Code execution vulnerability found in Firefox 3.0

Summary:It's not all about world records for Firefox 3.0.Just hours after the official release of the latest refresh of Mozilla's flagship browser, an unnamed researcher has sold a critical code execution vulnerability that puts millions of Firefox3.

Code execution vulnerability found in Firefox 3.0
It's not all about world records for Firefox 3.0.

Just hours after the official release of the latest refresh of Mozilla's flagship browser, an unnamed researcher has sold a critical code execution vulnerability that puts millions of Firefox3.0 users at risk of PC takeover attacks.

According to a note from TippingPoint's Zero Day Initiative (ZDI) , a company that buys exclusive rights to software vulnerability data, the Firefox 3.0 bug also affects earlier versions of Firefox 2.0x.

Technical details are being kept under wraps until Mozilla's security team ships a patch.

According to ZDI's alert, it should be considered a high-severity risk:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, permitting the attacker to completely take over the vulnerable process, potentially allowing the machine running the process to be completely controlled by the attacker. TippingPoint researchers continue to see these types of "user-interaction required " browser-based vulnerabilities - such as clicking on a link in email or  inadvertently visiting a malicious web page.

It looks very much like the vulnerability researcher was hoarding this vulnerability and saving it for Firefox 3.0 final release to make the sale.

In the absence of a fix, Firefox users should practice safe browsing habits and avoid clicking on strange links that arrive via e-mail or IM messages.

There are no reports of this issue being exploited but,  if you are worried about being at risk of drive-by attacks, consider using a different browser.

Topics: Browser, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.