Topic: Firefox 3.5 JavaScript bug patched in FF 3.5.1
Wiz Feinberg
From: Mid-Michigan, USA
Posted 16 Jul 2009 2:31 pm
Just days after Firefox 3.5 was released to the public a hacker posted exploit code that took advantage of one of the new browser's enhanced features: a faster JavaScript compiler. It didn't take long for others to add appropriate codes to their exploit kits to leverage this against Firefox 3.5 early adopters.
This JavaScript bug only affects the newly released Firefox 3.5 rendering engine, not previous versions.
Actually, this bug was discovered by technicians and beta testers and was reported and being tracked on the Bugzilla forum. That may be how the exploit code was developed by the hacker who posted it on Milw0rm. Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.
In lieu of a patch, Firefox 3.5 users can protect themselves by disabling the "just-in-time" component of the TraceMonkey engine. To do that, users should enter "about:config" in Firefox's (3.5 only) address bar, type "jit" in the filter box, then double-click the "javascript.options.jit.content" entry to set the value to "false." The popular NoScript add-on will also ward off attacks.
Set your Firefox options to automatically check for, download and install updates to the browser itself and to notify when updates are available for add-ons. Many add-ons that worked fine in 3.0.11 are not compatible with version 3.5. Checking for updates to browser-disabled add-ons will alert you when they have been made compatible.
When a patched version is released I will tell you whether or not to re-enable that setting. Or, maybe the update will reset the value to the fast setting for you. It remains to be seen.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Last edited by Wiz Feinberg on 16 Jul 2009 6:45 pm; edited 1 time in total
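Added illustration, not part of Wiz's post and not Mozilla code: a small Python script that reads the user_pref() lines Firefox saves to a profile's prefs.js (or that you put in user.js) and reports whether the javascript.options.jit.content workaround described above is actually in place. The pref text below is a constructed sample, not a real profile.

```python
import re

# The pref Wiz's post says to set to false in about:config on Firefox 3.5
# until 3.5.1 is installed. Firefox writes about:config changes to prefs.js;
# a user.js in the profile folder overrides them at startup.
JIT_PREF = "javascript.options.jit.content"

# One pref per line: user_pref("name", value);  value is true/false, a number or "string"
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a Firefox 3.5 profile's prefs.js (not a real profile)
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("app.update.enabled", true);
user_pref("extensions.lastAppVersion", "3.5");
user_pref("javascript.options.jit.chrome", true);
user_pref("javascript.options.jit.content", false);
"""

def parse_prefs(text):
    """Return {pref name: Python value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and malformed lines are skipped
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything else as the literal text
    return prefs

def jit_workaround_applied(prefs):
    """True only when the pref is explicitly false. A missing pref means the
    browser default applies, which on 3.5 is JIT enabled, so that is not applied."""
    return prefs.get(JIT_PREF) is False

def workaround_line():
    """The user.js line equivalent to the about:config step in the post."""
    return 'user_pref("%s", false);' % JIT_PREF

def check_profile(text):
    """Classify a profile's prefs text as 'applied', 'default' or 'enabled'."""
    prefs = parse_prefs(text)
    if JIT_PREF not in prefs:
        return "default"
    return "applied" if prefs[JIT_PREF] is False else "enabled"
```

Feed it the contents of your profile's prefs.js to see which of the three states you are in; "default" means the JIT is still on even though the pref never appears in the file.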
Mitch Drumm
From: Frostbite Falls, hard by Veronica Lake
Posted 16 Jul 2009 5:05 pm
Wiz:
I just updated and ran Spybot Search and Destroy.
It found 30 problems, all in the Firefox browser.
I have run that application hundreds of times in the last 5 or 6 years and have found perhaps a total of 10 problems. I found 3 times that many today. I had been running IE exclusively until the last week or so.
Is this typical behavior when running Spybot on Firefox?
Regardless of whether it is typical behavior, what does it tell you?
Wiz Feinberg
From: Mid-Michigan, USA
Posted 16 Jul 2009 6:38 pm
Mitch;
First, empty your Firefox cache and close the browser, then rescan. You may have inadvertently acquired these threats by browsing to an infected web page or ad. They would be stored in the browser cache until you clear it out.
By any chance, were most of those threats cookies? If so, ignore them and exclude cookies from further detections. Also, do not trust the heuristic results of file scans. Only trust the main scanner in the program interface. Do not trust TeaTimer explicitly either. I report on false positives every week in my Wednesday Spybot S&D updates blog articles.
Notice:
Firefox v3.5.1 released
From an admin account, start Firefox, then >Help >Check for Updates
-OR-
Download Firefox v3.5.1
- http://www.mozilla.com/firefox/all.html
Mitch Drumm
From: Frostbite Falls, hard by Veronica Lake
Posted 16 Jul 2009 11:34 pm
Wiz:
I think most of those problems were cookies. The point is I found 3 times as many in one week of Firefox use as I did in 5 years of IE use. I used the same Spybot settings with Firefox as on IE.
I set Firefox to empty cache, shut it down, and went to Spybot advanced mode tools where I noticed an “ignore cookies” choice. I poked it.
I am guessing that poke by itself does NOT cause cookies to be ignored—when I poked it, a window opened with roughly 900 items, each with an empty checkbox. 26 of these items had a blue icon representing IE and began with the word cookie. The remaining 800 plus had a red icon representing Firefox, began with a dot, and didn’t include the word cookie.
Am I to assume that to really ignore cookies you would have to hand-check 900 check boxes one at a time? Who in the world would do that? There is no “check all” option. Poking “ignore cookies” does not cause these 900 boxes to become checked. If a check is required in these boxes, what is the genius programmer thinking that expects users to check 900 boxes by hand? Is there another control elsewhere?
So, I poked ignore cookies on the off chance that that alone would cause cookies to be ignored and ran the scan again. It found nothing.
I also notice that if Firefox is open when I poke “ignore cookies” in Spybot, only the blue 26 items representing IE are in the list, not 900. Counter-intuitive?
I freely admit I apparently don’t understand cookies at all. They appear to be scattered all over C: and have no common naming format. I could have 26 of them, 900 of them, or any random number in between.
I have never used Tea Timer and always use the main scanner in the interface.
I am using 3.5 and don’t recall a choice to download any earlier version. FF is set to check for new versions, but not to install them.
FYI, I did a "full" scan with Malware Bytes at 2 AM, 7-15-09. It found nothing.
I became aware of the threat you mention on Wednesday the 15th when Cal Sharp mentioned it in another thread and immediately applied the fix.
Wiz Feinberg
From: Mid-Michigan, USA
Posted 17 Jul 2009 8:22 am
Mitch;
Using the main interface on Spybot S&D, click on its menu item MODE > Advanced Mode (answer Yes) > Settings > Ignore Products > Cookie. Click the Search and Destroy button and your changes are saved. You can also open the Ignore Cookies tab and right click > Select All, which takes longer to complete.
Mitch Drumm
From: Frostbite Falls, hard by Veronica Lake
Posted 17 Jul 2009 9:58 am
Wiz:
Absolutely nothing happens when I right click ignore cookies. There is no “select all” choice.
You say “your changes are saved”. What changes have I made simply by viewing the cookie tab in ignore products?
Ignore products reveals a series of about 24 tabs. Poking the cookies tab shows about 110 cookies.cbi files. Each has an empty checkbox in front of it. Poking the cookies tab followed by poking the Search and Destroy button doesn’t seem to change anything. No checks in the boxes before and no checks in the boxes after.
Here are pastes from the Spybot help file about ignore products and ignore cookies. My comments in bold.
Ignore products:
This section lists all products defined internally and in the external include files. If you want to exclude a complete product, or include it again, select the file from this section and toggle the checkbox in front of the product name.
What checkbox? The only checkbox is one for each of the 110 cookie.cbi files shown. You didn’t mention a checkbox. Select the file?? Does that mean file type by poking the cookies tab? Or does that mean each individual cookie via the checkbox? You didn’t mention selecting anything other than looking at the cookies tab. Do you or the help file mean to manually check each of the 110 checkboxes?
Ignore Cookies
Cookies are usage tracks, but you may want to keep some useful cookies. This section lists all cookies currently on your system, allowing you to exclude them from further searches.
Of course, it doesn’t say how to exclude them, but each of the 900 has an unchecked checkbox. The implication is to check any of the 900 that you want to exclude from searches. Mousing over a random cookie brings up a balloon that says “check a cookie to exclude it from removal”. Of course, I have no idea why 900 cookies are shown in “ignore cookies” and only 110 in the cookies tab of “ignore products”. I see no way to select all 900 other than manually.
I’m no doubt operating at about room temperature IQ, but I am having trouble squaring your instructions with the help file, my own eyes, and my understanding of English.
John Cipriano
From: San Francisco
Posted 17 Jul 2009 3:09 pm
The cbi files are like signatures for Spybot. But just do the first thing Wiz said, that is go into settings and then under Ignore Products select Cookies.
If you did it wrong then the next time you search you'll see some cookies. It's not a big deal either way.
If you want to do it the other way, you absolutely should not have to check each box manually. Somewhere, either by right-clicking on one of the items in the list, or in the empty space around the list, you should be able to get a context menu that comes up which says "Select All".
Wiz Feinberg
From: Mid-Michigan, USA
Posted 17 Jul 2009 6:39 pm
John Cipriano wrote:
> If you want to do it the other way, you absolutely should not have to check each box manually. Somewhere, either by right-clicking on one of the items in the list, or in the empty space around the list, you should be able to get a context menu that comes up which says "Select All".
Amen! That is what I see when I right click anywhere over a cookie in the cookies.cbi list. There are two options that appear: "Select All" and "Deselect All." Excluding all cookies by using the Exclude > Cookies option is faster, since you don't have to wait while all your cookies are loaded into the cookies field.
Mitch Drumm
From: Frostbite Falls, hard by Veronica Lake
Posted 18 Jul 2009 1:27 am
I got it now.
I took Wiz's original instructions literally when I shouldn't have.
Going to Ignore Products > Cookie and clicking the Search and Destroy button does nothing.
Right clicking the ignore cookies tab does nothing either.
It takes a right click somewhere inside the list of cookies. Now, Spybot finds no errors regardless of the settings.
I apologize for my poor comprehension. For my next trick, I will try to find the "any" key on my keyboard.
Last edited by Mitch Drumm on 18 Jul 2009 2:33 am; edited 1 time in total
Steve Norman
From: Seattle Washington, USA
Posted 18 Jul 2009 1:31 am
My Ubuntu FF 3.5 loses the title bar, menu and close buttons in GNOME and Fluxbox. It's not ready yet. If I remember right FF 3.0 was buggy as well. Seems best to wait a bit on new FF releases as they seem to quality control their new releases via user fail.
_________________
GFI D10, Fender Steel King, Hilton Vpedal, BoBro, National D dobro, Marrs RGS
Wiz Feinberg
From: Mid-Michigan, USA
Posted 18 Jul 2009 7:54 am
Mitch Drumm wrote:
> For my next trick, I will try to find the "any" key on my keyboard.
I can help you there Mitch. The "Any Key" is on the right side of the left edge of the keyboard. There is a duplicate on the left side of the right edge of the keyboard, for those who prefer to do things that way.
The original name for the "Any Key" was "Execute" and you were supposed to press it every 108 minutes to keep your connection to the file server alive.
Bob Hickish
From: Port Ludlow, Washington, USA, R.I.P.
Posted 23 Jul 2009 8:20 am
Wiz
What is going on when you get a warning "firefox 3.5.1 image corrupt"
I have been trying to update but no joy.
-- Mac 10.3.9 --
Hick
Wiz Feinberg
From: Mid-Michigan, USA
Posted 23 Jul 2009 9:25 am
Bob Hickish wrote:
> Wiz
> What is going on when you get a warning "firefox 3.5.1 image corrupt"
> I have been trying to update but no joy.
> -- Mac 10.3.9 --
> Hick
Bob;
Take that to mean what it says. The downloaded update file is corrupted for some reason. Empty your Firefox cache and all temporary files and download the US English Firefox 3.5.1 setup file from the "Mac" column, on the Firefox 3.5.1 downloads page. Close Firefox and run the setup, using admin privileges. This should complete the upgrade process, except for checking your add-ons for compatibility.
Bob Hickish
From: Port Ludlow, Washington, USA, R.I.P.
Posted 23 Jul 2009 9:38 am
OK thanks Wiz!
Wiz Feinberg
From: Mid-Michigan, USA
Posted 23 Jul 2009 1:05 pm
Note to Ubuntu and Debian users. You must update Firefox via your (Administrative Tools) Update Manager. You cannot update via the browser itself. I don't know if the same applies to Mac PCs and Firefox, but suspect as much. A direct manual download for Mac, or other installable Linux distros should work.
John Cipriano
From: San Francisco
Posted 23 Jul 2009 8:57 pm
Steve Norman wrote:
> My Ubuntu FF 3.5 loses the title bar, menu and close buttons in GNOME and Fluxbox. It's not ready yet. If I remember right FF 3.0 was buggy as well. Seems best to wait a bit on new FF releases as they seem to quality control their new releases via user fail.
If you haven't already, try hitting F11.
I think it's possible 3.5 has a problem where it triggers full screen without asking.