Firefox 3.6 suffers from unpatched "highly critical" vulnerability


Summary: A vulnerability has been uncovered in Firefox 3.6.x. This bug is rated as highly critical by Secunia.

TOPICS: Security, Browser


Details are sketchy, and there's no official word from Mozilla yet. Here's what Secunia has on the bug:

Description: A vulnerability has been reported in Mozilla Firefox, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code.

The vulnerability is reported in version 3.6. Other versions may also be affected.

Solution: Do not visit untrusted websites or follow untrusted links.

This vulnerability can allow a hacker to take over a system remotely.



Talkback

136 comments
  • And I thought...

    And I thought that only Internet Explorer had periodic security issues. (grin)
    Tom12Tom
    • Hey, smart people never said that it was ONLY IE

      However, the flaws in IE on Windows XP are usually more serious and are ALL code-execution probabilities.
      Lerianis10
      • What are you talknig about?

        What you said makes no sense. "code-execution probabilities"... huh?
        DevStar
        • He's "talknig" about how IE has more flaws allowing remote code execution.

          AzuMao
          • More specifically, IE6

            It will be a sad day for ABMers when IE6 is dead and gone.
            Lester Young
          • Not gonna happen anytime soon; more people use it than IE7 and IE8 combined

            And by the time that changes, there'll be more exploits for IE7/IE8.
            AzuMao
      • So... Does that make Mozilla stupid...?

        Or is it just the marketing department?

        Seems to me that way back when Firefox was just coming out of its first beta, the big claim was that there WERE no vulnerabilities. It was the cure for the viral plague that affected only IE.
        Wolfie2K3
        • According to ...

          ... many of the *-tards we see all too often around here, any product with a vuln is the result of stupid developers and hopeless testers working at pointless companies who are going to be out of business within 12 months.

          Alas, they fail to see that software is created by people with the knowledge, mindset, tools and processes available at a moment in time. The longer that software exists and the more widespread that software's use, the more difficult and costly it is to maintain, patch and update.

          FF is only now reaching the user levels required for them to become a truly viable target for hackers. Expect A LOT MORE vulns and exploits being "discovered" in FF over the coming years.
          de-void-21165590650301806002836337787023
          • No one around here has made such a claim; nice straw man, though.

            There's a pretty thick line between leaving in known vulnerabilities for weeks/months after exploits for them are out in the wild (IE) and never having any kind of problem, ever, at all (your ridiculous straw man). There are shades of gray in between.

            To clear up this confusion I propose a new metric known as RSS (Relative Suckitude Scale); 0, on one extreme, being absolute perfection, and 10, the other extreme, being as bad as IE.

            You will find that most products aren't at either polar opposite of this scale.
            AzuMao
          • Weeks or months?

            The difference is a factor of four. It is significant. And what does "leaving" mean? No work being done on a patch? Seriously?

            Your hyperbole doesn't lend you much credence.
            Lester Young
          • It varies, and it means not releasing a working fix, respectively.

            AzuMao
        • Um.. no?

          Nobody said everything was <i>perfect</i>, just that nothing was as bad as IE.
          AzuMao
      • Want to back up that claim, or is it just your belief?

        <i>"However, the flaws in IE on Windows XP are usually more serious and are ALL code-execution probabilities[sic]."</i>

        Go through the CVE at Secunia (or any other CVE database) and you will find that Firefox suffers from the most and the most severe bugs of ALL browsers.

        MOST Firefox bugs are memory corruption bugs. They are in the "most severe" class because memory corruption can easily lead to code execution.

        You are just spewing popular belief induced by Microsoft haters. But all through 2009 (and 2008), Firefox was THE most vulnerable application out of ALL applications - not just browsers.

        So please, show us how the IE bugs are more severe? Please quote a reputable security researcher/analyst who claims so.

        You can't? Well, I guessed that.
        honeymonster
    • Nope.

      Just because nothing else is nearly as bad as it, doesn't mean everything else is absolutely 100% perfect in every way.
      AzuMao
  • RHEL/CentOS/Fedora SELinux

    protected...
    no_barry_2012
    • openSUSE too for that matter...thanks

      nt
      D.T.Schmitz
      • Better still ... upgrade to Win7 x64 ...

        ... which prevents unsigned code from executing within the kernel and vastly reduces the ability of rootkits and many other forms of malware from establishing a foothold.

        And you still get to run all your favorite apps, your corporate LOB apps, your games, your hardware, and the best of the OSS world too.
        de-void-21165590650301806002836337787023
        • Wrong.

          Unless you don't mind not being able to install common programs such as ATI Tray Tools, you have to disable the driver sign checking anyways.

          Of course, this wouldn't really be much of an impediment anyways, since it can be done programmatically (without user interaction).

          Of course, all of the above is irrelevant, since even without actually modifying the kernel, malware can <i>still</i> screw up your system pretty bad.

          So your advice is bad to the point of negligence, maybe even maliciousness; you're telling people they will be more secure using a solution that is clearly far less secure!
          AzuMao
  • So you want me to switch to an inferior platform...

    ...just to avoid the possibility of being hit by an exploit in an app?

    You need to lay off the crack, sir.

    BTW methinks you need to go back to school and do some learnin' on how OSs work, because what you said about IE Protected Mode and that rootkit makes no sense. Once a rootkit is already installed on a system (ANY system), existing security mechanisms on the system are irrelevant.
    toadlife
    • how to get a rootkit in the first place

      Windows does benefit the malware writer in so many ways outside of the browser, one of which being the way the OS handles file execution.

      In all versions of Windows, it does not seem to matter what the filename is; if it contains an executable payload it will run hands down at the user's current privs.

      On Linux, it has to be a payload that is specific to the associated application, then it will run.

      I know it goes far deeper, but this is just one example of why Linux attacks are much more focused or even interactive...
      ~doolittle~