Earlier this week, I wrote about a “highly critical” — and unpatched — vulnerability that puts millions of Web surfers at risk of malicious hacker attacks.
Since then, there has been word that the release of the vulnerability and exploit was “self-inflicted” (Mozilla exposed the bug themselves) and official instructions on how to mitigate the risks until a patch is ready.
Here are those instructions, via the Mozilla security team:
The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:
- Enter
about:config
in the browser’s location bar. - Type
jit
in the Filter box at the top of the config editor. - Double-click the line containing
javascript.options.jit.content
setting the value to false.
Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have been received the security update containing the fix for this issue, they should restore the JIT setting to true by:
- Enter
about:config
in the browser’s location bar. - Type
jit
in the Filter box at the top of the config editor. - Double-click the line containing
javascript.options.jit.content
setting the value to true.
Alternatively, users can disable the JIT by running Firefox in Safe Mode. Windows users can do so by selecting Mozilla Firefox (Safe Mode)
from the Mozilla Firefox folder.
Firefox users should always consider running the NoScript extension to avoid scripting attacks.