Welcome to Land of Tricks

US-CERT on Tuesday warned about vulnerability in the new Firefox 3.5 browser that could allow a remote attacker to execute malicious code.

Proof-of-concept exploit code was posted Monday on Milw0rm.com, an exploit code aggregation site, so it’s likely that the vulnerability is being actively exploited.

The vulnerability, discovered by Simon Berry-Byrne, is related to the way Firefox 3.5 processes JavaScript code.

Mozilla has acknowledged the vulnerability and has a fix that’s being tested. “The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,”the company said on its security blog. “The vulnerability can be mitigated by disabling the JIT in the JavaScript engine.

To do this:

1) Enter about:config in the browser’s location bar.

2) Type jit in the Filter box at the top of the config editor.

3) Double-click the line containing javascript.options.jit.contentsetting the value to false.

As an alternative, the NoScript plug-in, which disables all JavaScript in the browser, should also offer protection.

Secunia, a computer security company based in Denmark, rates the vulnerability “highly critical” and notes that older versions of Firefox may be affected as well.

F-Secure, a computer security company based in Finland, said in ablog post that its Exploit Shield security software blocks the exploit.

In an interview on Monday about a bug in Google’s Chrome browser, Robert “RSnake” Hansen, CEO of SecTheory, a computer security consulting firm, criticized Firefox’s security process as being less rigorous than Microsoft’s. “For the most part, it’s just a bunch of random dudes who are contributing to it,” he said.

Nevertheless, Hansen said that Firefox, rather than Internet Explorer, was his browser of choice because it was better for hacking.

Johnathan Nightingale, whose business card says “human shield” — he manages the front-end team for Firefox and security issues — says he’s proud of the work Mozilla does and that he can’t compare Mozilla’s efforts to Microsoft’s because Microsoft’s security process isn’t open.

He notes that Mozilla devotes significant resources to security and that the company’s security team has been growing. He welcomes those who want to contribute to Mozilla to make it more secure.

Exploit code for a vulnerability in Firefox was posted online on Monday. Mozilla says it is working on a fix.

US-CERT on Tuesday warned about vulnerability in the new Firefox 3.5 browser that could allow a remote attacker to execute malicious code.Proof-of-concept exploit code was posted Monday on Milw0rm.com, an exploit code aggregation site, so it’s likely that the vulnerability is being actively exploited.

Mitch Wagner gives us a first look at Firefox 3.5, inlcuding some of its new user interface features, privacy mode, its geolocation capability, and its new embedded video and audio functionality using HTML 5.

The vulnerability, discovered by Simon Berry-Byrne, is related to the way Firefox 3.5 processes JavaScript code.Mozilla has acknowledged the vulnerability and has a fix that’s being tested. “The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,”the company said on its security blog. “The vulnerability can be mitigated by disabling the JIT in the JavaScript engine.

To do this:

1) Enter about:config in the browser’s location bar.

2) Type jit in the Filter box at the top of the config editor.

3) Double-click the line containing javascript.options.jit.contentsetting the value to false.

As an alternative, the NoScript plug-in, which disables all JavaScript in the browser, should also offer protection.

Secunia, a computer security company based in Denmark, rates the vulnerability “highly critical” and notes that older versions of Firefox may be affected as well.

F-Secure, a computer security company based in Finland, said in ablog post that its Exploit Shield security software blocks the exploit.

In an interview on Monday about a bug in Google’s Chrome browser, Robert “RSnake” Hansen, CEO of SecTheory, a computer security consulting firm, criticized Firefox’s security process as being less rigorous than Microsoft’s. “For the most part, it’s just a bunch of random dudes who are contributing to it,” he said.

Nevertheless, Hansen said that Firefox, rather than Internet Explorer, was his browser of choice because it was better for hacking.

Johnathan Nightingale, whose business card says “human shield” — he manages the front-end team for Firefox and security issues — says he’s proud of the work Mozilla does and that he can’t compare Mozilla’s efforts to Microsoft’s because Microsoft’s security process isn’t open.

He notes that Mozilla devotes significant resources to security and that the company’s security team has been growing. He welcomes those who want to contribute to Mozilla to make it more secure.

Mozilla released Firefox 3.5 this week, and the Web browser has numerous improvements over its previous version. For those Microsoft Explorer holdouts, it’s worth taking a look at. As of this writing, Mozilla reported approximately 4 million downloads. Here’s five reasons Firefox 3.5 is a hit.

1. Speed:The number one criterion for a browser is fast speed. The 3.5 version of Mozilla Firefox is markedly faster than its predecessor. According to Mozilla, it ran the industry-standard SunSpider JavaScript Benchmark, which measures how fast browsers render JavaScript, on versions 2, 3 and 3.5 of Firefox. The company claims the newest version performed with at least double the speed of Firefox 3 and is more than 10 times as fast as Firefox 2.

2. Privacy:Just as Explorer offers InPrivate Browsing, Mozilla Firefox 3.5 has Private Browsing. Once a Private Browsing session is activated, computer users can surf any site at all with no trace remaining when they are finished: no cookies, no temp files, no forms information and no search information.

Further, if a user isn’t in Private Browsing mode, but still wants to eliminate traces of where he or she has been, there’s the “Forget About This Site” feature. That erases the site from the History list, as well as all traces of the browsing session on your computer, including cookies and temp files, search history, forms and more.

3. Music and Video Support:Because Firefox 3.5 supports HTML 5 audio and video elements, users can watch video and listen to music directly in a Web page, without launching any plug-ins. The video or audio can be saved by right-clicking and saving it. That’s a big improvement with the torrent of video viewing taking place on the internet.

4. “Awesome Bar:”The location bar -dubbed the “Awesome Bar” by some perhaps overly enthusiastic developers - has been made even more, well, awesome in Mozilla Firefox 3.5. Previosuly, you could simply type the name of what you were searching into that field, foregoing the search box altogether, and a Google search page would show results. Mozilla has tweaked the search functionality in the browser so surfers can show only bookmarks by using an asterisk after a query such as “Channelweb *”, or show only tags by using a plus “Channelweb +”.

5. Session Control:If Mozilla Firefox crashes, users can choose which tabs to resuscitate, a feature previously available through the Session Manager add-on. That’s handy particularly if a Flash-based or heavy JavaScript site was the cause of the crash, so users aren’t caught in a perpetual, and irritating, crash-and-restart cycle in their browser.<