"Critical security hole in Firefox 3.5" Javascript based

[kukla]

Since this exploit is Javascript based, I'm wondering if anyone knows if NS will protect FF 3.5 users?

http://www.computerweekly.com/Articles/ ... ox-3.5.htm

[GµårÐïåñ]

Wasn't this already asked and answered here? http://forums.informaction.com/viewtopic.php?f=8&t=1953

Yes it does.

or is this somehow something new?

[kukla]

That must be the one. Apparently NS will protect, but not against an allowed site if it's been hacked. Following change, which I made in about:config is recommended:

Setting the javascript.options.jit.content about:config preference to false mitigates this bug, since it is a TraceMonkey vulnerability.

And, from what I could gather no one is certain exactly what platforms are affected. Do you know if Mac is? Thanks.

EDITED

[GµårÐïåñ]

Generally if you allow a page, the assumption is that you want it to do whatever. However, there are some things that NS protects against regardless of whether the site is allowed or not. Additionally, although MAC are not completely immune to malicious attacks, given they are used by a smaller group of generally sub-specialty group of people, it is not wide enough in range to be worth the exploit and most hackers won't waste their time with it.

This being said, generally Linux and Mac are fairly safe from the most "general' and broad of attacks (since they are often targeted to the most widely used windows platform to do the most damage and reach the most people) unless the exploit is of core function that is facilitated by a cross platform application like Fx that will cause the same result, in which case everyone is equally affected (again if its using an API present only in windows, then obviously it will fail in other OS regardless of how it is facilitated).

The worst thing a user can do is give into FUD and start taking actions they are not sure about which are more likely to open them up (done improperly) than to practice safe common sense browsing habits, take note of where you are going, what you are doing and take basic steps to protect yourself. You wouldn't just give your id to anyone who asks for it, would you? but that won't stop you from giving it to people who need to see it? What's the difference? use of common sense. Apply that to computing and you will be fine more times than not.

Any further specifics and I will let Giorgio comment on it and provide you with any examples he feels are relevant or important.

[kukla]

Thanks for that. I made the above change in about:config, Was that a mistake, premature? Should I go back and reverse that? (Giorgio must be asleep by now.)

[GµårÐïåñ]

That edit to your about:config is fine, you will not harm yourself and you can safely leave it in place. Its a bug that has been mitigated by NS already but that will ensure that you have an additional layer just in case.

[kukla]

And one final thing: is this still just a POC, i.e. nothing yet reported in the wild? Thanks again for help on this.

[GµårÐïåñ]

Its not a wildfire, let's just say that, its out there and its used and the code is available but unlikely it will get out of hand. Its not coming up through internal Fx update but it is available on their site.

[Mc]

Fx 3.5.1 is out with a fix

[GµårÐïåñ]

Yes I thought it was already stated but many didn't get it because it wasn't available through Fx update as of yesterday but it was available on their site if you wanted to get it that way.