Mozilla admits critical flaw in Firefox 3

gallery

A critical vulnerability has already been found in the Mozilla Firefox browser, only days after its official release.

Tipping Point’s Zero Day Initiative, a program which rewards security researchers for disclosing problems, found that there was a critical vulnerability which affected Firefox 3.0 as well as prior versions of Firefox 2.0.

Tipping Point said that it had verified the vulnerability in its lab, acquired it from the researcher, and quickly reported it to the Mozilla team.

It said that if the vulnerability was successfully exploited, an attacker could ‘execute arbitrary code’. Tipping Point also said that the vulnerability was common to most browser based vulnerabilities in that user interaction was required – such as clicking a link in an email or visiting a malicious page.

Mozilla said that the issue was under investigation and would remain closed until a patch was made available. It said the exploit was private rather than public, so the risk to users was minimal. It also said that it appreciated the report of any security issues as it made the browser stronger and more secure.

Tipping Point said in its blog post: “While Mozilla is working on a fix, we won’t be divulging anything else until a patch is available, adhering to our vulnerability disclosure policy.

“Once the issue is patched, we’ll be publishing an advisory. Working with Mozilla on past security issues, we’ve found them to have a good track record and expect a reasonable turnaround on this issue as well.”

The Firefox ‘Download Day’ was a success, with Mozilla claiming that 8.3 million users downloaded the browser on launch day. But it wasn’t without problems, as it servers crashed for almost two hours due to the massive demand.

Email to a friend

Print this page