New heap spray vulnerability- does NoScript protect?

[therube]

FF 3.5.1 looks to have taken care of this problem.
(As it is also fixed in the latest nightlies of SeaMonkey 2 too.)

[Alan Baxter]

Thank you. I just installed it and reset the jit pref.

[luntrus]

Hi Alan,

It is water under the bridge now anyway for it is fixed, but I really thought I have read that disabling "just-in-time" would slow down the browser:

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have been received the security update containing the fix for this issue, they should restore the JIT setting to true by

http://blog.mozilla.com/security/2009/0 ... irefox-35/
I think mozilla's security blog is a good reference, isn't it?

luntrus

[therube]

Sure.

It has been shown that JIT benchmarks better then non-JIT.
Now that's fine & dandy when you need to compare (brag about) your browser against the competition.
And yes, overall, it will make for a better browsing experience in your browser.

But, in the real world, you load a page on Youtube to view a video, you wouldn't have a clue as to whether JIT was enabled or not. There are for too many variables between you & Youtube's servers, that you would not notice the difference. Now on certain sites, perhaps things would be more apparent. But overall ...

So yes, you want JIT enabled. Will then Internet end if you don't have it enabled, no.

Lifehacker Speed Tests: Safari 4, Chrome 2 And More

performance, chrome, mozilla and tracemonkey

[Alan Baxter]

I think mozilla's security blog is a good reference, isn't it?

Yes. I've added it to my feeds.

[Grumpy Old Lady]

So yes, you want JIT enabled. Will then Internet end if you don't have it enabled, no.

Agreed.
I've left JIT off . . . until either I notice a degradation in performance that it can fix, or until there's a certainty that no more exploits can use it.

[Giorgio Maone]

I've left JIT off . . . until either I notice a degradation in performance that it can fix, or until there's a certainty that no more exploits can use it.

You can't have any "certainty" about that.
At this moment, though, there are no publicly know JIT exploits for 3.5.1, so I guess you can enable it back.

[Grumpy Old Lady]

Quoth Giorgio Maone

At this moment, though, there are no publicly know JIT exploits for 3.5.1, so I guess you can enable it back.

I forgot to add the ;-) after "certainty", forgive my poor attempt at irony.

[Grumpy Old Lady]

Hi Giorgio again,

Just considering your advice again, is your advice more pointed than it's ok to enable jit.content?
In other words, is NS functionality improved with it turned ON? In this home computing scenario, I mean, with medium and low-powered hardware on a laggy dsl line - all other things assumed equal?

[Giorgio Maone]

In other words, is NS functionality improved with it turned ON?

No, NoScript will work the same.

In this home computing scenario, I mean, with medium and low-powered hardware on a laggy dsl line - all other things assumed equal?

Laggy dsl line - no benefit.
Low powered hardware - the obvious benefit of the increased speed.
However, since you come straight from Firefox 2, upgrading Fx 3.5, even with JIT disabled (which "downgrades" its JS performance about at the same level as Fx 3.0) is already a very noticeable progress.

[Grumpy Old Lady]

Well, I have had quite a few months now with 3.0 on this machine (after abandoning 2 on the old PPC 10.3.9 when I couldn't justify the spend to upgrade the system to host 3) and 3.0 has been not much different in "feel" on this little portable with the famously flat T2080 - despite linux claims otherwise. Not that I want flashy speeds, I just want a machine that I can use for the most secure work online, one that I have a chance of learning all the processes on so that I can get good warning if something is futzing around with it.
But you're so right. The 3.5.1 is at least another factor better in feel - either with or without jit.content ON.
On the other hand, on the relatively well-equipped XP system, I get occasional flashes of acceleration with 3.5.1 (probably when the backhaul is momentarily not going all around the world to get back here), but most of the time I couldn't pick the difference between 3.0 and the new baby on that one.

[Alan Baxter]

but most of the time I couldn't pick the difference between 3.0 and the new baby on that one.

I'm afraid I rarely notice when something's faster. Counter-intuitively, it might be because my machine is so old and slow and I have only a 256kbps DSL connection. I'm used to everything taking a long time. A couple of exceptions that I can recall:
- Fx 2 was so slow opening up a new window that I finally changed my settings to open everything in tabs. Fx 3 is so much faster that opening a page in a new window is now a viable option.
- It would take many seconds for Fx 3.0 to shutdown. Fx 3.5 is much quicker than that.

[therube]

Don't forget The Power of Persuasion.

I "knew" that FF 3.5.1 would include a fix for extremely slow startups that some had seen.
I had not seen that.

So I put put 351 on my computer at work.
Noticed no difference.

Now a number of days later, on my home computer, & even though I've never had a problem with startup, I think to myself, it does seem to be loading a bit faster!

Then I came to realize that I had not yet even installed 351 at home .

[Grumpy Old Lady]

Don't forget The Power of Persuasion.

aka vitamin/placebo/new/red paint effect.

Then I came to realize that I had not yet even installed 351 at home :shock:.

True? Ha ha ha ha.

Quoth Alan Baxter

I have only a 256kbps DSL connection.

Oh it's a supposedly 1500 killer-bits here (asymmetric - - 256 up), however the latency rather than the bandwidth is the log on the road.
I began using NS when on dialup, and, with tabs, I experienced a great boost in session productivity when I was able to allow on-the-fly. It remains the single biggest difference I've noticed in Fx. Since Phoenix.

Funny about startups, I've never paid attention to that - either with system boots or app starts.

Edit: Removed irrelevant detail.

[tlu]

Now that might be a clue why still the delay in pushing 3.5 through the Ubuntu officials?

EDIT: No. The Ubuntu Fx upgrade policy is to run new numbers in parallel to the "top-level UI" browser - ie the Fx number that is fully supported - in their "stable, security" updates. The stable security updates are the x.04 numbers at the moment, with the x.10 intermediate numbers being the virtual betas of the x.04 releases.

FYI: v. 3.5 is available in the universe repository, or add the mozilla-daily ppa - here you also get Firefox 3.6 Minefield.