Firefox 3.0’s First Vulnerability Reported

All those millions of people that rushed to download Firefox 3 got something they didn’t expect – a critical security vulnerability. Some people smell a rat!

The vulnerability, which could allow the excevution of arbitrary code, was reported to TippingPoint’s Zero Day Initiative just five hours after the open source browser was released on Tuesday. The Zero Day Initiative pays researchers for finding vulnerabilities in software, then provides the information to the vendor concerned.

The timing has led to allegations that the researcher concerned had discovered the flaw prior to the release of Firefox 3 but delayed notification to gain the maximum publicity. The fact that the flaw also affects Firefox 2 is thought to support this theory.

Since the researcher has chosen to remain anonymous, he or she will gain little kudos from being the first to discover a flaw in Firefox 3, leading to speculation that the researcher is in some way associated with another browser.

But enough of the conspiracy theories – what’s to be done by the 12 million plus users that have already downloaded Firefox 3, let alone the 140 million or so that Mozilla says are using its predecessors?

Practically nothing is known about the nature of the flaw. All TippingPoint is saying is that “Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page.”

So the usual warnings about being careful about visiting shady sites and avoiding links in dodgy email would seem to apply until an update is released.

There’s not even any indication of whether the flaw is specific to Firefox on a particular platform, or if all supported operating systems are equally affected.

Mozilla security chief Window Snyder said “This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the risk to users is minimal.”

When TippingPoint receives details of unpatched vulnerabilities, it confirms the issue and may offer a cash payment for exclusive rights. If accepted, the software vendor is notified. If the vendor fails to respond or to provide a fix in “a reasonable period of time”, TippingPoint makes a public disclosure.

Meanwhile, it uses the information in its own security products and may share it with other security vendors. via itwire

This entry was posted on Sunday, June 22nd, 2008 at 9:43 pm and is filed under Browser. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.