Firefox 3 security compromised

Firefox 3 security flaw reported

A serious security flaw has already been reported in Mozilla's latest version of Firefox, which was released and downloaded by millions of users last week.

The security flaw was reported to TippingPoint's Zero Day Initiative and Mozilla has been informed of the details, so we will no doubt see a fix for the problem in the next Firefox 3 update.

We are waiting to hear more details from Mozilla, and will be sure to keep you informed.

Cashing in?

As the vulnerability also affects the older Firefox 2, there is always the suspicion that the person who flagged the problem with TippingPoint was waiting until Firefox 3 launched last week, with all the accompanying hype and fanfare, to cash in a little more on their discovery.

Bear in mind that The Zero Day Initiative Benefits lists the following factors in determining the value of a reported fault:

• Is the affected product widely deployed?
• Can exploiting the flaw lead to a server or client compromise? At what privilege level?
• Is the flaw exposed in default configurations/installations?
• Are the affected products high value (e.g. databases, e-commerce servers, DNS, routers, firewalls)?
• Does the attacker need to social engineer his victim? (e.g. clicking a link, visiting a site, connecting to a server, etc.)

Internet best practice

Details on the vulnerability are scarce. The TippingPoint blog merely notes that: "Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page."

While we await further details on the nature of the security threat, we can only advise that you don't click on any suspicious links in unsolicited emails or visit dodgy websites!

In the meantime, concerned Firefox 3 users might want to install the useful NoScript extension, just to be sure.

Adam Hartley