Thursday, October 28, 2010
Firefox 3.6.12 released to patch a vulnerability being exploited in the wild
The vulnerability was in the JavaScript interpreter. It belongs to the class of bugs known as use-after-free: memory was dynamically allocated, then freed, and then the program continued to use it. This is not terribly uncommon in large, complex programs written in C and C++. This type of bug cannot be written directly in Java because Java uses garbage collection instead of letting application programmers do alloc/free themselves.
Users running the NoScript add-on for Firefox were safe all along, unless they expressly gave permission to an infected web site to run JavaScript.
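The allocate, free, then keep-using sequence can be made detectable in C by handing out generation-checked handles instead of raw pointers. The following is an added illustration, not Firefox code; the pool and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical object pool (not Firefox code): each handle records the
   slot's generation, so a reference kept past free is rejected. */
#define POOL_SIZE 4
typedef struct { unsigned gen; int live; char name[16]; } slot_t;
typedef struct { unsigned index, gen; } handle_t;
static slot_t pool[POOL_SIZE];

/* Allocate a free slot; the handle is bound to the slot's current generation. */
static int pool_alloc(const char *name, handle_t *out) {
    for (unsigned i = 0; i < POOL_SIZE; i++) {
        if (pool[i].live) continue;
        pool[i].live = 1;
        snprintf(pool[i].name, sizeof pool[i].name, "%s", name);
        out->index = i;
        out->gen = pool[i].gen;
        return 0;
    }
    return -1; /* pool exhausted */
}

/* Resolve a handle; NULL means it is out of range, freed, or stale. */
static slot_t *pool_get(handle_t h) {
    if (h.index >= POOL_SIZE) return NULL;
    slot_t *s = &pool[h.index];
    return (s->live && s->gen == h.gen) ? s : NULL;
}

/* Free a slot and bump its generation, invalidating outstanding handles. */
static int pool_free(handle_t h) {
    slot_t *s = pool_get(h);
    if (!s) return -1; /* stale handle or double free */
    memset(s->name, 0, sizeof s->name);
    s->live = 0;
    s->gen++;
    return 0;
}

/* Allocate, free, then keep using the old handle; returns 1 if that is caught. */
static int stale_use_detected(void) {
    handle_t a, b;
    if (pool_alloc("first", &a) || pool_free(a)) return 0;
    if (pool_alloc("second", &b)) return 0; /* reuses the slot a pointed at */
    int ok = pool_get(a) == NULL && pool_get(b) != NULL && pool_free(a) == -1;
    pool_free(b);
    return ok;
}

int main(void) { printf("stale handle rejected: %d\n", stale_use_detected()); return 0; }
```

With a raw pointer, the second allocation would silently occupy the memory the old reference still points at; here the generation mismatch turns that into a checked failure.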