Firefox 3 suffers its first vulnerability -cnet

Forum Moderators: open

Message Too Old, No Replies

Firefox 3 suffers its first vulnerability -cnet

cnet news item

teylyn

11:32 pm on Jun 18, 2008 (gmt 0)

Less than one day after its launch, Firefox 3 has a vulnerability.
According to Tipping Point's Zero Day Initiative, the vulnerability, which it rates as critical, was reported within the first five hours of Firefox 3's release.
"Once the vulnerability was verified in TippingPoint's DVLabs and acquired from the researcher, the vulnerability was promptly reported to the Mozilla security team," said a representative.
Although the Zero Day Initiative team does not offer specifics until the vendor has a chance to patch it, the blog post did say this vulnerability, which also affects Firefox 2, requires user interaction and could result in an attacker executing arbitrary code.
Mozilla is reported to be working on a fix.
The Zero Day Initiative has been criticized in the past for paying researchers who find vulnerabilities.

source: [news.cnet.com ]

bill

8:17 am on Jun 19, 2008 (gmt 0)

Worth waiting for a patch on this one before upgrading?

Gomvents

3:46 am on Jun 23, 2008 (gmt 0)

"...the blog post did say this vulnerability, which also affects Firefox 2..."

I'd say upgrade now, I already did and it's great.

seems the vulnerability is the same in FF2 and 3 anyways...

eriky

8:47 am on Jun 23, 2008 (gmt 0)

If it requires user interaction it's probably something that won't happen to an experienced web surfer anyway. Just another company that wants some attention at the cost of the reputation of another. Why would they release such information now instead of before the release? The betas and release candidates have been out for months..

maximillianos

1:26 pm on Jun 23, 2008 (gmt 0)

Microsoft is playing dirty! Oh, I guess that does not surprise any of us... ;-)

SEOMike

2:44 pm on Jun 23, 2008 (gmt 0)

The Zero Day Initiative has been criticized in the past for paying researchers who find vulnerabilities.

Why? It makes sense to pay someone skilled to evaluate software to find a vulnerability.

zafile

9:28 pm on Jun 23, 2008 (gmt 0)

"Microsoft is playing dirty!"

Right, as it did in 1999 when it run the SMP Mindcraft tests against Linux.

This new fiasco is only Mozilla's fault.

whoisgregg

6:13 pm on Jun 24, 2008 (gmt 0)

The Zero Day Initiative has been criticized in the past for paying researchers who find vulnerabilities.

Why? It makes sense to pay someone skilled to evaluate software to find a vulnerability.

I imagine the issue here is that it's an independent company paying third parties to find vulnerabilities.

It's a bit like your neighbor paying a locksmith to check if you locked all your windows and doors and, if they find one that's open, to rummage around your house to see if you left any valuables laying around.