Firefox 3.5 - Critical JavaScript POC Exploit developed
Firefox users should be on the lookout for an update soon, as noted in the Mozilla blog:
http://isc.sans.org/diary.html?storyid=6796
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761
QUOTE: The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. An update does not currently exist. So far there are no reports of sites on the internet being first to use the hole for active infections and exploitation of Windows PCs. Since the published exploit uses PC heap spraying under JavaScript, disabling JavaScript should act as a stop gap. When the exploit was tested with Windows 7 RC1, after a short time, the browser displayed a dialogue offering to abort the script.
WORKAROUNDS
1. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine (see Mozilla link above)
2. NoScript is also a good security add-on that alerts users when JavaScript is present, on a site-by-site basis:
http://noscript.net/
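
To confirm that workaround 1 is actually in place on a machine, the following added example (not from the original post or from Mozilla) checks each Firefox profile for the JIT setting. It assumes the preference name `javascript.options.jit.content` given in the linked Mozilla advisory and the Firefox 3.5 default of JIT enabled; the function names and sample profile names are made up for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Pref named in the Mozilla advisory linked above; it does not appear on this page.
PREF = "javascript.options.jit.content"
# Matches e.g.  user_pref("javascript.options.jit.content", false);
# Anchoring at line start skips lines commented out with //.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(true|false)\s*\)\s*;', re.M)

def jit_enabled(profile_dir):
    """True if the content JIT is on for this profile.

    Assumes the Firefox 3.5 default (enabled) when the pref is absent.
    user.js is applied over prefs.js at start-up, so it is read last.
    """
    enabled = True
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            values = PREF_RE.findall(path.read_text(errors="replace"))
            if values:
                enabled = values[-1] == "true"
    return enabled

def audit(profiles_root):
    """Map each profile directory name under profiles_root to its JIT state."""
    return {p.name: jit_enabled(p)
            for p in sorted(Path(profiles_root).iterdir()) if p.is_dir()}

def apply_workaround(profile_dir):
    """Append the setting to user.js so it is re-applied at every start."""
    with open(Path(profile_dir) / "user.js", "a") as fh:
        fh.write('\nuser_pref("%s", false);\n' % PREF)

if __name__ == "__main__":
    # With no argument, run against two constructed sample profiles.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tempfile.mkdtemp())
    if len(sys.argv) == 1:
        for name, body in (("a.default", ""),
                           ("b.work", 'user_pref("%s", false);\n' % PREF)):
            (root / name).mkdir()
            (root / name / "prefs.js").write_text(body)
    for name, on in audit(root).items():
        print("%-12s JIT %s" % (name, "ENABLED (workaround missing)" if on else "disabled"))
```

Pass the Firefox `Profiles` directory as the argument to audit a real installation; the setting should be reverted once the fixed Firefox release is installed.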