
June 19th, 2008

Mozilla confirms Firefox 3.0 flaw, says risk minimal

Posted by Ryan Naraine @ 3:43 pm

Categories: Arbitrary Code Execution, Botnets, Browsers, Exploit code, Firefox, Mozilla, Open source, Responsible disclosure, Viruses and Worms, Vulnerability research

Tags: Mozilla Firefox 3.0, Mozilla Firefox, Mozilla Corp., TippingPoint Technologies, Flaw, Snyder, Web Browsers, Internet, Ryan Naraine

Mozilla security chief Window Snyder has confirmed the existence of a serious code execution vulnerability in the brand-new Firefox 3.0 browser.

Snyder’s confirmation follows a public warning by TippingPoint’s ZDI (Zero Day Initiative) that the flaw could lead to PC takeover hijacks if a user simply surfs to a rigged Web site with Firefox.

[ SEE: Code execution vulnerability found in Firefox 3.0 ]

On the Mozilla security blog, Snyder said the bug impacts Firefox versions 2.x and 3.0:

This issue is currently under investigation.  To protect our users, the details of the issue will remain closed until a patch is made available.  There is no public exploit, the details are private, and so the current risk to users is minimal.

At Mozilla we appreciate any report of security issues because that is how we make the browser stronger and more secure.  The best way to keep Firefox users safe is to report the issues directly to Mozilla as TippingPoint has chosen to, and to wait to release details until a fix is available.

As previously reported, the vulnerability was sold to TippingPoint ZDI a few hours after Mozilla shipped the final release of Firefox 3.0.

Also see this USA Today piece on Snyder’s efforts to harden Firefox against hacker attacks.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

