June 18th, 2008
Code execution vulnerability found in Firefox 3.0
It’s not all about world records for Firefox 3.0.
Just hours after the official release of the latest refresh of Mozilla’s flagship browser, an unnamed researcher has sold a critical code execution vulnerability that puts millions of Firefox3.0 users at risk of PC takeover attacks.
According to a note from TippingPoint’s Zero Day Initiative (ZDI) , a company that buys exclusive rights to software vulnerability data, the Firefox 3.0 bug also affects earlier versions of Firefox 2.0x.
Technical details are being kept under wraps until Mozilla’s security team ships a patch.
According to ZDI’s alert, it should be considered a high-severity risk:
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, permitting the attacker to completely take over the vulnerable process, potentially allowing the machine running the process to be completely controlled by the attacker. TippingPoint researchers continue to see these types of “user-interaction required ” browser-based vulnerabilities - such as clicking on a link in email or inadvertently visiting a malicious web page.
It looks very much like the vulnerability researcher was hoarding this vulnerability and saving it for Firefox 3.0 final release to make the sale.
In the absence of a fix, Firefox users should practice safe browsing habits and avoid clicking on strange links that arrive via e-mail or IM messages.
There are no reports of this issue being exploited but, if you are worried about being at risk of drive-by attacks, consider using a different browser.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
| 06/19/08
