New heap spray vulnerability- does NoScript protect?

General discussion about the NoScript extension for Firefox
User avatar
therube
Ambassador
Posts: 7633
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: New heap spray vulnerability- does NoScript protect?

Post by therube » Thu Jul 16, 2009 5:44 pm

FF 3.5.1 looks to have taken care of this problem.
(As it is also fixed in the latest nightlies of SeaMonkey 2 too.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: New heap spray vulnerability- does NoScript protect?

Post by Alan Baxter » Fri Jul 17, 2009 4:46 am

Thank you. I just installed it and reset the jit pref.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: New heap spray vulnerability- does NoScript protect?

Post by luntrus » Sun Jul 19, 2009 8:54 pm

Hi Alan,

It is water under the bridge now anyway for it is fixed, but I really thought I have read that disabling "just-in-time" would slow down the browser:
Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have been received the security update containing the fix for this issue, they should restore the JIT setting to true by

http://blog.mozilla.com/security/2009/0 ... irefox-35/
I think mozilla's security blog is a good reference, isn't it?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090719 Shiretoko/3.5.1pre

User avatar
therube
Ambassador
Posts: 7633
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: New heap spray vulnerability- does NoScript protect?

Post by therube » Sun Jul 19, 2009 9:01 pm

Sure.

It has been shown that JIT benchmarks better then non-JIT.
Now that's fine & dandy when you need to compare (brag about) your browser against the competition.
And yes, overall, it will make for a better browsing experience in your browser.

But, in the real world, you load a page on Youtube to view a video, you wouldn't have a clue as to whether JIT was enabled or not. There are for too many variables between you & Youtube's servers, that you would not notice the difference. Now on certain sites, perhaps things would be more apparent. But overall ...

So yes, you want JIT enabled. Will then Internet end if you don't have it enabled, no.

Lifehacker Speed Tests: Safari 4, Chrome 2 And More

performance, chrome, mozilla and tracemonkey
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716 SeaMonkey/2.0b1pre

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: New heap spray vulnerability- does NoScript protect?

Post by Alan Baxter » Sun Jul 19, 2009 9:17 pm

luntrus wrote:I think mozilla's security blog is a good reference, isn't it?

Yes. I've added it to my feeds.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: New heap spray vulnerability- does NoScript protect?

Post by Grumpy Old Lady » Mon Jul 20, 2009 7:13 am

therube wrote:
So yes, you want JIT enabled. Will then Internet end if you don't have it enabled, no.


Agreed.
I've left JIT off . . . until either I notice a degradation in performance that it can fix, or until there's a certainty that no more exploits can use it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

User avatar
Giorgio Maone
Site Admin
Posts: 8860
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: New heap spray vulnerability- does NoScript protect?

Post by Giorgio Maone » Mon Jul 20, 2009 7:33 am

Grumpy Old Lady wrote:I've left JIT off . . . until either I notice a degradation in performance that it can fix, or until there's a certainty that no more exploits can use it.

You can't have any "certainty" about that.
At this moment, though, there are no publicly know JIT exploits for 3.5.1, so I guess you can enable it back.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: New heap spray vulnerability- does NoScript protect?

Post by Grumpy Old Lady » Mon Jul 20, 2009 7:40 am

Quoth Giorgio Maone
At this moment, though, there are no publicly know JIT exploits for 3.5.1, so I guess you can enable it back.

I forgot to add the ;-) after "certainty", forgive my poor attempt at irony.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: New heap spray vulnerability- does NoScript protect?

Post by Grumpy Old Lady » Mon Jul 20, 2009 10:42 am

Hi Giorgio again,

Just considering your advice again, is your advice more pointed than it's ok to enable jit.content?
In other words, is NS functionality improved with it turned ON? In this home computing scenario, I mean, with medium and low-powered hardware on a laggy dsl line - all other things assumed equal?
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1

User avatar
Giorgio Maone
Site Admin
Posts: 8860
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: New heap spray vulnerability- does NoScript protect?

Post by Giorgio Maone » Mon Jul 20, 2009 11:08 am

Grumpy Old Lady wrote:In other words, is NS functionality improved with it turned ON?

No, NoScript will work the same.
Grumpy Old Lady wrote:In this home computing scenario, I mean, with medium and low-powered hardware on a laggy dsl line - all other things assumed equal?

