FireFox may need asbestos suit

There’s been quite a bit of buzz about the latest zero-day FireFox exploit. For those not in the know, it’s a vulnerability in how JavaScript code is handled by their new TraceMonkey component. So this exploit only works in 3.5.x. Mozilla has confirmed that this bug doesn’t affect 3.0.x.

There’s two ways to work around this until a patch is released. The first: Use NoScript. This add-on blocks Java, JavaScript, Flash, IFrames and other potential sources of malicious code. You can whitelist trusted sites and can also temporarily allow sites. Now the potential downside is that it can behave like a “click nanny” and it may take several clicks on “Allow …” or “Temporarily allow …” to get the page you want to see to work. However, it really doesn’t take long to balance security and usability.

The second workaround is to disable the vulnerable component. These instructions were posted here and are pretty straightforward. Remember, this is only for FireFox 3.5.x:

open up a new Firefox window and type “about:config” (without the quotes) in the browser’s address bar. In the “filter” box, type “jit” and you should see a setting called “javascript.options.jit.content”. You should notice that beside that setting it reads “true,” meaning the setting is enabled. If you just double-click on that setting, it should disable it, changing the option to “false.”

One thing to remember is that the main feature of TraceMonkey was to speed up scripts, so the second workaround will slow script rendering a bit.

It’s unfortunate this came to light when there are two Microsoft Internet Explorer exploits also making news – as a result Mozilla seems to be getting more flak than usual about it. Sophos is detecting the exploit code as Mal/JSShell-B.