Last week a critical bug was discovered in Mozilla Firefox’s JavaScript engine. Unfortunately, the details of exploiting this bug was released yesterday and is currently doing the rounds on the internet. This bug affects Firefox’s new JavaScript rendering engine(TraceMonkey) and has been termed as highly critical by the Secunia.com ^[1]. Hackers can gain control of any user’s system by installing rogue software when they visit an exploited website.

Mozilla has confirmed that they are working on a fix. In the meantime there are a couple quick fixes you can implement.

• This vulnerability only affects the new Just In Time compiler that is a part of Tracemonkey JavaScript engine. Hence, you would be safe if you disable the new engine.
  • Type “about:config” in the address bar and press Enter. Ignore the warning.
  • In the filter box type “jit”. You should notice an entry titled “javascript.options.jit.content”.
  • Change its value from True to False. You can change the value by double clicking on the line or using Toggle option from the right click context menu.
    This will force Firefox to use the older rendering engine which is slower, but immune to this exploit. Once a patch is released simply change the value back to true.
• Another solution is to simply block JavaScript on all untrusted websites using No-Script extension ^[2].

^[3]

The critical nature of this vulnerability coupled with the full disclosure of the exploit is extremely worrying. Until a fix is released by Mozilla we would highly recommend that all Firefox users apply these quick fixes and stay on the safer side.