
First reports of a Firefox 3 vulnerability

By Scott M. Fulton, III, BetaNews

June 19, 2008, 11:42 AM

A group of researchers collaborating on behalf of security firm TippingPoint has claimed it has written a report concerning a "critical vulnerability" in the just-released Firefox 3.0, and has presented that report to the Mozilla organization.

The nature of the vulnerability has not been publicly released, and TippingPoint states its policy is to notify the vendor first.

This much was said in a blog post yesterday afternoon: "We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code." It added that some social interaction with the user was required, as with many exploits in circulation, to get her to click on a link that triggers delivery of the malicious payload.

TippingPoint added it received news of the vulnerability from a researcher who volunteered that information under its DVLabs program. Through that program, independents are invited to present vulnerabilities they find, and may be offered money for that information.

The amount of money offered, according to TippingPoint's publicly stated policy, depends on the level of deployment of the affected product. "The amount we offer to a researcher for a particular vulnerability depends on the following criteria," begins the firm's list. The first item on that list reads, "Is the affected product widely deployed?"

Arguably, the wide deployment of the final release of Firefox 3.0 was zero up until last Tuesday, after which it eclipsed nine million. TippingPoint lists its vulnerability report at the top of a list of upcoming advisories, which shows the firm's report was written on Tuesday, the very day of FF3's record-breaking public release, and not one day before.

Late yesterday, Mozilla security chief Window Snyder acknowledged having received the report from TippingPoint. "This issue is currently under investigation," she wrote. "To protect our users, the details of the issue will remain closed until a patch is made available."

Members of some independent Firefox users' blogs this morning noted that Mozilla's typical response time for discovered vulnerabilities during Firefox 2's lifecycle was about ten days.

BetaNews has contacted Mozilla's California-based representatives for comment this morning, which may be forthcoming.

Comments (43)

By Cornelis

posted Jun 20, 2008 - 9:18 AM

After switching from FF2 to FF3, I really wonder why all that fuss, claims and hopes were so high.

FF3 is worse than the best browser, which is FF2.

Score: 0

By PC_Tool

posted Jun 20, 2008 - 3:57 PM

FF3 is worse than...FF2.

How's that?

Score: 0

By darkxiiindp

posted Jun 20, 2008 - 7:07 AM

The list of vulnerabilities in Firefox grows day by day. It now has as many as IE. I think it's time to see an article with a title like "Firefox got vulnerabilities AGAIN".

Today my Firefox 3 crashed 4 times already. If it weren't for the meebo plugin I would have dropped it.

Score: 0

By Atrius

posted Jun 20, 2008 - 12:02 PM

Who said that IE had more vulnerabilities?

Score: 0

By Ryusennin

posted Jun 19, 2008 - 11:25 PM

When all is doomed, we need the Mystery Men...

I mean, the beer drinkers from Opera.

Score: 0

By Tenoq

posted Jun 19, 2008 - 10:53 PM

So... how come it took the security researchers this long to notify Mozilla of the flaw? I mean, surely this flaw has been in all the RCs and probably many of the previous betas - they've had access to those for months.

Smells of profiteering and headlining a little - waiting until just after the official release to notify them of the bug. :p

Score: 0

By sturgess

posted Jun 19, 2008 - 4:23 PM

We at Opera don't make such a performance out of a new browser. We just get on with our lives, happy in the knowledge that we at least are safe. Firefox was riding for a fall, and with all its cheering fans breathlessly posting how many millions of this and that had been downloaded, it became a tad embarrassing. But we take no joy in the fact that it has fallen so soon, and that now you who were cheering so loudly must feel a bit silly. Cheer up, IE8 will be here soon and you will be able to tell us all what a load of rubbish it is, and how many bits you have added to Foxy. But we'll just smile, fire up Opera as we have done for the last ten years and get on with our lives.

Score: 0

By DakotaSunRunner

posted Jun 19, 2008 - 7:27 PM

Yes I agree, with all the gloating over the new Firefox it was and is a bit embarrassing to see people act so silly over software. I think Firefox is an excellent piece of software and I do use it. It is sad to have a vulnerability already, which tells me, no matter what any browser maker creates or how they do it, there is always someone out there ready to break it for you. It makes no difference if it is Opera, IE, Safari, or Firefox; a browser is a browser if it does what you want. I use several, but it is just a shame so many are willing to break things on others and think they are so smart. Hackers really make me kind of sick; they are pathetic.