Laggy dsl line - no benefit.
Low powered hardware - the obvious benefit of the increased speed.
However, since you come straight from Firefox 2, upgrading Fx 3.5, even with JIT disabled (which "downgrades" its JS performance about at the same level as Fx 3.0) is already a very noticeable progress.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: New heap spray vulnerability- does NoScript protect?

Post by Grumpy Old Lady » Mon Jul 20, 2009 3:43 pm

Well, I have had quite a few months now with 3.0 on this machine (after abandoning 2 on the old PPC 10.3.9 when I couldn't justify the spend to upgrade the system to host 3) and 3.0 has been not much different in "feel" on this little portable with the famously flat T2080 - despite linux claims otherwise. Not that I want flashy speeds, I just want a machine that I can use for the most secure work online, one that I have a chance of learning all the processes on so that I can get good warning if something is futzing around with it.
But you're so right. The 3.5.1 is at least another factor better in feel - either with or without jit.content ON.
On the other hand, on the relatively well-equipped XP system, I get occasional flashes of acceleration with 3.5.1 (probably when the backhaul is momentarily not going all around the world to get back here), but most of the time I couldn't pick the difference between 3.0 and the new baby on that one.
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.04 (jaunty) Shiretoko/3.5.1

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: New heap spray vulnerability- does NoScript protect?

Post by Alan Baxter » Mon Jul 20, 2009 3:59 pm

Grumpy Old Lady wrote:but most of the time I couldn't pick the difference between 3.0 and the new baby on that one.

I'm afraid I rarely notice when something's faster. Counter-intuitively, it might be because my machine is so old and slow and I have only a 256kbps DSL connection. I'm used to everything taking a long time. A couple of exceptions that I can recall:
- Fx 2 was so slow opening up a new window that I finally changed my settings to open everything in tabs. Fx 3 is so much faster that opening a page in a new window is now a viable option.
- It would take many seconds for Fx 3.0 to shutdown. Fx 3.5 is much quicker than that.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

User avatar
therube
Ambassador
Posts: 7633
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: New heap spray vulnerability- does NoScript protect?

Post by therube » Mon Jul 20, 2009 4:19 pm

Don't forget The Power of Persuasion.

I "knew" that FF 3.5.1 would include a fix for extremely slow startups that some had seen.
I had not seen that.

So I put put 351 on my computer at work.
Noticed no difference.

Now a number of days later, on my home computer, & even though I've never had a problem with startup, I think to myself, it does seem to be loading a bit faster!

Then I came to realize that I had not yet even installed 351 at home :shock:.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: New heap spray vulnerability- does NoScript protect?

Post by Grumpy Old Lady » Tue Jul 21, 2009 6:50 am

therube wrote:Don't forget The Power of Persuasion.

aka vitamin/placebo/new/red paint effect.

Then I came to realize that I had not yet even installed 351 at home :shock:.


True? Ha ha ha ha.

Quoth Alan Baxter
I have only a 256kbps DSL connection.

Oh it's a supposedly 1500 killer-bits here (asymmetric - - 256 up), however the latency rather than the bandwidth is the log on the road.
I began using NS when on dialup, and, with tabs, I experienced a great boost in session productivity when I was able to allow on-the-fly. It remains the single biggest difference I've noticed in Fx. Since Phoenix.

Funny about startups, I've never paid attention to that - either with system boots or app starts.

Edit: Removed irrelevant detail.
Last edited by Grumpy Old Lady on Mon Nov 30, 2009 1:35 pm, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: New heap spray vulnerability- does NoScript protect?

Post by tlu » Sat Jul 25, 2009 9:38 am

Grumpy Old Lady wrote:Now that might be a clue why still the delay in pushing 3.5 through the Ubuntu officials?

EDIT: No. The Ubuntu Fx upgrade policy is to run new numbers in parallel to the "top-level UI" browser - ie the Fx number that is fully supported - in their "stable, security" updates. The stable security updates are the x.04 numbers at the moment, with the x.10 intermediate numbers being the virtual betas of the x.04 releases.


FYI: v. 3.5 is available in the universe repository, or add the mozilla-daily ppa - here you also get Firefox 3.6 Minefield.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090724 Ubuntu/9.04 (jaunty) Minefield/3.6a1pre AutoPager/0.5.2.2 (http://www.teesoft.info/)

Post Reply