Mozilla confirms Firefox 3.0 flaw, says risk minimal


Summary: Mozilla security chief Window Snyder (left) has confirmed the existence of a serious code execution vulnerability in the brand-new Firefox 3.0 browser.


Mozilla security chief Window Snyder has confirmed the existence of a serious code execution vulnerability in the brand-new Firefox 3.0 browser.

Snyder's confirmation follows a public warning by TippingPoint's ZDI (Zero Day Initiative) that the flaw could lead to PC takeover hijacks if a user simply surfs to a rigged Web site with Firefox.

[ SEE: Code execution vulnerability found in Firefox 3.0 ]

On the Mozilla security blog, Snyder said the bug impacts Firefox versions 2.x and 3.0:

This issue is currently under investigation.  To protect our users, the details of the issue will remain closed until a patch is made available.  There is no public exploit, the details are private, and so the current risk to users is minimal.

At Mozilla we appreciate any report of security issues because that is how we make the browser stronger and more secure.  The best way to keep Firefox users safe is to report the issues directly to Mozilla as TippingPoint has chosen to, and to wait to release details until a fix is available.

As previously reported, the vulnerability was sold to TippingPoint ZDI a few hours after Mozilla shipped the final release of Firefox 3.0.

Also see this USA Today piece on Snyder's efforts to harden Firefox against hacker attacks.

  • Minimal?

    Last time I remember something public like this labeled "minimal", they changed it to "critical" pretty quickly.
  • Careful!!! It's minor.....

    The FF fanboys will slit your throat for talking about a flaw in their pet browser. If it was IE7 that had the flaw there would be a hundred flaming opinions about it here. But since it is Firefox it is minor, not worth talking about it.
    • Since it's Firefox . . .

      It'll get fixed within a month, instead of YEARS like IE7 does . . .
      • my Windows Update downloads patches for IE7 almost every month, NOT YEARS!
        • Yep

          Patches to bugs in IE7 are released every month. Some of these bugs were found way back, but since there are so many bugs, I guess MS just spreads the patch cycle over a months-to-years timeframe. Unlike Mozilla, which works to get patches and bugfixes out as early as possible: usually a fix is coded within 2-3 days, testing takes another 2-3 days, and the patch is released around a week after the bug was found. Firefox then automatically updates next time it's run.
        • And your own words condemn you!

          Every month! And it doesn't even bother you that it has so many exploits and bugs that it has to be patched EVERY month?
        • Downloading a patch for IE7 this month...

          does not mean that the problem fixed by the patch hasn't been known of by MS for a year or more.

          The usual routine for MS appears to be:
          1. Be notified privately of an exploitable flaw.
          2. Ignore it for a few months.
          3. On the Wednesday after patch Tuesday find out that the original discoverers of the flaw have made the flaw public due to lack of response from MS.
          4. On Thursday, find out that exploit code for the flaw is in the wild from the hundreds of users that have been pwned.
          5. Claim that the flaw is not that dangerous, and issue workaround instructions that essentially render IE useless for the Web.
          6. On patch Tuesday, issue the patch in a critical update.
        • qmlscycrajg is an IE proponent...

          And that is exactly where we want you to stay.
    • Read your IE security updates

      I run IE7 and FF3..

      Seriously, have you ever read the details of an IE security patch? This FF bug only made news because it was reported straight after the overhyped release of FF3. The same would happen for IE* if anyone ever got excited about releases of IE.

      I would consider it more serious, if
      a) Anyone reported a real-life example of a non-test machine being compromised, or
      b) If I hadn't been de-sensitised to these warnings from IE and FF patches already.
    • Flames

      You f--k--g guys who like to flame each other ruin these talkbacks. Very rarely do I manage to read all the talkbacks because invariably someone has to say what they use is the best and what someone else uses is terrible. They really shouldn't let children on this site.
  • RE: Mozilla confirms Firefox 3.0 flaw, says risk minimal

    They should make sure they fix Firefox 3 while they are at it. From what I have been reading they still have problems besides this vulnerability.
    • Developing on FF3 without a SINGLE hitch

      on Ubuntu.
  • Until plug-ins are updated, adoption's unattractive anyway.

    Too bad there's no plug-in compatibility layer to keep Firefox 2 plug-ins working.

    Until Bookmark Sync & Sort (for example) works in version 3, switching isn't an option.
  • RE: Duh! It was a candidate release and not the final release

    The release was only a candidate. What did you expect?
    It isn't even a final release. I don't know why anyone would download it until they are really done with it.
    Google Junky
    • Final Release?

      In my somewhat limited experience, "Final Release" is a complete myth for any OS or program! It is a sad commentary on humankind that hackers will make valiant efforts to screw up everything they can.

      Just my tuppence.
    • It was the Final Release.

      Read the article.
  • What happens to the "Open Source == Bug Free" blah blah blah?

    FOSS was caught red-handed, AGAIN.
    • No software is bug free

      But software from the Bloatfarm is always rushed out of the door to revenue deadlines, not when it's ready. Vista was Alpha at best when it was released, and hopefully Microsoft caught a proper cold this time and learned a lesson.
    • It Should Be "Paid For Software == Bug Free" blah blah blah

      But that's not the case with Microsoft now is it? You get what you pay for.
    • RE: What happens to the "Open Source == Bug Free" blah blah blah?

      This post is a textbook example of the "straw man" argument. I can't recall anyone ever seriously claiming that open source software is "bug-free". No software is bug-free.

      I like Firefox because it works for me. My God, it's just a Web browser! If someone else prefers some other Web browser that is their business. All this quasi-religious ideological ranting about a piece of software is really silly. It would be nice to read some commentary from an adult, but that's hard to come by in this world of open source opinion-sharing.
      I blame insufficient parental control of household computer usage. Now go do your homework, clean up your room and quit huffing the Clearasil fumes.