Mozilla warns about JavaScript vulnerability in Firefox 3.5

Mozilla is warning users and administrators of a critical JavaScript flaw in its Firefox 3.5 browser. Bug was discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine.

To do so:

1. Enter
   about:config
   in the browser’s location bar.
2. Type
   jit
   in the Filter box at the top of the config editor.
3. Double-click the line containing
   javascript.options.jit.content
   setting the value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure.  Once users have been received the security update containing the fix for this issue, they should restore the JIT setting to true by:

1. Enter
   about:config
   in the browser’s location bar.
2. Type
   jit
   in the Filter box at the top of the config editor.
3. Double-click the line containing
   javascript.options.jit.content
   setting the value to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode.  Windows users can do so by selecting

Mozilla Firefox (Safe Mode)

from the Mozilla Firefox folder.

Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested. The flaw is the latest in a string of high-profile browser exploits in recent days.