First Zero-Day Exploit Released For Firefox 3.5

Patch is in the works, exploit code and Metasploit attack module are released

Dark Reading Staff, Dark Reading

July 15, 2009

1 Min Read

The race is on: Mozilla is scrambling to finish a patch for a now-public bug in its Firefox 3.5 browser, while exploit code is circulating and Metasploit has released a new module for the attack.

The vulnerability, which was initially discovered by Mozilla last week in the Firefox 3.5 Just-in-Time (JIT) JavaScript compiler, is considered "critical" in that it can be used to execute malicious code, according to Mozilla. A researcher posted his attack code on mil0rm on Monday. The flaw lets an attacker infect the machine of a victim duped into visiting a malicious Web page.

Disabling JIT in the JavaScript engine is one way to protect against such an attack, but that's only a temporary solution because without JIT, Firefox's performance decreases, Mozilla warned in its blog. Another option is to run Firefox in Safe Mode, which disables the JIT, or to use the NoScript add-on for Firefox.

Here's how to disable JIT in JavaScript, according to Mozilla:

  • 1. Enter about:configin the browser's location bar.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights