HOW-TO: Firefox Javascript Security Hole Stopgap Measure

Firefox 3.5 may be the latest and greatest release, but it has its share of security holes. Hackers have posted code and instructions for exploiting a critical security hole in the popular browser, so until it is patched, millions of users are exposed to the threat.

The security hole was introduced with the addition of TraceMonkey, the JavaScript engine that speeds up JavaScript in this version of Firefox.

There is no need to downgrade to Firefox 3.0. The same website referenced above illustrates the procedure for turning the TraceMonkey feature off:

  • open a new tab;
  • type “about:config” and hit enter;
  • read the warning and heed its wisdom;
  • enter “jit” in the filter field;
  • change the value of “javascript.options.jit.content” to enable (true) or disable (false) TraceMonkey for JavaScript in Web content;
  • change the value of “javascript.options.jit.chrome” to enable (true) or disable (false) TraceMonkey for JavaScript in XUL/chrome.
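An added example, not from the original post or from Mozilla: a small Python audit that reads the text of a profile's prefs.js and user.js, reports the effective value of the two preferences from the steps above, and produces the user.js lines that pin them to false. The function names and sample file contents are constructed for illustration; it assumes the standard `user_pref("name", value);` line format and that user.js is applied over prefs.js at startup.

```python
import re

# The two preferences named in the about:config steps above.
JIT_PREFS = ("javascript.options.jit.content", "javascript.options.jit.chrome")

# One boolean line of prefs.js / user.js: user_pref("name", true|false);
# Anchored at line start so commented-out lines (// user_pref...) are ignored.
PREF_RE = re.compile(
    r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.MULTILINE)

def parse_bool_prefs(text):
    """Return {name: bool}; if a pref appears twice, the later line wins."""
    return {name: value == "true" for name, value in PREF_RE.findall(text)}

def effective_jit_state(prefs_js, user_js=""):
    """Merge the two files (user.js takes precedence).
    None means the profile does not set the pref, so the browser default applies."""
    merged = parse_bool_prefs(prefs_js)
    merged.update(parse_bool_prefs(user_js))
    return {name: merged.get(name) for name in JIT_PREFS}

def user_js_fix(state):
    """user.js lines that pin every JIT pref not already false to false."""
    return ['user_pref("%s", false);' % n for n, v in state.items() if v is not False]

# Constructed sample profile contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", true);
// user_pref("javascript.options.jit.chrome", false);
'''
SAMPLE_USER_JS = 'user_pref("javascript.options.jit.content", false);\n'

if __name__ == "__main__":
    before = effective_jit_state(SAMPLE_PREFS_JS)
    print("before:", before)
    print("append to user.js:", user_js_fix(before))
    print("after:", effective_jit_state(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

Lines written to user.js are reapplied on every start, so the setting survives a later change made through about:config until the lines are removed.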

While Mozilla is tackling the issue and working on a patch or upgrade, it is advisable to plug the hole by disabling TraceMonkey, that is, by setting both preferences above to false. This brings 3.5 back down to 3.0 JavaScript speeds. Believe me, with millions (even billions) of websites out there, disabling the TraceMonkey engine is well worth the trade-off for now.

And with the millions of users who have downloaded Firefox 3.5 since its release, imagine the number of potential targets for malicious JavaScript code.

It is true that functionality should take precedence over security. But in this case it is prudent to prioritize security, given how powerful JavaScript is and what it can do, especially when exploited. You could be the next unwilling victim!

With their track record, Mozilla should be able to come up with a fix soon.