Score: 0

By Anoiktos

posted Jun 19, 2008 - 7:19 PM

It's... a vulnerability, not a group of armed insurgents invading 'Mozilla headquarters' with squirt guns full of Drive-Wipe(tm).

I mean, if single vulnerabilities spelled the end of a program, windows'd have been thrown out years ago.

Opera's a fine browser (albeit one which I can never get the hang of using: one would think "point, click, type in URL", but somehow the aesthetic is missing), and your paradoxically smug "but we take no joy" comment only detracts from its fine impression.

Score: 0

By internetworld7

edited Jun 19, 2008 - 7:13 PM

Yes, we here in Safari land will do the same. Seeing that Apple has already seeded Safari 4 to developers, what's there to worry about?

Let the browser wars begin. LOL

Score: 0

By wincement

edited Jun 19, 2008 - 10:20 PM

We here at "My Cool Web Browser" are doing fine too. Our next release, MCWB V. 842,849,481.3, is coming out in the next 2 seconds.

Score: 0

By fewt

edited Jun 20, 2008 - 6:59 AM

I keep trying to download but your link doesn't work. Your browser sucks; I'm going back to Opera because it downloads, so it doesn't suck.

Score: 0

By sturgess

posted Jun 19, 2008 - 3:59 PM

Score: 0

By pc_creator

edited Jun 19, 2008 - 3:25 PM

Sounds to me like someone a) trying to get their name in the news, b) who's a fan (IE employee or paid contractor) of MS, or c) who created the requisite "social interaction" required for this exploit to get their MS-loving @r$es in the news..... and yes Niro, I would call MS incompetent if they had a flaw on release day.... same as I do every day....

Score: 0

By Setian^Stalker

edited Jun 20, 2008 - 3:41 AM

....

Score: 0

By rotjong

posted Jun 19, 2008 - 3:06 PM

This situation looks like: (1) the ball was dropped for a while because this exists in Firefox 2 as well, and is not a new vulnerability, and (2) it appears someone had this vulnerability in their pocket and they were waiting for the perfect time to release it, and what better time to get attention than with the release of Firefox 3?

Score: 0

By rodneyr

posted Jun 19, 2008 - 3:04 PM

Niro --- shhhhh, you're spoiling the glee of Christmas for a lot of little kids!

FWIW - FF3 final is running a lot more stable than the betas.

Score: 0

By Niro

posted Jun 19, 2008 - 1:45 PM

You know what's interesting... a vulnerability found in Firefox a day after its release and everybody gets defensive about it.

I bet if MS released a new version of IE and this article was released the following day about IE instead of Firefox... people would be calling MS incompetent.

Score: 0

By kappen

posted Jun 19, 2008 - 2:02 PM

I personally don't use Firefox, but it seems a little obvious that the company had this tucked in their hat waiting for a product release, something I keep seeing lately with these unknown security companies.

Score: 0

By PC_Tool

posted Jun 19, 2008 - 1:56 PM

People look for excuses to find flaws in anything they do not like. These people are called trolls.

People defending the products they like against trolls are often called fanboys.

This concludes today's lesson. Check back tomorrow when we cover "How *not* to be GNAA'd".

Score: 0

By GodImGood

edited Jun 20, 2008 - 11:48 AM

Yet another mirror of your psyche Toolie? Nuttin' to add, yet another meaningless post!
Have you ever in your life outside the van, considered (yep, pun intended, considered that is), that there is a world outside your drain?
When you so eloquently articulate your disparagement of "Trolls'", are you not the finest here?
Flame bait, buddy have a look at what you contribute, yet this amuses you! Got nothing to add. so I'll be a smarty.
I've been a member here for probably longer than you, yet you want to dominate, most curious indeed!
You proffer nothing, no encouragement, absolutely zip, like a vapour and with some sort of steam.
I'm well aware that your hero the "Duke of Nukem" is in his last few months, (and, I know how much he achieved with regard to guzzoline prices), must be somewhat depressing, but chin up my friend you can enjoy wallowing in what you have helped create!

Score: 0

By Paul Skinner

posted Jun 19, 2008 - 3:11 PM

Dare I ask what the hell GNAA means?

Score: 0

By PC_Tool

posted Jun 19, 2008 - 3:33 PM

Sure, but you don't want to know.

Trust me.

Whatever you do, do *not* Google it.

