Firefox v3.5 Memory corruption vulnerability discovered

Posted on July 15, 2009. Filed under: News, Others, Security, Super Fast Updates, Web | Tags: , , , , , , , |

         If you want to upgrade your Firefox to the latest 3.5 then think again.

     SBerry released code on Milw0rm, has issued an advisory warning of a memory corruption error in Mozilla’s newest version of Firefox, version 3.5. The vulnerability, if exploited, allows code execution that could lead to system compromise.

       The vulnerability is caused due to an error when processing JavaScript code handling e.g. "font" HTML tags and can be exploited to cause a memory corruption.

         

Here is SBerry code.

     Secunia is offering advice to Firefox users that until this newest vulnerability is patched, they should avoid untrusted websites and links. However, Brian Krebs took the smart road in his advice on the issue. Krebs, who is a reporter for the Washington Post, advised his users to disable "javascript.options.jit.content" in about:config. This fix has a drawback however, it will lower the rendering speeds of JavaScript, which is one of the major performance improvements in Firefox 3.5. If you are willing to take the trade, then his fix should work fine.

DNS INFORMATION LEAK

     There is another little glitch in firefox that exposes DNS information for users wanting to remain anonymous using proxy settings.

    Tw1zl3r reports that, “The DNS Leak issue in FireFox 3.5 is a BIG BUG because even if you use the about:Config force remote DNS look ups using a proxy the requests are still sent to your local DNS. The local DNS query leaks your web searches out for anyone with a brain cell and WireShark to view a users web query’s in plain text. FireFox 3.5 has the toggle network.proxy.socks_remote_dns option in it but when adding the option in about:Config it does nothing and is all show no go. The setting does nothing and allows DNS to Leak.”

      However, some users who tested his point wonder if the DNS leak has more to do with an add-on than Firefox itself. However, if it is a Mozilla issue, then it would need to be addressed as soon as possible.

[Source]

Advertisements

One Response to “Firefox v3.5 Memory corruption vulnerability discovered”

RSS Feed for AKS-Feel The Change! Comments RSS Feed

Hi,

The DNS leak is now fixed in FoxyProxy Standard 2.16, FoxyProxy Basic 1.3, and FoxyProxy Plus 3.3. Be sure to check “Use this proxy for all DNS lookups” when marking a proxy as SOCKS in FoxyProxy.

If you agree that it’s fixed, I’d appreciate another blog post (or an update to this one) so people finding your blog on the internet–like me–get more accurate information.

Best regards,
Eric Jung
Author
FoxyProxy


Comments are closed.

Liked it here?
Why not try sites on the blogroll...

%d bloggers like this: