Although the Firefox 3.0 Download Day went with a bang, with over eight million downloads counted within the all-important twenty-four hour period, a shadow has been cast over the latest version of the popular open source browser already: a critical security flaw brought over from Firefox 2.0.x which remains unfixed.
According to CNet News, the bug was discovered by a contributor to TippingPoint's controversial bugs-for-cash programme Zero-Day Initiative. Reported to Mozilla approximately five hours after Firefox 3.0 enjoyed its official launch, the bug is described by TippingPoint as allowing an attacker “to execute arbitrary code” providing there is some user interaction “such as clicking on a link in an email or visiting a malicious web page.”
When pressed for further details, TippingPoint clammed up and merely stated that it wouldn't be handing out details on the flaw until after the Mozilla Foundation has had a chance to get a patch out.
Fans of the browser will be disappointed that this next-generation release – which contains many changes designed to improve user security – has fallen so quickly. Although at first glance having a bug from the previous generation of Firefox make its way into this newest release is at the very least embarrassing, what TippingPoint hasn't yet made clear is whether the bug is one known to the Mozilla team before the release of Firefox 3.0. Although TippingPoint does describe the flaw as “affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x” it doesn't make clear whether this was something the Mozilla team could have reasonably prevented.
Either way, it's an inauspicious start to the browser's career. I suggest keeping an eye on the Mozilla Security Center for a patch, which hopefully will be available pretty darn soon.
This bug aside, which hopefully isn't in the wild yet, how are people getting on with Firefox 3.0? Share your experiences with the new browser over in the forums.