
DOE-CIRC TECHNICAL BULLETIN

T-186: Mozilla Firefox 3.5 'Tracemonkey' Component Remote Code Execution Vulnerability

July 17, 2009 13:00 GMT

PROBLEM: Mozilla Firefox version 3.5 contains a vulnerability in the TraceMonkey components of Firefox's JavaScript engine.
PLATFORM: Mozilla Firefox 3.5
ABSTRACT: The vulnerability is a JavaScript engine bug: when a trace deep-bails, the engine does not properly restore the return value produced by the (fast native) escape function.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-186.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/bid/35660/discuss
    Mozilla Website:
      https://bugzilla.mozilla.org/show_bug.cgi?id=503286#c14
      http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
      http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
    US-CERT: http://www.kb.cert.org/vuls/id/443060


IMPACT ASSESSMENT: This risk is high. A remote, unauthenticated attacker may be able to execute arbitrary code or cause Firefox to crash.

Discussion:
Mozilla Firefox is prone to a remote code-execution vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions.

The issue affects Firefox 3.5; other versions may also be vulnerable.

NOTE: Remote code execution was confirmed in Firefox 3.5 running on Microsoft Windows XP SP2. A crash was observed in Firefox 3.5 on Windows XP SP3.

UPDATE (July 15, 2009): Remote code execution is also possible in Firefox 3.5 running on Apple Mac OS X.

Solution:
Firefox 3.5.1 has been released to address this issue. See Mozilla Foundation Security Advisory 2009-41 for more information. Until updates can be applied, the workarounds below may mitigate this issue.

Disable TraceMonkey

To disable the vulnerable components, open the about:config interface and set both javascript.options.jit.content and javascript.options.jit.chrome to false. JavaScript will still run, but the TraceMonkey performance enhancements will be disabled.
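On a managed fleet an administrator will want to verify the workaround from the profile's prefs.js rather than by opening about:config on each machine. The following is an added example, not part of the bulletin or of Mozilla's own tooling: it parses user_pref lines as Firefox writes them, reports whether both JIT preferences are explicitly false (a missing preference means the Firefox 3.5 default, JIT enabled, is in effect), and emits the user.js lines that keep the setting in place across restarts. The prefs.js content is a constructed sample.

```python
import re

# One user_pref line as written in a Firefox profile's prefs.js or user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$')

# The two TraceMonkey JIT preferences named in the bulletin's workaround.
JIT_PREFS = ("javascript.options.jit.content", "javascript.options.jit.chrome")


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in prefs.js-style text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, malformed entries
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def jit_workaround_applied(prefs):
    """True only if both JIT prefs are explicitly set to false.
    A missing pref means the Firefox 3.5 default (JIT enabled) is in effect."""
    return all(prefs.get(p) is False for p in JIT_PREFS)


def user_js_lines():
    """Lines to append to the profile's user.js so the JIT stays off on next start."""
    return ['user_pref("%s", false);' % p for p in JIT_PREFS]


# Constructed sample: only the content JIT was disabled, so the workaround is incomplete.
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", false);
user_pref("javascript.options.jit.chrome", true);
"""

if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    print("workaround applied:", jit_workaround_applied(prefs))
    print("\n".join(user_js_lines()))
```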

Use NoScript

Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts will help to mitigate this vulnerability. Further details for configuring NoScript are available in the Securing Your Web Browser document.

Disable JavaScript

For instructions on how to disable JavaScript in Firefox, please refer to the Firefox section of the Securing Your Web Browser document.

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788