Linux Solutions

So, like me, you’re probably sitting looking at your shiny new Firefox 3 browser. With over 8 million downloads in its first 24 hours, and all the hype leading up to D-day you’d hope the product was perfect. Well – to everyones surprise, security researchers have found a problem that not only affects the new browser but Firefox 2.0.x also.

TrippingPoint’s DVLabs reported that its Zero Day Initiative (ZDI) program received a critical vulnerability. The specific details are being kept under wraps by both Mozilla and DVLabs so its hard to say just how venerable Firefox 3 actually is.

“Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser-based vulnerabilities that we see these days, user interaction is required such as clicking on a link in e-mail or visiting a malicious Web page,” DVLabs noted.

Its quite a feat this vulnerability managed to make its way to the finished product, what with all the Beta testing that took place. Surely Mozilla had enough time to check for flaws, but hindsight is a wonderful thing…

DVLabs verified the vulnerability, acquired it from the researcher, and then reported it to Mozilla. DVLabs won’t discuss the problem until Mozilla fix it.

TrippingPoint buy the vulnerabilities from security researchers, who are essentially hackers. TrippingPoint then purchase the vulnerability based on the flaws severity and the scope of the problem. Generally the more downloads of a product, the more hype there is surrounding the flaw, therefore there is a better chance the seller will get a better price.

In this particular case, the security researcher wishes to remain anonymous, and TrippingPoint will keep the seller’s identity a secret. DVLabs have declined to comment thus far, but Mozilla did post on its security blog a few extra details:

“This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the risk to users is minimal,” noted Windows Snyder, Mozilla’s security team leader.

We should expect a pretty rapid response from Mozilla so as to prevent bad press.

“Considering how high-profile it is, I’d highly suspect a very rapid fix,” Rich Mogull, an independent security consultant with Securosis, said.

“Maybe days at the worst, but it’s hard to guess. It really depends on the nature of the vulnerability and the work required to generate and properly test a fix,” he added.

As for actual risk to users, Mogull said the risk is quite small. “As part of the ZDI program, no vulnerability details are released, and whoever found it is legally barred from releasing details. While they could break that contract, then they don’t get paid,” he explained. They could also open themselves up to a lawsuit, he added.