Oops: Firefox 3.0 critical vulnerability

It's IT Blogwatch: in which yesterday's excitement over Firefox 3.0 is tempered by a critical security report. Not to mention the program that gets less accurate in each new version...

Gregg Keizer reports:

Only hours after Mozilla Corp. launched the final of Firefox 3.0, a researcher sold a critical vulnerability in the browser to TippingPoint's bug bounty program, the security company acknowledged Wednesday. The bug has been reported to Mozilla ... TippingPoint ... is perhaps best known for sponsoring an annual hacking contest, in which researchers try to break into stock Windows, Mac OS X or Linux laptops, at the annual CanSecWest security conference ... released little information about the Firefox bug other than to confirm that it affects the new Firefox 3.0 as well as older 2.0 versions ... classified the vulnerability as "critical" ... Mozilla regularly touts its patch speed when it defends its security record ... Firefox 3.0, released Tuesday, was downloaded more than 8.3 million times in its first 24 hours of availability.
Matt Hickey adds:
This kind of sucks. After all the ballyhoo yesterday regarding Firefox 3 and its 8.4 million downloads comes word of the first vulnerability in the browser, a zero day attack that would allow an attacker to trick a user into executing their code, which could wreak all kinds of havoc on a computer ... Zero day attacks are a popular way for malicious users to infect other computers with spyware, worms, trojans, and all sorts of nastiness. Hopefully this one gets patched up before someone not as nice as the Zero Day Initiative can exploit it.
TippingPoint's anonymous blogger blogs:
A number of people who monitor our Zero Day Initiative's Upcoming Advisories page noticed yesterday that we reported a vulnerability to Mozilla (ZDI-CAN-349) ... about five hours after the official release of Firefox 3.0 on June 17th, our Zero Day Initiative program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after ... The vulnerability was submitted to us by a researcher that prefers to remain anonymous. Even though the issue affects older 2.0.x versions, as to why he didn't find the vulnerability earlier is something we don't presume to know.
Mozilla's Window Snyder discloses:
TippingPoint ZDI notified Mozilla of a vulnerability in Firefox that impacts versions 2.x and 3.0. This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the risk to users is minimal. TippingPoint will also keep the details closed to protect Firefox users.
Ron Schenone shrugs:
What the heck. Nobody is perfect and the folks at Mozilla are only human. It is going to be interesting to see how quickly this can be fixed ... I am sure the folks at Mozilla might feel that this could put a damper on their world record for downloads. I don't believe it will. What is unfortunate is that this was not found before the final release.
After yesterday's prediction, Nom du Keyboard crows:
I told you so! So now we have what? 8 million suddenly vulnerable machines?
This Anonymous Coward makes the obvious connection:
Since the vulnerability also affects FF 2.x, I'd say whoever discovered the problem waited to disclose the issue to rain on Mozilla's parade. So waiting to release 3.0 would have been pointless since the Mozilla team didn't know about the issue.
Steve Hodson is a self-confessed cranky old fart:
I wonder if this will get Mozilla another entry in the book of records as the quickest vulnerability report for a product immediately following it setting a download record.
And finally...


Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 21 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.

