New heap spray vulnerability- does NoScript protect?
Re: New heap spray vulnerability- does NoScript protect?
FF 3.5.1 looks to have taken care of this problem.
(As it is also fixed in the latest nightlies of SeaMonkey 2 too.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: New heap spray vulnerability- does NoScript protect?
Thank you. I just installed it and reset the jit pref.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Re: New heap spray vulnerability- does NoScript protect?
Hi Alan,
It is water under the bridge now anyway for it is fixed, but I really thought I have read that disabling "just-in-time" would slow down the browser:
http://blog.mozilla.com/security/2009/0 ... irefox-35/
Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have been received the security update containing the fix for this issue, they should restore the JIT setting to true by
I think mozilla's security blog is a good reference, isn't it?
luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090719 Shiretoko/3.5.1pre
Re: New heap spray vulnerability- does NoScript protect?
Sure.
It has been shown that JIT benchmarks better than non-JIT.
Now that's fine & dandy when you need to compare (brag about) your browser against the competition.
And yes, overall, it will make for a better browsing experience in your browser.
But, in the real world, you load a page on Youtube to view a video, you wouldn't have a clue as to whether JIT was enabled or not. There are far too many variables between you & Youtube's servers, that you would not notice the difference. Now on certain sites, perhaps things would be more apparent. But overall ...
So yes, you want JIT enabled. Will the Internet end if you don't have it enabled? No.
Lifehacker Speed Tests: Safari 4, Chrome 2 And More
performance, chrome, mozilla and tracemonkey
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716 SeaMonkey/2.0b1pre
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: New heap spray vulnerability- does NoScript protect?
luntrus wrote: I think mozilla's security blog is a good reference, isn't it?
Yes. I've added it to my feeds.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: New heap spray vulnerability- does NoScript protect?
therube wrote: So yes, you want JIT enabled. Will the Internet end if you don't have it enabled? No.
Agreed.
I've left JIT off . . . until either I notice a degradation in performance that it can fix, or until there's a certainty that no more exploits can use it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: New heap spray vulnerability- does NoScript protect?
Grumpy Old Lady wrote: I've left JIT off . . . until either I notice a degradation in performance that it can fix, or until there's a certainty that no more exploits can use it.
You can't have any "certainty" about that.
At this moment, though, there are no publicly known JIT exploits for 3.5.1, so I guess you can enable it back.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: New heap spray vulnerability- does NoScript protect?
Quoth Giorgio Maone
At this moment, though, there are no publicly known JIT exploits for 3.5.1, so I guess you can enable it back.
I forgot to add the ;-) after "certainty", forgive my poor attempt at irony.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: New heap spray vulnerability- does NoScript protect?
Hi Giorgio again,
Just considering your advice again, is your advice more pointed than it's ok to enable jit.content?
In other words, is NS functionality improved with it turned ON? In this home computing scenario, I mean, with medium and low-powered hardware on a laggy dsl line - all other things assumed equal?
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: New heap spray vulnerability- does NoScript protect?
Grumpy Old Lady wrote: In other words, is NS functionality improved with it turned ON?
No, NoScript will work the same.
Grumpy Old Lady wrote: In this home computing scenario, I mean, with medium and low-powered hardware on a laggy dsl line - all other things assumed equal?
Laggy dsl line - no benefit.
Low powered hardware - the obvious benefit of the increased speed.
However, since you come straight from Firefox 2, upgrading to Fx 3.5, even with JIT disabled (which "downgrades" its JS performance about at the same level as Fx 3.0) is already a very noticeable progress.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: New heap spray vulnerability- does NoScript protect?
Well, I have had quite a few months now with 3.0 on this machine (after abandoning 2 on the old PPC 10.3.9 when I couldn't justify the spend to upgrade the system to host 3) and 3.0 has been not much different in "feel" on this little portable with the famously flat T2080 - despite linux claims otherwise. Not that I want flashy speeds, I just want a machine that I can use for the most secure work online, one that I have a chance of learning all the processes on so that I can get good warning if something is futzing around with it.
But you're so right. The 3.5.1 is at least another factor better in feel - either with or without jit.content ON.
On the other hand, on the relatively well-equipped XP system, I get occasional flashes of acceleration with 3.5.1 (probably when the backhaul is momentarily not going all around the world to get back here), but most of the time I couldn't pick the difference between 3.0 and the new baby on that one.
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: New heap spray vulnerability- does NoScript protect?
Grumpy Old Lady wrote: but most of the time I couldn't pick the difference between 3.0 and the new baby on that one.
I'm afraid I rarely notice when something's faster. Counter-intuitively, it might be because my machine is so old and slow and I have only a 256kbps DSL connection. I'm used to everything taking a long time. A couple of exceptions that I can recall:
- Fx 2 was so slow opening up a new window that I finally changed my settings to open everything in tabs. Fx 3 is so much faster that opening a page in a new window is now a viable option.
- It would take many seconds for Fx 3.0 to shutdown. Fx 3.5 is much quicker than that.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Re: New heap spray vulnerability- does NoScript protect?
Don't forget The Power of Persuasion.
I "knew" that FF 3.5.1 would include a fix for extremely slow startups that some had seen.
I had not seen that.
So I put 351 on my computer at work.
Noticed no difference.
Now a number of days later, on my home computer, & even though I've never had a problem with startup, I think to myself, it does seem to be loading a bit faster!
Then I came to realize that I had not yet even installed 351 at home :shock:.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: New heap spray vulnerability- does NoScript protect?
therube wrote: Don't forget The Power of Persuasion.
aka vitamin/placebo/new/red paint effect.
therube wrote: Then I came to realize that I had not yet even installed 351 at home :shock:.
True? Ha ha ha ha.
Quoth Alan Baxter
I have only a 256kbps DSL connection.
Oh it's a supposedly 1500 killer-bits here (asymmetric - - 256 up), however the latency rather than the bandwidth is the log on the road.
I began using NS when on dialup, and, with tabs, I experienced a great boost in session productivity when I was able to allow on-the-fly. It remains the single biggest difference I've noticed in Fx. Since Phoenix.
Funny about startups, I've never paid attention to that - either with system boots or app starts.
Edit: Removed irrelevant detail.
Last edited by Grumpy Old Lady on Mon Nov 30, 2009 1:35 pm, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Re: New heap spray vulnerability- does NoScript protect?
FYI: v. 3.5 is available in the universe repository, or add the mozilla-daily ppa - here you also get Firefox 3.6 Minefield.
Grumpy Old Lady wrote: Now that might be a clue why still the delay in pushing 3.5 through the Ubuntu officials?
EDIT: No. The Ubuntu Fx upgrade policy is to run new numbers in parallel to the "top-level UI" browser - ie the Fx number that is fully supported - in their "stable, security" updates. The stable security updates are the x.04 numbers at the moment, with the x.10 intermediate numbers being the virtual betas of the x.04 releases.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090724 Ubuntu/9.04 (jaunty) Minefield/3.6a1pre AutoPager/0.5.2.2 (http://www.teesoft.info/)