Full Version: Critical JavaScript vulnerability in Firefox 3.5
Gladiator Security Forum > Forum Rules > Security Bulletins
Chachazz
Critical JavaScript vulnerability in Firefox 3.5
http://blog.mozilla.com/security/2009/07/1...-in-firefox-35/
07.14.09 - 10:15am
--------------------

Edit:
Mozilla responds, and fast
- "There are already candidate builds up for a 3.5.1 update that will fix this and will go official after testing of it is complete, should be within a few days."

-----------------------
Issue
A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Impact
The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:

1. Enter about:config in the browser’s location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content setting the value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT setting to true by:

1. Enter about:config in the browser’s location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content setting the value to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode. Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.

Status
Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.

Credit
Zbyte reported this issue to Mozilla and Lucas Kruijswijk helped reduce the exploit test case.
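The about:config steps quoted above, as an added example that is not part of the Mozilla advisory or of this post: a POSIX shell helper that applies or reverts the same javascript.options.jit.content setting by editing user.js in a Firefox profile directory, which is how the temporary mitigation (and its later reversal after 3.5.1) would be pushed to many machines rather than clicked through by hand. Firefox reads user.js at every start-up and copies its user_pref() lines into prefs.js, so a line there overrides the value shown in about:config. The function names and the profile-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Mozilla advisory or the forum post.
# Applies or reverts the Firefox 3.5 JIT mitigation by rewriting user.js
# in a profile directory. Firefox reads user.js on every start and copies
# its user_pref() lines into prefs.js, so this overrides about:config.
# Assumption: the caller passes the profile directory explicitly
# (e.g. ~/.mozilla/firefox/<profile>.default); it is not discovered here.

PREF='javascript.options.jit.content'

# set_jit_pref PROFILE_DIR true|false
# Removes any existing user_pref line for the JIT pref from user.js and
# appends the requested value, so repeated runs leave exactly one line.
set_jit_pref() {
    profile="$1"
    value="$2"
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 1 ;;
    esac
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 1; }
    f="$profile/user.js"
    tmp="$f.tmp.$$"
    # Keep every line that is not the JIT pref (grep -v exits 1 when it
    # keeps nothing, which is fine here), then append the new value.
    if [ -f "$f" ]; then
        grep -v "\"$PREF\"" "$f" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'user_pref("%s", %s);\n' "$PREF" "$value" >> "$tmp"
    mv "$tmp" "$f"
}

# get_jit_pref PROFILE_DIR
# Prints the value recorded in user.js, or "unset" when no line is present
# (Firefox 3.5 then uses its built-in default, which is true).
get_jit_pref() {
    f="$1/user.js"
    [ -f "$f" ] || { echo unset; return 0; }
    v=$(sed -n "s/^user_pref(\"$PREF\", *\([a-z]*\));.*/\1/p" "$f" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# Usage (after sourcing this file):
#   set_jit_pref /path/to/profile false   # mitigate until 3.5.1 is installed
#   set_jit_pref /path/to/profile true    # restore JIT after the update
#   get_jit_pref /path/to/profile         # check what user.js currently pins
```

Firefox must be restarted for the change to take effect, and because user.js is re-applied on every start, the "true" call (or deleting the line) is needed after the 3.5.1 update or the JIT stays disabled indefinitely.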
TheSentinel
Addition

Heise Online (DE) reports on July 19th 2009 that the newly launched, patched release Firefox 3.5.1 has an extremely critical JavaScript hole.

More about:
Heise DE Online

National Vulnerability Database

Chachazz
A second bug has been discovered - it's a stack overflow and it is not exploitable; the above-mentioned critical JavaScript vulnerability was fixed in release 3.5.1.

milw0rm 9158 “stack overflow” crash not exploitable (CVE-2009-2479)

07.19.09 - 02:44pm
"In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability."

Mozilla Security Blog:
http://blog.mozilla.com/security/2009/07/1...-cve-2009-2479/

On Windows, Firefox 3.0.x and Firefox 3.5.x are terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code.

On the Macintosh in Firefox 3.0.x and 3.5.x, a crash occurs inside the ATSUI system library (part of OS X), due to what appears to be a failure to check allocation results. This issue is likely to affect any application using the recommended text-handling libraries on OS X. We have reported this issue to Apple, but in the event that they do not provide a fix we will look to implement mitigations in Mozilla code. We recommend that other developers who use these libraries consider a similar practice, and we have added mitigations in the past for similar bugs in these libraries.

As a result of our analysis, we do not believe that this represents an exploitable vulnerability in Firefox. Further, we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly.

Mike Shaver
VP Engineering, Mozilla Corporation