The renewed Milw0rm site to-day published a new heap spray hole for Firefox 3.5 enabling attackers to get complete control over the browser via a buffer overflow through memory corruption caused by an error in handling “font” HTML tags The vulnerability has not been patched yet, F-Secure free beta Exploit Shield protects against this vulnerability: http://www.f-secure.com/en_EMEA/support/home-office/beta-programs/
We just have to see if the avast shield equally protects. Can we get confirmation of this protection?
The mozilla blog gives a workaround by temporary disabling the javascript.options.jit.content setting in about:config
Seems in terms of mitigation, NoScript works like a charm, successfully detecting the PoC’s attempt to access file://, re: http://forums.informaction.com/viewtopic.php?f=8&t=1953&p=7709#p7709
(where I post under my other nick: luntrus)
NoScript saves the day again as long as the user don’t allow file:// for some odd reason. I’d simply wait for a security update for it while letting NoScript do its job.
[b]Slow Firefox 3.5 start up time[/b]
In recent days, an increasing number of users have been complaining that Firefox 3.5 needs a long time to start, while others don't have a problem. It now appears that the cause has been found and the developers are working on a solution
According to a Mozillazine thread, oddly, it seems to be related with Internet Explorer temp folder… ??? I guess I avoided this issue with dumb luck: Since I’m on relatively high connections, I set the amount of disk space for the temp folder to the lowest and let IE flash it when it closes. Furthermore, CCleaner deals with the temp folder.
Start up issues
Slow start up
Windows only
If you are seeing abnormally slow start up times when you first start Firefox delete the temporary internet files in I.E.
Also see: viewtopic.php?p=6869765#p6869765
Another work around to this problem was posted to the above on July 6th.
The recommended work around follows:
Windows let’s the user control the maximum amount of disk space used for the “Temporary Internet Files”. The default setting is extremely generous. On my old 250GB drive, it was over 8GB. Setting it down to say 100MB or 200MB should REALLY help reduce the sheer number of files to be scanned.
To adjust that, go to Control Panel, Internet Options, General Tab.
Under the Temporary Internet Files heading, click the “Settings” button.
Change the number under “Amount of disk space to use” to 100 or 200.
Click OK. Then, back in the Internet Options, General tab, under the Temporary Internet Files heading, click the “Delete Files” button.
Put a check in the box that says “Delete all offline content”. Click OK.
Click OK to dismiss the Internet Options panel.
That said, I don’t recommend anybody to update to Firefox 3.5. Probably, it would be appropriate for FF users who haven’t upgraded their FFs to 3.5 to stay with the older version and see what the developers can do with the problems.