It's like being rickrolled, only much...much worse.

Score: 0

By internetworld7

posted Jun 19, 2008 - 7:18 PM

What PC_Troll sheepishly forgot to tell you is that he is an active member and trail blazer for GNAA.

http://www.gnaa.us/about.phtml

Score: 0

By PC_Tool

posted Jun 20, 2008 - 8:47 AM

...and you still call me the troll.

The irony is strong with this one, folks...

Score: 0

By GodImGood

posted Jun 20, 2008 - 12:06 PM

My question is, how much do your subscriptions cost Champ?
That you are a member here is a given,
The only irony here, is Toolie trying to disabuse us of the notion that he is not a contributor!!!
If not, perhaps he is indeed the registered owner of the board.
Think, your mischief has finally gottcha Toolie, could only last for so long.
There goes any, indeed, ephemeral credibility!
But, like any good righteous SOB, without shame, we look forward to your future input.
BullInOUts***e.

Score: 0

By PC_Tool

posted Jun 20, 2008 - 1:02 PM

*laughing*

Yay!

Yet another anonymous account from Zaine to accuse me of doing exactly what he's doing here (only so much better than I ever could).

SSDD...

Score: 0

By wincement

posted Jun 19, 2008 - 10:23 PM

Wow... that is so absolutely horrible on so many levels. The people that come up with this stuff are lower than slime.

Score: 0

By PC_Tool

posted Jun 20, 2008 - 1:12 PM

I told you not to go there....

Why didn't you listen to me??

These guys troll slashdot *constantly*. Thank goodness you can still browse only posts above a certain karma level.

Score: 0

By Ethelred

posted Jun 20, 2008 - 2:45 AM

Could be worse.

They could be serious. I suspect they aren't, but since it is on the Internet it could be a sincerely insane site. It's so hard to tell a satire in bad taste from a genuine crank site.

Could be NAMBLA.

That one is not a joke. No matter how insane it appears.

Warning for those whose blood boils at their mention: NAMBLA is legal as long as it only seeks to change the laws. So don't bother complaining about its existence. No one is going to support them in actually changing the laws. It's most likely illegal in many nations but not the US. Not while the Bill of Rights remains even slightly intact.

Next we will discuss Stormfront in this segue into off-topic land. Or get banned.

Score: 0

By jspratjr

posted Jun 19, 2008 - 1:47 PM

So true...

Score: 0

By fewt

posted Jun 19, 2008 - 2:35 PM

not.

Score: 0

By kappen

posted Jun 19, 2008 - 1:09 PM

Sounds like another "I want my name in the news" security company that held out on a problem/bug they found during the beta until the final release came out, so they could be the first to shout "oh oh oh I found a security issue!!"

Score: 0

By PC_Tool

posted Jun 19, 2008 - 12:57 PM

"It added that some social interaction with the user was required"

Here...download this add-on. No, really, it's safe. *trust me*.

There's no fix for stupid.

Score: 0

By wincement

posted Jun 19, 2008 - 10:25 PM

Do you trust this source or do you want to delete your C: drive?

|Yes| |No|

Score: 0

By PC_Tool

posted Jun 20, 2008 - 8:46 AM

Heh...

...Exactly.

Score: 0

By slinkys_delsol

posted Jun 19, 2008 - 12:46 PM

"We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code."

I am picturing two guys, a PC, some Mountain Dew and a bag of Funyuns. They call it "The Lab".

PS. And a Kelly LeBrock Poster (From Weird Science) on the back wall!

Score: 0

By fewt

edited Jun 19, 2008 - 2:41 PM

By lab you mean Mom's basement; and by Mountain Dew you mean their "I (less than) 3 IE7" t-shirts that say "0SS suX0rs" on the back, and their VISTA VISTA VISTA secret decoder rings.

Score: 0

By slinkys_delsol

posted Jun 19, 2008 - 4:57 PM

One Ring to rule them all!

Score: 0

By nms04

posted Jun 19, 2008 - 12:42 PM

looooooool

Score: 0

By Ryusennin

posted Jun 19, 2008 - 12:26 PM

Strange that TippingPoint didn't notify Mozilla during the beta cycle...

Score: 0

By skapig

posted Jun 19, 2008 - 12:18 PM

So this could have perhaps been picked up in the RC stage, but the DVLabs program provides an incentive to withhold reports until a wider deployment has been reached. Interesting...

Score: 0