Unpatched Firefox flaw lets fox into henhouse

An unpatched memory corruption flaw in the latest version of Firefox creates a means for hackers to drop malware onto vulnerable systems. Security notification firm Secunia reports that the security bug (which it describes as extremely critical) stems from errors in handling JavaScript code. The flaw has been confirmed in the …


This topic is closed for new posts.
  1. Bob Gateaux

    Too many now

    This gets to be beyond the funny joke.

    Microsoft must launch program to help user stop Firefox before it starts as part of security suite, or uninformed user will accidentally use it and have their bank stolen.

    Why Firefox developers not prosecuted for all this?

  2. Tom 15

    Chrome, Opera and Safari

    Security through obscurity is surely worse than an obscure non-exploited bug.

  3. Tom 101

    @Bob Gateaux

    You do realise IE has a security issue with activeX currently don't you?

  4. James Dunmore

    Who will patch it first

    It's all about days without patching when it comes to security stats.

  5. Anonymous Coward
    Jobs Horns

    And now for something completely different...

    a security hole in Firefox...

  6. Roger Stenning

    That's one of the reasons I use NoScript.

    That's why I use NoScript - belt and braces all the way: it may not stop the attacks, but it makes it a tad more difficult for those script kiddies and whatnot to execute an attack.

  7. Anonymous Coward
    Thumb Down

    I demand

    That Firefox's vulnerabilities are not fixed for a year - not doing this would give them an unfair advantage over IE.

  8. Anonymous Coward

    Opera, Safari and Chrome more secure?

    Safari is full of almost as many holes as Internet Exploiter, crapple just don't admit it.

    Opera is bloatware, closed source and has a complete lack of good addons as well as being nowhere near perfect in security. Chrome also lacks essential addons as well as basic functionality such as RSS reader, or even menus.

    As it is, no browser is secure until you install Adblock Plus and NoScript.

  9. Anonymous Coward

    Time to fix is the key

    Bugs happen. Let's see which one gets a fix available first...

  10. OkKTY8KK5U

    A fine theory, but...

    "Selecting Firefox over IE when both have unresolved security problems fails to make much sense, leaving Windows users looking for more secure surfing software alternatives with a choice limited to Opera, Safari and Google Chrome."

    Other than the fact that with Firefox, anybody with half a brain is using Adblock and Noscript?

  11. Cameron Colley

    Slow hand clap for 3.5...

    I know it must be dull as hell poring over already written code looking at ways to remove leaks and the like but, for fuck's sake, can't they at least try and fix the memory leaks in one major version before releasing the next?

    Let me guess, it's because they still have to support XP that this happened?

    Makes me wish Opera wasn't so fucking annoying.

  12. Martin Taylor 1

    Not rocket science...

    The simplest workaround is to install the "NoScript" add-on, and only allow scripts on sites known to be trusted.

  13. Klaus

    Re: Too many now

    I'm sure other people will chime in before me, but what the F#@I are you talking about??? If you compare the amount of security vulnerabilities and the length of time until they're patched FF still beats IE hands down.

  14. amanfromMars 1 Silver badge

    A Natural Viral Progression/Regression

    Would protection be needed against milfw0rm, or would it be a Active Novel Purge Strain of Alien to Man Code...... Sweet Nectar for Sticky Honey Traps.

  15. Wokstation

    NoScript FTW?

    Is NoScript any good at halting this attack vector, oh lords of El Reg?

  16. Flocke Kroes Silver badge

    More choices

    lynx is safe against all attacks that require javascript, java, flash or activex. It works very well with limited bandwidth.

    If you are too lazy to compile your own browser, a web search for "lynx browser compiled windows" will give you several choices. Similar searches for links and w3m did not show anything convincing near the top, but I did find this:

  17. BlueGreen

    @Cameron Colley

    It's a mem corruption not a leak, assuming you know the difference. Perhaps you could be a beta tester/code reviewer instead of moaning. Probably too dull for you though.

    Or: use noscript.

  18. H 5

    FF anyday

    I'd use FF over any of the others on my PC any day - AdBlockPlus and NoScript are essential addons. FF isn't invulnerable but it's a damn sight better and more customisable than IE or Chrome.

  19. Sooty

    it's only a javascript bug

    so no-script will sort it.

  20. ElReg!comments!Pierre


    "Secunia advises Firefox users to avoid browsing untrusted websites or following untrusted links pending the availability of a fix from Mozilla"

    Or maybe just untick the "allow javascript" box?

  21. Anonymous Coward

    Shock! Horror!

    A serious security bug in JavaScript, "Well who dun thunk it was possible?"!

    Seriously, turn off JS in ANY browser you run, it's the worst thing since MS, Oracle and Sun all started boasting about improved security in their products!

  22. twelvebore


    Sorry, NoScript isn't the answer. Or rather NoScript is no more the answer to web security than pulling the Ethernet cable out the back of your PC. NoScript is like Vista UAC but ten times more intrusive and annoying, and therefore ten times more likely to get the "yeah, whatever <click OK> <mutter>stupid *%^@ing browser</mutter>" treatment.

  23. Eddy Ito


    "leaving Windows users looking for more secure surfing software alternatives with a choice limited to Opera, Safari and Google Chrome"

    Whose fault would that be? No I get it, because OS Xers and linuxites get sooo many more options.

  24. The Original Steve

    @FF lovers

    The thing you are forgetting is that by using IE on Vista or Win7 you aren't exposed to the issues relating to the IE zero day bug or the Firefox bug.

    The security pros should probably be saying "avoid using Firefox until a fix is released, such as using IE7/IE8 on Vista or Windows 7".

    Also to the guys gloating about NoScript and AdBlock.... the problem is that the majority of the users out there have less than "half a brain". FF has the market share where it's logical to assume that it's way, way past a geek thing. Mums and Dads, Grandma, kids etc. are all using FF on IT pros' recommendations.

    Do you really think they've installed NoScript? If you've installed it do you really think they haven't disabled it or will the very second they find out it's stopping them from getting their "FREE SCREENSAVER!!!"...? Course not.

    Security by picking a product cause it's open source is bollocks. It's no better or worse than closed sourced.

    And you can skip the bullshit about taking a year to fix. The IE exploit has been in the public domain for a few weeks, yet the devs have known about it for a year. The FF one could easily have been in the same boat - where a sole dev has known about it but hasn't fixed it as it's not in the public domain as yet and a fix could break a lot.

    P.S. I love the way OSS fans have gone from "it's open source so anyone can read the code. 100,000 devs looking at the codebase must make it more secure than just a few hundred." to moving along to a different angle of "it's all about the speed of a fix which anyone can do as it's open source." FUCK OFF! IT MAKES NO DIFFERENCE. Most people don't give a flying fuck if it's open, closed or ajar source - they won't bother looking at the code.

  25. Conor Turton

    Difference with IE...

    The difference with IE on Vista and Win7 is that it runs in a sandbox so even if there were an exploit, the OS is safe unlike you'd be using Firefox.

  26. Anonymous Coward


    Back to lynx! Yay!

  27. Kev K


    Or instead of bitching about which is the bestest way of reading the news/facebook you could do what many IT aware folks do - random surfing in FF with adblock/noscript & "trusted" sites like your Bank/Intranet in IE (ALT tab - not hard is it to switch between browsers?), run a (free) OpenDNS account with phishing/malware sites blocked at dns level. A decent antivirus (Avast (free) is my personal choice for home & Trend Worry Free (Small/Medium biz/SOHO) for the office) & if you MUST look for warez/torrents/cracks/keygens/pr0n/stuff™ either use a limited account, a sandbox or a virtual machine (don't M$ offer theirs free now ??)

    IT'S NOT ROCKET SCIENCE to spend an hour or so setting yourself a secure system up, you have no-one to blame but yourself if you can't be ar$ed to keep your system reasonably secure.

    FFS you're reading an IT site with loads of free info handed out not only in the articles - but also in the comments, half a dozen clicks on Google will sort you out.

    Back to the article - Ohh another browser with issues - bet you're glad you weren't singing the praises of FF in the "IE's knackered" story earlier .... Oh.... Oops, isn't there a saying about pride goes before sticking your foot in your gob or something ??

    Browser wars are the same as OS wars use the tools you're given and don't click on the "lolz - I saw you doing something stupid in a place you've never been - while you were tucked up in bed with a glass of milk" or the "you have won something" or "famous chick with her airbags out" & you know a random stranger is not going to email you a fortune/love letter - you know it's a scam & if you click on it you're just a retarded moron


    Deep breath & Calm


    I have been dealing with multiple idiots all day who "know about computers"

    Grenade as morons should be made to eat one once in their life

  28. Anonymous Coward

    Firefox vs Exploder

    The thing with alternative browsers used to be that when someone took advantage of Internet Explorer vulnerabilities it was the equivalent of handing them regular Explorer. They were the exact same piece of software which is why Microsoft always complained that unbundling IE was impossible. Anyone who remembers Windows 1.0 will know that it was nothing more than File Manager, the predecessor to Explorer. Internet Explorer was Explorer with a different skin.

    However all that got murky with the release of IE 7 and now Microsoft have started doing things like forcing .Net as an irremovable addon into Firefox. That all they needed to do to make Firefox as vulnerable as IE was to make it an all user addon rather than install it under the current profile is a massive Firefox flaw in and of itself. Don't tell me all you need to do is disable the addon, the fact you can't remove it is a joke.

    Add this to that the fact Firefox (and Mozilla) has always been Javascript-challenged and now you have something that needs addons to make it safe to use as well as some basic re-configuration that most key-mashing users with no technical background will never do.

    So now our choices seem to be handing someone Explorer through IE, handing them Windows through Firefox or hoping that the coders of the next alternative browser have learned something from the mistakes of Microsoft and the Mozilla Foundation. I'm not exactly overwhelmed with optimism when it comes to Chrome and Opera has turned into some sort of adware delivery system.

    Yes it is partly Microsoft's fault for making taking out Firefox, and while I never automatically install every update Microsoft claims is vital, I'm stuck with the quandary of wondering what flaws I've left unresolved and whether the updates I do install have introduced new flaws as well as maybe some old flaws that have been cut and paste back into the code.

  29. This post has been deleted by its author

  30. Henry 3

    We will all be safer

    when we stop using web browsers like IE and Firefox. Me? I use Lynx.

  31. Jason DePriest

    where is proof-of-concept

    So I can see if Firefox with AdBlock Plus+NoScript+RequestPolicy+JavaScript Options can prevent exploit.

    Let's see... for IE I can use the extension... um... or... never mind.

  32. J 3

    @Too many now

    Furthermore, what do you have against articles, be they definite or indefinite? There was one lonely "the" there, and it was used incorrectly anyway, poor thing...

    Wait a sec... Russian has no articles. Are you a Russian with a French handle?

  33. Anonymous Coward

    @Bob Gateaux

    You forgot "Ha ha, I troll you!"

    Silly billy.

  34. BOBSta

    That's it!

    I've had enough and I'm bricking up my intertubes right... no... <carrier lost>

  35. Anonymous Coward

    All platforms?

    Is this advisory for Firefox users on all platforms, or just Windows?

  36. adnim


    After playing with the code from milw0rm I just need to create my own shell code and upload this beauty to all my porn/warez web sites and XSS a few others I have rooted, nice one. Thanks Simon.

    I do wonder however, how many people smart enough to choose FF over IE are so dumb that they don't use NoScript.

  37. Sly

    noscript FTW

    javascripts got your idents... block them with noscript...


    I haven't surfed without noscript for over a year now. no issues since either.

    I don't see IE having a script blocker on it or add-in for such to work around the active-x bugs. at least firefox users can put on a condom (noscript) unlike IE users that are just open for abuse.

  38. blackworx

    Chrome, Safari, Opera

    Chrome: Completely unsecure in normal config (only time I ever got drive-by download nastyware was when using Chrome).

    Safari on Windows: As bad as FF/IE, security through (relative) obscurity.

    Opera: Same

    Firefox may not be very good security wise, but NoScript and a small army of other security/visibility-enhancing plugins go a long way towards fixing that, and also makes Firefox much, much easier to keep an eye on. Using any other browser I'm constantly worried about what's going on behind my back.

  39. Steve Evans

    Early adopters...


    I'm still waiting for some of my add-ons to be updated for 3.5, so I'm still on 3.0.11... Maybe I'm safe... Maybe I'm not... Anyone know?

  40. jake Silver badge

    But ...

    But what about Konqueror?

  41. Anonymous Coward


    "Secunia advises Firefox users to avoid browsing untrusted websites or following untrusted links pending the availability of a fix from Mozilla"

    So now we're advised to avoid untrusted sites while we happen to know of a specific bug our browser has. What do we do the rest of the time? What we really have to do is accept that browsers are crappy applications that we feed every piece of crap we can find into.

  42. Ken Hagan Gold badge


    You know, even IE is pretty secure if you disable scripting and ActiveX. (I wonder if would-be internet advertisers know that only dumb folks can see their ads.)

  43. Ian Neal

    Better Pipeline

    A better place to see what is happening security wise is plus a temporary workaround is given.

  44. Stevie


    Predictably the FF support choir starts bleating that its leaky boat is better than the other leaky boat because when it comes to leaky boats, it's all about the add-ins (C/W duelin' dirty trix by otherwise doctrinally sound open source evangelists), days since the last hole was patched yaddayaddayadda.

    Face it foxers, your "better" product is as motheaten as The Other Guy, and for much the same reasons. Now you have to find a new browser to fall in love with & cease thy evangelising of a broken product, or be labeled hypocrites. Instead of directing your ire at the people who don't now, and never will use this ugly bit of tat, direct it at the people who left the bleeding holes in the thing in the first place.

    If I understand the open source process, at least as it has been touted in these here comment pages over the years WRT Firefox, that would be yourselves in some cases.

    And how ironic is it that Ms Clinton was just being harangued by "knowledgeable" government IT people begging for Firefox?

    The whole internet "world in a browser" model is fundamentally flawed anyway. I blame dynamic linking, cascading style sheets and the senseless demand for more shiny in the webpages.


  45. Anonymous Coward

    We are running out.......

    Of safe browsers. They suggest using an "alternative browser" but please tell me which one isn't full of holes? It's like telling someone to run in one direction away from a bomb, only to find that they are blown up by a bomb whilst running the opposite way.

  46. This post has been deleted by its author

  47. Remy Redert

    RE: Opera, Safari and Chrome more secure?

    Opera may be closed source and it might be lacking in add-ons (A lacking which I personally am not bothered by), it is quite secure and most certainly not bloatware. Opera's the only browser I've seen so far that I can leave open for weeks at a time without it gobbling up huge amounts of memory.

    Internet Explorer 7 just falls over after a few hours, once I get past a dozen or so tabs. IE8 I haven't tested yet. Firefox leaks memory all over the place, having a lot of tabs open just makes matters worse. Chrome does fine with small amounts of tabs and doesn't seem to leak memory, but after a dozen or so tabs starts to use excessive amounts of CPU time.

    I haven't tested Safari (No Apple software on my Windows machines, tyvm) myself, so no comments on that.

  48. Antoinette Lacroix

    Bloated ?

    If Opera is so bloated, why is it only 30% of FF's size? The addons, some might miss, are already built-in. Closed source it may be, but look at the bright side: It keeps the GPLtards away.

  49. Si 1


    I don't use NoScript. I've tried to put up with it but it breaks too many sites. Even when you completely disable it I've had dozens of sites that still won't load properly. It's great in theory but it just has too many compatibility problems to make it worth the hassle. I do run AdBlock though as that has never caused me any problems.

  50. The BigYin


    Two security flaws for MS and Mozilla to address. Let's see who wins, it's a straight race.

  51. SilverWave

    Temp Fix

    "As it is related to the new TraceMonkey JavaScript optimizer, users can mitigate it by temporarily disabling the optimizer. To do so:

    * Enter about:config in the location bar to access advanced preferences.

    * Look for javascript.options.jit.content and double click it to set it to false."
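
An added example, not part of the post above or of any Mozilla code: a Python check that reads the text of a Firefox profile's `prefs.js` and `user.js` and reports whether the quoted workaround is in effect. The function names and the sample file contents are constructed for illustration, and treating a missing entry as "browser default" is an assumption; `user.js` is read last because Firefox applies it over `prefs.js` at every start.

```python
import re

# Preference name taken from the workaround quoted above.
PREF = "javascript.options.jit.content"

# Matches lines of the form: user_pref("name", value);
# Anchored at line start so that "// user_pref(...)" comments are ignored.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def convert(raw):
    """Turn the textual value of a pref into a Python bool, str or int."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # unknown form: keep the raw text


def parse_prefs(text):
    """Return {name: value} for every active user_pref() line in text."""
    prefs = {}
    in_comment = False
    for line in text.splitlines():
        if in_comment:                      # inside a /* ... */ block
            if "*/" in line:
                in_comment = False
            continue
        stripped = line.strip()
        if stripped.startswith("/*"):
            in_comment = "*/" not in stripped
            continue
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = convert(match.group(2))
    return prefs


def jit_workaround_status(prefs_js="", user_js=""):
    """Report (status, source) for the content JIT preference.

    status is "disabled" (workaround applied), "enabled", or "default"
    (no entry in either file, so the browser's built-in default applies).
    source names the file that decides the value, or None.
    """
    saved = parse_prefs(prefs_js)
    forced = parse_prefs(user_js)
    if PREF in forced:                      # user.js wins at startup
        value, source = forced[PREF], "user.js"
    elif PREF in saved:
        value, source = saved[PREF], "prefs.js"
    else:
        return ("default", None)
    return ("disabled" if value is False else "enabled", source)


# Constructed sample of a prefs.js after the workaround has been applied.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
/* Do not edit this file.
 * user_pref("javascript.options.jit.content", true);
 */
user_pref("browser.startup.homepage", "http://example.invalid/");
user_pref("javascript.options.jit.content", false);
'''

if __name__ == "__main__":
    print(jit_workaround_status(SAMPLE_PREFS_JS))
```

A value that lives only in `prefs.js` can be flipped back from about:config at any time; the same line in `user.js` is reapplied each time the browser starts.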

  52. Steve 72

    Opera is bloatware?

    Yeah, right, best do some math over.

    FF has routinely beaten out IE for exploits on multiple occasions. What a (dubious) achievement.

  53. David 141

    Security "advisory" isn't

    The link to the demo script is informative. It looks like the script can stuff arbitrary code into the heap allocated to Firefox's document object model and get it to execute (when it is rendered?).

    - I'd like to see whether DEP will stop this - it should prevent code in Firefox's heap executing

    - Running as a limited user will mitigate damage

    - Turning Javascript off should prevent the problem entirely

  54. Chris Miller

    If NoScript is the answer, what was the question?

    In the wise words of St Bruce of Schneier: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

    Apart from the problem already pointed out, that typical users will just click through any warnings to get to their web page, it only needs a flaw on your favourite (oh so safe) web site to allow an attacker to insert an attack vector.

  55. Anonymous Coward


    Just to point out, you can achieve the same thing, and more, by using security zones in IE.

    As for recommending people to switch from IE & Firefox to another browser, that's just stupid - these other browsers will have holes, and they will be exploited if lots of people suddenly decide to use them.

  56. A J Stiles

    Konqueror FTW

    I'm still using Konqueror and it's still great. 'Nuff said.

  57. Anonymous Coward

    Noscript is the second coming

    It will save us all, even if sites we regularly use are compromised?

    Nope? Maybe it's not complete security.

    However a lot of infections come from dodgy ad servers loading scripts instead of adverts, so it helps. And if you're not using adblock it'll help with loading times. Unfortunately its tendency to cripple sites unless partially disabled means that it's not total invulnerability, just a bit more protection. Which honestly, is the best you can hope for. More protection without significant performance overheads is about as good as security can get without lost functionality. Adblock just does it by stopping anything you don't need to use (and everything by default).

  58. Anonymous Coward


    ...aren't I glad I have a girlfriend. ;0)

    Reading how consistently passionate everyone is about something that has always been this way, and will NEVER change, really makes me smile.

    It's not the end of the world.

    Personally (and thanks to working in IT Dev), I couldn't give a toss if my machine at home fell victim to an attack via this (or any other) browser flaw, and there are many. I sit at a f*cking computer ALL DAY damn it! The freedom would soon be realised and appreciated.

    And if one of these flaws takes down my pc at work. Who cares! It's not mine!

    'Browser wars - Episode 753 - The Phantom news story'.

    BIG Bagpuss style <YAAAAAAWN> :0)


  59. kain preacher

    @ 17:09 GMT

    However all that got murky with the release of IE 7 and now Microsoft have started doing things like forcing .Net as an irremovable addon into Firefox.

    Um its removable.

  60. Chris 29

    .net in FF

    While it is atrocious that the beast from Redmond does this it is just as easily reversed... When I upgraded to ff3.5 I checked my add ons and chucked the ms one out... First disable and then remove... easy peasy

  61. Dave Bell

    It's the Webtards

    Javascript is useful, but if the webtards didn't make so much depend on their code running on my machine, if there wasn't the sea for the sharks to swim in, I'd be a lot happier.

  62. The BigYin

    @Chris 29

    It's not "easy peasy", it requires registry hacking. It is a serious flaw the FF allowed in install (for all users!) without express consent and it is a further serious flaw that FF gives you no "easy peasy" way to get rid of the .Net pish.

  63. Anonymous Coward

    @kain preacher and the .Net add-on

    "Um its removable"

    a) Yes, it is NOW.

    b) They had no f*cking business adding it on in the first place.

  64. Bernie 2

    Re: Chris Miller

    "If NoScript is the answer, what was the question?"

    I think the question is "how best to make your internet browsing experience a miserable one"

    - bernie

  65. adnim

    @David 141:Security "advisory" isn't

    If you mean DEP as enabled by default in XP, then no DEP doesn't mitigate the attack.

    FF 3.0.11 on linux is also vulnerable, I haven't managed to craft a working payload yet ( with the aid of msf... I ain't smart enough to craft my own) but I have crashed/locked up Ubuntu 9.04 whilst trying.

  66. Dale Richards

    @Jason DePriest et al

    I use Firefox+NoScript as much as the next man, but it's wrong to say that you can't achieve the same thing in IE.

    The equivalent functionality is built into IE and does not require any add-ons. Just disable scripting and ActiveX for the Internet Zone and add trusted sites to the Trusted Sites zone. Admittedly, adding sites to Trusted Sites isn't as "two clicks" user friendly as NoScript, but it achieves the same thing.

  67. Jacob Reid


    No, UAC continually nags you every time. Noscript only needs an initial 'mark as trusted' for trusted sites, and 'mark as untrusted' for analytics sites, ad sites, etc.

  68. OkKTY8KK5U

    @ Si 1

    Very strange. I don't doubt you, but I've never personally had that problem - then again, I take Flash as a personal insult and figure that any site lacking a plaintext navigation system doesn't want me to visit it, so take that for whatever it's worth. I admit that I usually bristle a bit when people suggest this to me, but: have you recorded what other extensions you have installed and made some kind of bug report to Noscript's creators?

  69. Sean Timarco Baggaley

    Would someone please explain why...

    ... Open Source is supposed to be so great again? Not only are people now seriously suggesting that *deliberately crippling* their golden browser is now considered "normal behaviour", but they're also wailing against Safari. Safari is built on WebKit which is *also* Open Source.

    From what I can tell, Opera does everything Firefox does, in a much smaller footprint. Oh yes: and all those tabbed browsing, mouse gestures and quick-dial features? Guess who invented 'em! (Hint: 'fat lady singing'.)

    Development tools and the Internet's present antediluvian infrastructure are the cause. Buggy software and code bloat mere symptoms.

  70. El Richard Thomas


    The only way NoScript can give UAC-like annoyance levels is if you can't be arsed to check out the options. Click the icon, click Options, click Notifications and untick the box marked "Show message about blocked scripts". Thereafter you browse as normal and if a site doesn't work as you expect you can click the icon and decide whether to temporarily allow that site to run scripts.

    The worrying thing is that someone reading a technology site can't work this out for themselves... ;-)

  71. Eddie Johnson

    The problem with "trusted sites" advice...

    The problem with "trusted sites" advice is that no site that allows user content with scripts and links can be trusted. This includes pretty much all of the top 10 destinations, eBuy, FaceSpace, YouBoob, et al.

    I don't know why sites like eBay allow lusers to post JavaScript. I guess for the "rich user experience." All I've ever seen people do with it though is try to disable my ability to right click in a misguided attempt to prevent people from saving their precious images - how rich is that?

    I've said all along - if I can't use your site without script and cookies I won't be there long.

  72. Anonymous Coward

    Noscript is beside the point

    Most people here are fully aware of how to mitigate javascript flaws, we've been doing so for over a decade. I'd even go so far as to say most of us know how to surf using Microsoft Firefox Installer without getting enough malware to warrant a rebuild.

    But this isn't the point. The point is that computers have been sold for well over 15 years on the principle that everyone should not only have one, but they should use it to communicate with their grandchildren or college friends and perhaps learn a little bit about the world we live in.

    Worse they are then told a complete crock of shit when they're told that the expensive internet protection package they have bundled with the PC is going to make it safe to do so. Would it be so hard for one of these PC megastores to employ someone who has a clue and will not let anyone take a PC home without a decent firewall in place?

    No because that would be something close to customer service, so instead they'll sell a dog turd of a system and charge a premium for it. Fact is if we are serious about continuing to earn our livings doing this or supporting the businesses that do this, we ought to be able to say with some confidence that you can surf corporate websites with no need to set up firewalls or install and then spend days answering questions from anti-javascript addons.

    Noscript is not a piece of software you can give to someone who doesn't know how to copy photos from a digital camera memory stick. You might as well install it with a Simplified Chinese language pack for all the sense it will make to those that need it most.

    If computers are the appliance that PC World and Best Buy claim they are, they should work with zero configuration required. And if they aren't then they shouldn't be sold to people without a cigarette warning on the box that tells them they'll need to spend months learning how to surf safely before connecting to the internet.

    My own theory is that every PC should be bundled with 100 dvds stuffed full of the best porn and the network card safely configured with a screw driver and a mallet. Because what need for the internet if you've got what you wanted from it already?

  73. jeanX

    unpatched ff

    Golly, I sure miss opera. I miss it b/c I could not that 'lock'.

    It just wasn't there. Plus, I had a site that was permanently blocked,

    a popular site.

    I don't like ff. Where is speed dial?

    This has nothing to say about unpatched ff or the slow start-up of 3.5.

    But, I worry about people using opera. Be careful.
