Firefox 3.5 Vulnerability

Brian Krebs at the Washington Post is reporting, in his “Security Fix” blog, a newly-discovered vulnerability in the recently released Firefox 3.5 browser.  The problem is apparently connected with the new implementation of JavaScript that was introduced with version 3.5.   There is no fix available at the moment, but there is a workaround, described in Brian’s article, that should disable the affected component.  (Although I trust Brian’s work, I have not yet been able to independently confirm this.)  See update below

To set up the workaround, type into the address bar (where you would usually enter a URL) the string:

        about:config

Note there are no spaces.  You will then get a slightly tongue-in-cheek dialog box that says “This might void your warranty”.  Click on the button that says “I’ll be careful, I promise!”.  This will bring up a very long list of options, with a search box at the top of the list.  Type the string ‘jit’ into the search box; you should then have the list narrowed down to two options.  Locate the line that looks like this:

 javascript.options.jit.content ...    true

After you double-click the line, the value should change from true to false. That’s all that’s required.  You may notice some slowdown in performance on JavaScript-intensive sites, such as Google Docs or Facebook.

Users who have the NoScript extension installed should also be protected on sites where the extension disables JavaScript;  however, since so many sites today require JavaScript to function, this protection may not be all that valuable.

I’ve been running with the workaround in place for a couple of hours, and haven’t seen any real problems so far.

Update, Tuesday, July 14, 16:40

The existence of the problem, and the temporary workaround, have now been confirmed by an entry on the Mozilla Security Blog.  A more permanent fix is in the works.