TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... In December of 2007, Microsoft released seven security bulletins which fixed 11 new security vulnerabilities. TippingPoint and ZDI were credited with discovering a total of four of those vulnerabilities.

Mozilla Firefox 3.0 Vulnerability

  • By Zero Day Initiative
  • Wed 18 Jun 2008 14:58pm
  • 14618 Views
  • 2 Comments
  • Link
A number of people who monitor our Zero Day Initiative's Upcoming Advisories page noticed yesterday that we reported a vulnerability to Mozilla (ZDI-CAN-349).  Taking into account the coincidental timing of the Firefox 3.0 release, many are asking us if this is the first reported critical vulnerability in the latest version of the popular open source browser.

What we can confirm is that about five hours after the official release of Firefox 3.0 on June 17th, our Zero Day Initiative program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page.

While Mozilla is working on a fix, we wont be divulging anything else until a patch is available, adhering to our vulnerability disclosure policy.  Once the issue is patched, we'll be publishing an advisory here. Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well.

For more information on the Zero Day Initiative, you can read an intro.



Tags:
Published On: 2008-06-18 14:58:14

Comments post a comment

  1. Anonymous commented on 2008-06-18 @ 18:07

    Why did you not find it in the Release Candidates

  2. Zero Day Initiative commented on 2008-06-18 @ 18:52

    @Anonymous
    The vulnerability was submitted to us by a researcher that prefers to remain anonymous. Even though the issue affects older 2.0.x versions, as to why he didn't find the vulnerability earlier is something we don't presume to know.


Links To This Post

  1. Code execution vulnerability found in Firefox 3.0 | Zero Day | ZDNet.com
    linked on 2008-06-18 @ 18:00 Show Comment

    According to ZDI’s alert, it should be considered a high-severity risk: Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, permitting the attacker to completely take over the vulnerable process, potentially allowing the machine running the process to be completely controlled by the attacker. TippingPoint researchers continue to see these types of “user-interaction required ” browser-based vulnerabilities - such as clicking on a link in email orĀ  inadvertently visiting a malicious web page.

  2. Mozilla Firefox 3 Needs A Fix Already ~ The Blade by Ron Schenone, MVP
    linked on 2008-06-18 @ 20:48 Show Comment

    Source.


Trackback