by Carla Schroder
Managing Editor
A medium-large bit of news this week is a potentially serious
exploit in the shiny new freshly-released Firefox 3.5, which
was released, discovered, and fixed nearly all at the same
time:“Mozilla’s Firefox 3.5.1 browser is now out with fixes
for one critical zero-day vulnerability that first became public
earlier this week.The zero-day flaw is a vulnerability in Firefox 3.5’s
Just-in-Time (JIT) JavaScript compiler. Mozilla’s security advisory
describes the vulnerability as “an exploitable memory corruption
problem.””Even though this is a potentially serious security hole that
could possibly allow a remote attacker to take control of the
user’s PC, the Firefox team were praised for taking rapid action
and early disclosure, and reporting a workaround to plug the hole
until it could be fixed permanently. Another open source security
success story!Except for one thing– of all the news stories I read, and the
announcement on
Security Focus, and the announcement on the
Mozilla Security Blog itself, none of them bothered to report
if this dastardly flaw affects Linux, Mac, and Windows, or just
Windows, which naturally is the default assumption. Yo Firefox
persons– you do know it is a cross-platform application, don’t
you?So I spent a good part of my morning reading and calling people,
and finally unearthed this little nugget buried in the comments on
the Mozilla security blog:“44. Daniel Veditz {Thursday July 16, 2009 @ 12:30
am}
@DJ, @Kevin: the underlying bug happens on all platforms. The
proof-of-concept exploit posted to milw0rm contained a windows-only
payload, but it wouldn’t be too hard for someone to graft on Mac
and Linux payloads from the Metasploit project and make it
cross-platform.”I’m trying to not yell and swear, but why isn’t this information
front and center? What should Linux and Mac users do, run around in
a panic like Windows users, and hope we have current uninfected
backups? How much of a threat is it really on Linux and Mac? We
know that Firefox’s Javascript engine is the same one on all three
platforms. We know that Linux has genuine privilege separation and
it is very hard to execute remote code on a Linux system. If you
further confine privileges with SELinux, or set up a guest on a
virtual machine you can download and execute malicious code all day
just to watch it wiggle helplessly. (The code for this exploit,
which is not really an actual exploit but a proof-of-concept, is at
milw0rm.com/exploits/9137,
without a payload)Like most Firefox users, I am neither an ace coder nor a
security guru whiz, so I don’t know the answers. Anyway it’s your
job to tell us what we need to know.Firefox folks, you can’t have it both ways– you can’t dole out
little nuggets of incomplete information and expect us to be
informed users who do the right things to keep our systems safe. I
happen to know for a fact that you do not get charged by the word,
so please use a few more words and always give us complete
information. Thank you.
LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.