Enables attackers to perform drive-by attacks and distribute malware

Jul 15, 2009 09:12 GMT

A zero-day proof-of-concept exploit for a critical vulnerability in the latest Mozilla Firefox version was released recently. The flaw allows attackers to execute malicious code on users' computers by tricking them into visiting a maliciously crafted page.

According to Mozilla's Security Team, the bug was discovered last week and is located in the just-in-time (JIT) JavaScript compiler of the recently released Firefox 3.5. Danish vulnerability research company Secunia catalogs it as a memory corruption vulnerability and assigns it a "Highly Critical" severity rating.

Proof-of-concept exploit code was published two days ago on milw0rm and is expected to be integrated soon into malicious web attack toolkits, as happens with most browser vulnerabilities of this kind. The exploit employs a common technique called heap spraying, which fills large regions of memory with copies of the rogue code so that it ends up at a predictable location.

Mozilla suggests disabling the JIT compiler as a temporary mitigation. To do this, users need to type "about:config" in the address bar, then search for the "javascript.options.jit.content" option and set its value to false. Less technical users can achieve the same result by running Firefox in Safe Mode, using the "Mozilla Firefox (Safe Mode)" link from the "Programs" folder on the Windows Start menu.

"Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have been [sic.] received the security update containing the fix for this issue, they should restore the JIT setting to true," the Firefox developers advise.

This vulnerability couldn't have come at a worse time for Web users, as two similar zero-day remote code execution flaws affecting the latest version of Internet Explorer have recently been disclosed. Microsoft shipped a fix for one of them during yesterday's Patch Tuesday, but the other one has not been addressed. This means that, at the moment, the two most widely used browsers are wide open to drive-by attacks.

Update: This vulnerability has been addressed in the Mozilla Firefox 3.5.1 release. Users who previously disabled the JIT compiler in order to mitigate the problem are advised to revert the change after installing the new version.
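For administrators checking whether the workaround above was applied, and whether it should now be reverted on 3.5.1, the following is an added example (not from Mozilla or the original article) that reads a profile's prefs.js in Firefox's `user_pref("name", value);` format and classifies it against the advice in this article. The sample preference text is constructed; the preference name and the fixed version come from the article.

```python
import re

# Preference Mozilla names for the temporary workaround (from the article).
JIT_PREF = "javascript.options.jit.content"
# First release carrying the fix (from the article's update note).
FIXED_VERSION = (3, 5, 1)

# Firefox prefs.js / user.js line shape: user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample prefs.js content, not taken from any real profile.
SAMPLE_PREFS = """
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", false);
"""


def parse_prefs(prefs_text: str) -> dict:
    """Parse user_pref(...) lines into {name: value}, typing bools, ints, strings."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def parse_version(ver: str) -> tuple:
    """Turn '3.5' or '3.5.1' into a comparable 3-tuple (missing parts are 0)."""
    parts = [int(p) for p in re.findall(r"\d+", ver)]
    return tuple((parts + [0, 0, 0])[:3])


def mitigation_status(prefs_text: str, version: str) -> str:
    """'vulnerable', 'mitigated', 'patched', or 'revert-jit' (fixed build with
    JIT still off, so the setting should be restored as Mozilla advises)."""
    # A missing pref means the default, which is JIT enabled in 3.5.
    jit_disabled = parse_prefs(prefs_text).get(JIT_PREF, True) is False
    patched = parse_version(version) >= FIXED_VERSION
    if patched:
        return "revert-jit" if jit_disabled else "patched"
    return "mitigated" if jit_disabled else "vulnerable"


if __name__ == "__main__":
    print(mitigation_status(SAMPLE_PREFS, "3.5"))    # mitigated
    print(mitigation_status(SAMPLE_PREFS, "3.5.1"))  # revert-jit
```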