Vulnerability found in Firefox 3 five hours after release

Source: Tigervision Media

Five hours after Firefox 3 was released to the public, security firm Tipping Point claims to have found a critical security flaw, which could affect any Firefox 2.0x or Firefox 3 simply by clicking on a malicious link. Exploitation of the vulnerability could allow an attacker to execute arbitrary code.

Tipping Point said that it will not share any details about the problem since Mozilla is currently working on a fix. The discovery of vulnerability coincided with the release of Firefox 3, downloaded by more than 8 million people in the first 24 hours of its release.

The severity of this vulnerability is ranked as “high”, but an exploit requires user interaction such as clicking on a link in email or visiting a malicious web page. Once the issue is patched, Tipping Point said it will publish an advisory. The organization expects Mozilla to move swiftly into action and release the fix as soon as possible. "Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well," said Tipping Point.

Read more: http://www.tgdaily.com/content/view/38018/112/

I will be waiting for the fix and being extra vigilant about strange links...

I used to love Netscape until Explorer destroyed it and I recently found out that Firefox is related to that original Netscape. Honestly, though, with the exception of a few features, I don't see much difference between it and Explorer. But I don't like the monolithic nature of Microsoft so I'm always likely to go for the competitor, if possible.

tavalon

It's sad hat Netscape are no more.. I do liked Netscape for many reason.. Even that I do used the IE... And if Firefox are related to Netscape so much better;):

And yes, I do have Firefox 2.0 on my PC..

Diclotican

Sorry my bad english, not my native language

sometimes. I am using the new IE-8 right now in its Beta 1 form, Beta 2 is supposed to be out next month. Will probably end up using the Firefox 3 when they get things cleared up or both as I do a lot.

That's pretty much the only reason we keep IE around.

That's exactly how it gets used around here. LOL

:)

It's called IE View. Not sure if it's compatible with version 3 since I haven't upgraded yet.

I always use Firefox though. Firefox is a better browser and offers a lot more flexibility. I installed IE8 because I wanted to see what they did and it didn't really matter since I use Firefox. I will probably install Beta 2 when it comes out but I will only use it to access limited sites that require IE....like my work site.

quicker. There are just some things I use IE for so I will keep both. Especially looking forward to the new Windows, I wish I had never gone to Vista, just kind of a pain and XP was OK. The worst thing was I got Home Premium Vista, later upgraded to Ultimate for the $159.00 and then I had a problem with Bit Locker, so did a reinstall and have never been able to get Ultimate back on. Best Buy says to go to Microsoft and Microsoft says you bought it through Best Buy so there you go, out the $159.00. The more I think about it, I may finally break down and go to Apple. Have just always been a Windows guy.

I wonder if this is a potential problem for linux and mac systems as well

I have great faith in the Firefox folks. I've been using 3.0 for a bit now, and it's absolutely great!

yesterday and today. i'll keep an eye out for the fix, thanks

"You internet jockeys need to learn to pay attention to republicon occultists. Smirk."

- Ronald Reagan's Dead Republicon Astrologer

:)

Do I wait for the fix or just upgrade now since it sounds like it affects 2.0 as well?

Is that the most recent before 3.0? in any event, I'll be very careful from here on. Thanks for the heads up!

pnorman

sometimes I don't last that long

This happens for every major software program that had a public beta.

The code was out there. It was hacked, and they waited. Now, it will be patched within hours. I think the people that were willing to update to 3.0 on release day are probably savvy enough to be doing their updates. This isn't going to be the same as the people still running Windows 95 that haven't patched in years.

I'm typing this response on 3.0 on my Mac. I installed 3.0 on my Mac, my work machine and my gaming rig.

I have no doubt that a patch will be available in a matter of hours.

Thanks for getting this on the front page though, it is important for people to keep an eye on where they're browsing. Considering that I am sitting on this site or a couple of jobs sites all day, I'm not worried about it. :-)

NOW Que next post:evilgrin:

Unless it's a sequel to this movie:

I just closed it down and am back to using Explorer.

It said it wouldn't work without Firefox. I was trying to figure out who in Malaysis was reading my blog and my stat counter directed me to a site that for some reason required Firefox to work. I downloaded it but it didn't really tell me anything.

So now I have Firefox on my computer but I'm afraid to open it again.

I was about to download 3.0, but I think I'll wait until this issue is resolved.

I always wait a few weeks, see what people are saying, THEN get the new version of whatever.

My computer is too valuable to me to take unnecessary risks.

That said, I don't expect this to be a big problem. The Mozilla team is very proficient.

The headline is meant to shock you into reading it.

that guy was on colbert last night telling everyone to go download firefox 3 cause it was the safest.

probably shoulda waited before making that kinda statement.

I just installed VMFusion on my Mac so I can run a bunch of Windoze SW, saw this story, & installed Safari on my Windoze. I had been having a few stability problems with FF & already put it on my other Windoze laptop. Too bad--FF is a nice browser, but I'm gonna use Safari as my IE alternative until they get FF straightened out.

In case you didn't know, Safari is free from Apple for the downloading.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=macintosh_os&articleId=9091638&taxonomyId=123&intsrc=kc_top

All browsers have bugs. Get used to it.

No, I hadn't heard.

that the exploit finally targets (using an exploit in Safari), so they refused to fix it at first. And MS put out a warning saying not to use Safari until Apple fixes it. Seems like some territorial pissing between MS and Apple to me :)

Someone already mentioned this but it's escaped lots of folks' attention apparently.

This is vulnerability is NOT a result of upgrading. It is in Version 2 also. This "5 hours after release" line is nonsense, just coincidence. Vulnerabilities are found and fixed all the time.

Article:
...Tipping Point claims to have found a critical security flaw, which could affect any Firefox 2.0x or Firefox 3 simply by clicking on a malicious link.

I'm a big supporter.

:toast:

it was disguised as a firefox.exe file FYI.

Do not download this. If your antivirus catches it, DELETE it!!

:kick:

They say the bug has been around all through Firefox 2, and is well-understood. (I don't understand that, but that's what they tell me.)

When I showed them the article, they asked if Tipping Point was being paid off by Microsoft.

These guys are sharp. This story is B.S.

arendt

Not IE.
Not Safari.

Opera possibly.

:eyes:

Media whores.

Aside from the juvenile idiocy of the name (it's officially the "Smart Location Bar," which is almost as bad), it is a pain in the ass to use. And, in a brilliant example of developer arrogance, you can't turn it off.

I'm going back to FF2.

but I can only find video

http://resources.zdnet.co.uk/articles/tutorials/0,1000002006,39436031,00.htm

Mozilla security chief Window Snyder has confirmed the existence of a serious code execution vulnerability in the brand-new Firefox 3.0 browser.

Snyder’s confirmation follows a public warning by TippingPoint’s ZDI (Zero Day Initiative) that the flaw could lead to PC takeover hijacks if a user simply surfs to a rigged Web site with Firefox.

< SEE: Code execution vulnerability found in Firefox 3.0 >

On the Mozilla security blog, Snyder said the bug impacts Firefox versions 2.x and 3.0:

This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the current risk to users is minimal.

At Mozilla we appreciate any report of security issues because that is how we make the browser stronger and more secure. The best way to keep Firefox users safe is to report the issues directly to Mozilla as TippingPoint has chosen to, and to wait to release details until a fix is available.

http://blogs.zdnet.com/security/?p=1304


Mozilla Sees Little Risk In Firefox 3 Flaw

Mozilla security director Window Snyder confirmed the flaw, which poses a remote code execution threat. On the Mozilla Security blog, Snyder said they are investigating the issue.

"To protect our users, the details of the issue will remain closed until a patch is made available," Snyder said. "There is no public exploit, the details are private, and so the current risk to users is minimal."

A report from TippingPoint cited a flaw that had been privately reported to them through the Zero Day Initiative program. TippingPoint acquired the vulnerability from the researcher, and provided its details to Mozilla.

The security flaw requires user interaction, such as clicking on a malicious link. If people avoid risky behavior like this, the problem poses little threat.

http://www.securitypronews.com/insiderreports/insider/spn-49-20080620MozillaSeesLittleRiskInFirefox3Flaw.html