Only hours after Mozilla Corp. launched the final version of Firefox 3.0, a researcher sold a critical vulnerability in the browser to TippingPoint's bug bounty program, the security company acknowledged Wednesday. The bug has been reported to Mozilla ... TippingPoint ... is perhaps best known for sponsoring an annual hacking contest, in which researchers try to break into stock Windows, Mac OS X or Linux laptops, at the annual CanSecWest security conference ... released little information about the Firefox bug other than to confirm that it affects the new Firefox 3.0 as well as older 2.0 versions ... classified the vulnerability as "critical" ... Mozilla regularly touts its patch speed when it defends its security record ... Firefox 3.0, released Tuesday, was downloaded more than 8.3 million times in its first 24 hours of availability.
Matt Hickey adds:
This kind of sucks. After all the ballyhoo yesterday regarding Firefox 3 and its 8.4 million downloads comes word of the first vulnerability in the browser, a zero day attack that would allow an attacker to trick a user into executing their code, which could wreak all kinds of havoc on a computer ... Zero day attacks are a popular way for malicious users to infect other computers with spyware, worms, trojans, and all sorts of nastiness. Hopefully this one gets patched up before someone not as nice as the Zero Day Initiative can exploit it.
TippingPoint's anonymous blogger blogs:
A number of people who monitor our Zero Day Initiative's Upcoming Advisories page noticed yesterday that we reported a vulnerability to Mozilla (ZDI-CAN-349) ... about five hours after the official release of Firefox 3.0 on June 17th, our Zero Day Initiative program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after ... The vulnerability was submitted to us by a researcher that prefers to remain anonymous. Even though the issue affects older 2.0.x versions, as to why he didn't find the vulnerability earlier is something we don't presume to know.
Mozilla's Window Snyder discloses:
TippingPoint ZDI notified Mozilla of a vulnerability in Firefox that impacts versions 2.x and 3.0. This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the risk to users is minimal. TippingPoint will also keep the details closed to protect Firefox users.
Ron Schenone shrugs:
What the heck. Nobody is perfect and the folks at Mozilla are only human. It is going to be interesting to see how quickly this can be fixed ... I am sure the folks at Mozilla might feel that this could put a damper on their world record for downloads. I don't believe it will. What is unfortunate is that this was not found before the final release.
After yesterday's prediction, Nom du Keyboard crows:
I told you so! So now we have what? 8 million suddenly vulnerable machines?
This Anonymous Coward makes the obvious connection:
Since the vulnerability also affects FF 2.x, I'd say whoever discovered the problem waited to disclose the issue to rain on Mozilla's parade. So waiting to release 3.0 would have been pointless since the Mozilla team didn't know about the issue.
Steve Hodson is a self-confessed cranky old fart:
I wonder if this will get Mozilla another entry in the book of records as the quickest vulnerability report for a product immediately following it setting a download record.
And finally...