Thursday, June 19, 2008

Security Vulnerability Already Found in Firefox 3

Firefox 3 was only released on Tuesday, and a security vulnerability has already been found. In fact, the vulnerability was found within the first five hours of its release at 10 AM PDT.

The vulnerability first showed up on the Zero Day Initiative's Upcoming Advisories page, where a vulnerability was reported for Mozilla (ZDI-CAN-349). According to TippingPoint's Digital Vaccine (DV) Labs, the vulnerability affects both Firefox 2.0.x and Firefox 3.
"We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser-based vulnerabilities that we see these days, user interaction is required, such as clicking on a link in email or visiting a malicious web page."
Zero Day Initiative won't reveal anything about the vulnerability until Mozilla has a fix, as is their policy. Once a patch is available, Zero Day will publish details here.

Mozilla is reportedly working on a fix.

While they're at it, I hope they fix some of the other issues I've already found, like new pages opening in a "new window" despite being set to open in a "new tab" and the Alt-S workaround for forum posting no longer working.
