Firefox 3 Vulnerability Rains on Mozilla Download Parade
For all the hype over how many people downloaded Mozilla's Firefox 3 open-source browser in a five-hour period, there is now hype about how long it took security researchers to disclose a flaw.
Five hours after Mozilla officially released the much-anticipated update, Tipping Point confirmed a vulnerability. Tipping Point's Zero Day Initiative program received notification about a critical vulnerability affecting both Firefox 3 and Firefox 2.
"We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after," Tipping Point wrote in its Digital Vaccine Laboratories blog.
"Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code," the company said. "Not unlike most browser-based vulnerabilities that we see these days, user interaction is required, such as clicking on a link in e-mail or visiting a malicious Web page."
Take All Normal Precautions
Mozilla is working on a fix, and Tipping Point isn't saying much else until a patch is available. So just how serious is the threat? It's difficult to say for sure, according to Carole Theriault, a security researcher at Sophos, because there's not much detailed information on the threat.
However, she said, it would be sensible to take the normal precautions that people are advised to take: Visit only reputable Web sites, patch security vulnerabilities, and put this patch in place as soon as Mozilla makes it available.
"Companies that are concerned that their users are dashing out and installing the new browser should consider controlling what browser and version can be used in the company," Theriault said. Tools like Sophos' Application Control allow administrators to control browser usage within the network, ensuring that the network is not at unnecessary risk.
Was Mozilla Set Up?
It's not unusual for bug reports to emerge in the wake of newly released software, especially browsers. But the fact that this is a bug in Firefox 2 leads Theriault to consider the possibility that the "researcher" might have been sitting on it for a while, awaiting the launch of Firefox 3.
"Any payout or glory for a vulnerability will be much higher in a new version of a browser," she said. "I can't help but think that contacting Mozilla as soon as it was discovered to help them make their product more secure for their millions of users would have been a better, dare I say it, less selfish approach."
Raining on Mozilla's Parade?
Could this bug discovery put a damper on the overall success of the Firefox 3 launch that saw more than eight million downloads in a matter of hours?
No software company likes to have its launch clouded by a security bug, but Mozilla has been around a long time and knows a bug was bound to be found sooner or later, Theriault said.
"Software is man-made and we all miss things occasionally, no matter how much testing and forethought goes into development," she noted. "What matters now is that Mozilla respond quickly with a patch to deal with this flaw. Let's hope they get a solution out before someone leaks the details of the flaw, where we will be facing an even grimmer situation."