Wednesday, June 18, 2008

Mozilla Firefox 3.0 Vulnerability

Were they waiting for the release to report this? Note that the vulnerability also affects Firefox 2.0.x. I would expect a fast fix.

What we can confirm is that about five hours after the official release of Firefox 3.0 on June 17th, our Zero Day Initiative program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page.
(Bold added)

Mozilla is reported to be working on a fix.

The Zero Day Initiative has been criticized in the past for paying researchers who find vulnerabilities.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

No comments: