Although all the source code of Firefox is public and can be scrutinized during development at any time, a Tipping Point Security Advisory has been announced right in the middle of the Firefox 3 download day.
A unlucky coincidence, of course: only a conspiracy theorist could suspect that the timing had been chosen in order to maximize the hype effect for the Zero Day Initiative.

However Mozilla developers are working around the clock, and there's already a patch being privately tested. All the information publicly available so far is that this vulnerability allows a malicious web page to trigger the execution of arbitrary code on the client side, and affects Firefox 2, 3 and likely all the products based on the same rendering engines. Technical details and exploitation proof of concepts are being kept private by Tipping Point as well until the patch is shipped, therefore Mozilla users should be relatively safe: after all we can be 99.99% sure every browser out there is vulnerable to something; we just hope that the bad guys don't know the details yet.

I can add that, even in this case, NoScript users are the safest.

12 Responses to “Firefox 3 Untimely Security Advisory”

  1. #1 kuza55 says:

    One of these days there's going to be a code exec bug in the CSS parser or similar, and you're not going to be able to say that....

  2. #2 Giorgio says:

    @kuza55:
    maybe, but even in that case JavaScript and/or Java and/or Flash will be likely needed to prepare the heap for reliable exploitation, so... ;)

  3. #3 Congrats to Mozilla’s Download Day « I’m Just an Avatar says:

    [...] the news is not all good for Firefox 3, as the first vulnerability was announced while millions of people were still helping go for the record. Window Snyder, [...]

  4. #4 Mark Dowling says:

    It might be untimely but I have no doubt that it was, in fact, timed by those who found it to appear on/after Download Day rather than reported during the RC process. I wonder if there's a way to tweak bug bounties so that RC bugs get more $$...

    That said, release did flush it out before autoupdate kicked in for the 2.0.x stream, which is nice...

  5. #5 Giorgio says:

    @Mark Downling:

    release did flush it out before autoupdate kicked in for the 2.0.x stream, which is nice…

    Not sure, why exactly is it nice, considered that this bug affects Firefox 2.0.x as well?

  6. #6 Firefox 3: una vulnerabilidad está siendo investigada | Zona Firefox says:

    [...] la delantera en tan embarazoso rubro, pero si te preocupa este problema siempre puedes seguir la recomendación de Giorgio Maone: instalar [...]

  7. #7 Mark says:

    *Exactly* the same thing (although not tipping point) happened with wordpress 2.5 as well.

    It seems fashionable to find bugs in RC releases and wait until RELEASE to publish them.

  8. #8 Primera vulnerabilidad en Firefox 3 « HispaSystem Group Blog says:

    [...] Mozilla ya investiga el asunto. Según Giorgio Maone, una vez más los usuarios de NoScript estarían a salvo [...]

  9. #9 Robert Accettura says:

    I'm not a conspiracy theorist. I'm a skeptic. ;-)

  10. #10 ADH says:

    It happens many a times that there are some bugs in the old foundation(reusable modules) of software products which gets exposed when newer software versions are build on it. This case is very common with Windows. When Vista is tested for some attack/security hole , its also found to affecting XP.
    Such incidences proves the need of thorough and continuous regression of the foundational classes/reusable modules.

  11. #11 MJR's slef-reflections: Firefox 3, day 6: security flaw and banks says:

    [...] didn't spot this when I wrote my last post, but it seems there's a security alert for FF3 already - hackademix.net: Firefox 3 Untimely Security Advisory - but it also affects FF2 and probably my cautious Javascript settings are enough to stop it [...]

  12. #12 hackademix.net » Yahoo!'s Attitude Encouraging Zero Day Full Disclosure? says:

    [...] processes, and “reward” reporters, not necessarily with money prizes, which may become dangerous when they feed an anonymous, uncontrolled vulnerability brokerage market. Most of these guys would [...]

Bad Behavior has blocked 3041 access attempts in the last 7 days.