bit-tech.net

Mozilla confirms 0-day Firefox flaw

Mozilla confirms 0-day Firefox flaw

The latest versions of Mozilla's popular Firefox browser are vulnerable to a remote code execution attack.

The Mozilla Foundation has confirmed the existence of a critical zero-day vulnerability in its popular Firefox web-browser - but says a fix won't arrive before the end of the month.

Posting on its official security blog, the Foundation confirmed a vulnerability which it has "determined to be critical and [which] could result in remote code execution by an attacker."

The good news? The Foundation has already developed a fix, which is currently undergoing quality assurance testing prior to a general roll-out. The bad news? That roll-out isn't due for at least a week, potentially leaving Firefox users vulnerable to attack.

The bug, originally discovered by security researcher Evgeny Legerov last month, was posted publicly but without the code required to carry out an attack. However, it appears that Legerov was reticent to provide detailed information to Mozilla - with ARN pointing to a now-deleted post on the researcher's blog admitting to "ignoring e-mails" from the foundation and refusing to provide enough detail for the Foundation to reproduce the exploit.

Thankfully, the Foundation says that Legerov has now provided "sufficient details to reproduce and analyse the issue," meaning the flaw can be fixed and the patch prepared for a planned 30th of March roll-out. Those who are itching for a fix and don't mind running code that isn't as well tested as a standard release are advised to grab a copy of the nightly build of Firefox 3.6.2, which contains the patch to prevent the exploit from running.

Are you disappointed to see the Mozilla Foundation taking so long to patch a vulnerability in its browser software, or is it important that the patch is fully tested before being rolled out? Could the zero-day nature of the exploit have been prevented if Legerov had followed responsible disclosure guidelines? Have your say over in the forums.

20 Comments

Discuss in the forums Reply
mi1ez 22nd March 2010, 14:30 Quote
A Firefox flaw! Somewhat of a rarity.
proxess 22nd March 2010, 14:32 Quote
ZOMG the end of the world! Here I thought there were such things as perfect applications...
Pieface 22nd March 2010, 14:33 Quote
The new firefox has messed up for me a fair bit. One forum I can't post fully, or use quotes ad the text editor just won't work.
thehippoz 22nd March 2010, 14:43 Quote
yeah I have the minefield 3.7 build installed too.. but I still use 3.6

3.6 seems slower at everything than 3.5.7- it's the saddle pops that need to worry =]
l3v1ck 22nd March 2010, 15:22 Quote
"Are you disappointed to see the Mozilla Foundation taking so long to patch a vulnerability in its browser software,"

You can patch it now if you want, using the nightly build. Even if you don't, a week is much less time than MS take to patch IE.
rickysio 22nd March 2010, 15:24 Quote
I'm already using Minefield 3.7a4pre, doubt this concerns me. :)
leexgx 22nd March 2010, 16:20 Quote
opera here so not really an issue (you have to get past UAC as well if opera had an issue)
RichCreedy 22nd March 2010, 16:32 Quote
but at least with internet explorer you know there may be a risk, people using firefox think they are immune( the average person)
Showerhead 22nd March 2010, 18:07 Quote
Germany warning it's citizens again similar to what it did with IE from bbc
airchie 22nd March 2010, 18:24 Quote
What's the nature of the exploit?
In my experience, it tends to be that exploits usually use javascript to leverage a flaw and so Noscript usually blocks it.

Anyway, the bitdefender news earlier highlights the issues with rushing out poorly-tested code. ;)
HourBeforeDawn 22nd March 2010, 19:22 Quote
okay so for the next couple of weeks I will just switch to my other browser eg Chrome. :) Until this all passes.
DeX 22nd March 2010, 21:13 Quote
Which version(s) of Firefox are affected by this flaw?
leexgx 22nd March 2010, 21:59 Quote
it would be all i guess
cyrilthefish 22nd March 2010, 22:33 Quote
Quote:
The bug, originally discovered by security researcher Evgeny Legerov last month, was posted publicly but without the code required to carry out an attack. However, it appears that Legerov was reticent to provide detailed information to Mozilla - with ARN pointing to a now-deleted post on the researcher's blog admitting to "ignoring e-mails" from the foundation and refusing to provide enough detail for the Foundation to reproduce the exploit.

So let me get this straight:

It's somehow Mozilla's fault that it's taken a month to fix a bug, when the person that discovered the bug refuses to let them know what the bug exactly *was* for quite some time :|

"you have a bug!"
mozilla: "omg what is it?"
<tumbleweed>
<time passes>
"omg you haven't fixed the bug!¬"
rickysio 23rd March 2010, 04:34 Quote
Quote:
Originally Posted by DeX
Which version(s) of Firefox are affected by this flaw?

The public use ones. The nightly builds are safe.
crazyceo 23rd March 2010, 08:18 Quote
Hilarious! and to think many would have changed to firefox since the browser choice screen a few weeks ago. Now you have Germany telling it's population to switch until it's fixed. France is sure to follow as it always does. UK won't do anything since they would have fixed it before the UK "government" would have planned a response.

So who will benefit from this? Opera? IE? or the many other browsers apparently no one scrolled along to look at? Somebody will because those who recently changed will happily move away as they wont have any loyalty to Firefox.
crazyceo 23rd March 2010, 11:12 Quote
Quote:

Is that the Beta they talk about above?
DocWolfe 23rd March 2010, 11:47 Quote
My firefox just downloaded 3.6.2
airchie 23rd March 2010, 13:50 Quote
Quote:
Originally Posted by
Yep, mine's updated itself to 2.6.2 as well.
Germany have changed their statement telling users to upgrade instead of change.

Good effort by the Germans getting things stirred-up enough to get the ball rolling faster. :)
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums