mozilla:

    1. Enter about:config in the browser's location bar.