New Security Issue Under Investigation

Window Snyder


TippingPoint ZDI notified Mozilla of a vulnerability in Firefox that impacts versions 2.x and 3.0. This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the current risk to users is minimal.

TippingPoint will also keep the details closed to protect Firefox users. From their blog post:

While Mozilla is working on a fix, we won't be divulging anything else until a patch is available, adhering to our vulnerability disclosure policy. Once the issue is patched, we'll be publishing an advisory here. Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well.

At Mozilla we appreciate any report of security issues because that is how we make the browser stronger and more secure. The best way to keep Firefox users safe is to report the issues directly to Mozilla, as TippingPoint has chosen to, and to wait to release details until a fix is available.

20 responses

  1. lolo Irie wrote on:

    Link to the TippingPoint Blog is wrong. ;)

  2. Michael Lefevre wrote on:

    Yay for responsible disclosure.

    Your link to their blog post is broken though, due to a missing colon.

  3. Joseph wrote on:

    Any recommendations, e.g. disabling JavaScript?

  4. Palonek wrote on:

    Interesting. Does the company in question get paid to exploit Firefox? If they have discovered it, then how many other people could do the same? Still, this is a far better product than IE. In IE, when they discover a flaw, it takes months sometimes. Thank you ZDI and the team @ Mozilla for active security protection. Palonek @ http://www.paloneks.ca

    PS: In a time when cyber security is such a big issue, the next browser that will be popular just might be decided on the basis of how secure it is…

  5. Window Snyder wrote on:

    Link is fixed now. Thanks for the heads up.

  6. Fx3 wrote on:

    The researcher that found the vulnerability chose to sit on it for weeks instead of properly disclosing it during the Beta and RC periods, really irresponsible behaviour. The announcement during Download Day was purely to damage the release of Firefox 3. And TippingPoint paid this irresponsible researcher?

  7. IT Dude wrote on:

    It’s an issue in Firefox 2.x as well, so it wouldn’t be effective to stop people from going from 2 to 3.

  8. Alberto Ferrer wrote on:

    They waited to release, thanks, and next time don't save it under your carpet.

    Mozilla FF doesn't need this type of publicity.

  9. Wayne Patrick wrote on:

    It sounds like the researcher, indeed, deliberately sat on the info and released it the day he did to try to put a damper on FF 3.0. I haven’t found any other browser that can compete with FF and am confident a patch for this will be out very soon….keep the faith!!

  10. Joanna wrote on:

    Well, I downloaded your new version of Firefox three and what a mess I have been in since. I am unable to retrieve my e-mail from my current high speed internet due to this recent problem. My internet server is working on it but unable to access my e-mails at this time. I hope this does not ruin or cause a bug, because I am now experiencing pop-ups as well. I sure wish I never downloaded this new version. I liked the past one much better.

  11. George Fiotakis wrote on:

    Actually this is a very nice chance to prove that security is one of the main priorities of Mozilla. It just takes a quick fix to gain even more publicity. After all, there's no chance that a piece of software can be 100% bullet-proof. A browser's security should be decided on how fast each hole is fixed, so if it's fixed quickly, it could be turned into a positive news headline.

  12. Honey Singh wrote on:

    Firefox is no doubt superior to any other browser like IE, but sometimes we face issues with CSS (all different in IE, FF and Opera).
    FF is an open source application; anyone can test it, but I'll surely appreciate the ZDI group for not disclosing the flaw's method publicly.
    Hope the Mozilla team will patch this flaw ASAP.
    Once again, cheers from http://honeytechblog.com to the Mozilla team for such a large number of downloads.
    Waiting for fixes rather than finding the flaw's code on the net.

  13. Adam Quigley wrote on:

    Wondering if there is any news on when a fix will be out. My work has suspended use of Firefox and made us go back to IE7, using the excuse of this problem to keep us from using the browser we like. Firefox works so much better for us that are sight impaired; I hope all can be fixed soon.

  14. Jan Schejbal wrote on:

    Erm, this issue is now nearly a month old. Are the Mozilla people trying to compete with Microsoft in the "who leaves the gaping hole open longer"? ;-)

    No, seriously: A month should be more than enough time to create a patch for a critical issue. Is there some ETA when we can expect it?

  15. Window Snyder wrote on:

    It’s fixed in Firefox 3.0.1 and Firefox 2.0.0.16.

  16. Louise Larsen wrote on:

    I was running Firefox 2 yesterday and suddenly the screen was taken over by a screaming warning about spyware with 2 fixes that I needed to install IMMEDIATELY because my computer was compromised and at least one of the problems was CRITICAL. The caps are not mine. However, the references were to Microsoft, and I have a Mac. Also, there were words misspelled and a couple of grammatical oddities. When I declined to install – only then – a Firefox notice appeared. I finally got rid of the warning by shutting down Firefox, and today I upgraded to Firefox 3.

    Either this was a viral problem or I do actually have trouble on my Mac. I can’t find the warning at the moment and have not been able to get through to Firefox. I would like to know what’s up. lel

  17. LINDA wrote on:

    I JUST SWITCHED TO MOZILLA FROM IE …I TRIED FF YEARS AGO BUT DID NOT LIKE IT AS WELL, BUT YOU GUYS HAVE CERTAINLY IMPROVED AND I LOVE IT AND I’M NEVER GOING BACK TO IE–TOO MANY PROBLEMS WITH IE ITS AWFUL NOW–WORST IT’S EVER BEEN, SPY, AND ADWARE IS INCREDIBLE AND ERROR MESSAGES AND ALWAYS SHUTTING DOWN–I THINK BILL GATES HAS GOT SOME MEAN COMPETITION ON HIS HANDS AND HIS EMPIRE WILL BE CRASHING DOWN SOON! THANKS FF KEEP UP THE GOOD WORK, CAUSE IF YOU START SUCKING THEN IT’S ON TO GOOGLE….LINDA

  18. Dave Lenney wrote on:

    I downloaded 3.0, have attempted to remove it, and am told that the browser must be closed in order to remove the browser. The browser appears to be closed each time I go to Add/Remove programs. Can anyone help me?

    Dave

  19. Ray wrote on:

    Hey, nothing is bullet proof. I have used Fire Fox for a long time with no problems. They have the best [money] can buy, pun. To be blunt, if money was the issue here I would put it with Mozilla every time. They do what the big money can not, or will not do: look out for us. Keep up the good work Mozilla; I and others like and app. your efforts.

  20. Linda Owen wrote on:

    I have a virus that says Mozilla Fire Fox; it is Antivirus XP2009. I can not get it off. Is this a part of my Fire Fox?