Friday, 20 June 2008 02:35

Firefox 3 fans cry foul as first vulnerability reported

All those millions of people that rushed to download Firefox 3 got something they didn't expect - a critical security vulnerability. Some people smell a rat!

The vulnerability, which could allow the execution of arbitrary code, was reported to TippingPoint's Zero Day Initiative just five hours after the open source browser was released on Tuesday. The Zero Day Initiative pays researchers for finding vulnerabilities in software, then provides the information to the vendor concerned.

The timing has led to allegations that the researcher concerned had discovered the flaw prior to the release of Firefox 3 but delayed notification to gain the maximum publicity. The fact that the flaw also affects Firefox 2 is thought to support this theory.

Since the researcher has chosen to remain anonymous, he or she will gain little kudos from being the first to discover a flaw in Firefox 3, leading to speculation that the researcher is in some way associated with another browser.

But enough of the conspiracy theories - what's to be done by the 12 million plus users that have already downloaded Firefox 3, let alone the 140 million or so that Mozilla says are using its predecessors?

Practically nothing is known about the nature of the flaw. All TippingPoint is saying is that "Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page."

So the usual warnings about being careful about visiting shady sites and avoiding links in dodgy email would seem to apply until an update is released.

What does Mozilla have to say about the flaw? Please read on.

There's not even any indication of whether the flaw is specific to Firefox on a particular platform, or if all supported operating systems are equally affected.

Mozilla security chief Window Snyder said "This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the risk to users is minimal."

When TippingPoint receives details of unpatched vulnerabilities, it confirms the issue and may offer a cash payment for exclusive rights. If accepted, the software vendor is notified. If the vendor fails to respond or to provide a fix in "a reasonable period of time", TippingPoint makes a public disclosure.

Meanwhile, it uses the information in its own security products and may share it with other security vendors.


Stephen Withers

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
