TippingPoint vulnerability patched in Firefox 3.0.1 and 2.0.0.16

Window Snyder

Issue

A vulnerability in the way Firefox handles CSS allows an attacker to take advantage of an integer overflow and execute arbitrary code. For the attack to succeed, a user must browse to a malicious site. The advisory is available here.

Impact

This critical vulnerability was reported to Mozilla before details were available publicly.  By keeping the details of the issue private until the issue was patched, TippingPoint and Mozilla were able to keep the risk to users minimal.

Status

This issue is patched in Firefox 3.0.1 and 2.0.0.16, which are now available. Users will be prompted to install the update through the automatic update feature. If you would like to update now, select “Check for Updates” from the Help menu.

Credit

An anonymous reporter found this vulnerability and reported it to TippingPoint.  TippingPoint reported it to Mozilla.

6 responses

  1. JerryCan wrote:

    So “10 fucking days” has slipped to “One fucking month”?

  2. Window Snyder wrote:

    As I mentioned in an earlier post (http://blog.mozilla.org/security/2007/08/06/mike-shaver-ten-days-and-expletives/) we try to fix security vulnerabilities as quickly as possible, but are not working with 10 days (or any other specific time frame) as our goal.

    This issue got a bit of attention, but it is about the same risk to our users as an issue of the same severity found by an internal Mozilla tester. Since the details were not made public, the risk to users is minimal. We still work hard to get those fixes out as soon as possible, because that is the best way to keep users safe.

  3. Gigi wrote:

    Some of us would prefer not seeing the childish use of potty words by your less mature users. Perhaps, you would consider blanking (yes, censor their little tirades) their nasty little comments, which add nothing of value to the message.
    I feel certain you do everything possible to keep up with all the latest virus threats, etc., and some of us do appreciate it.

  4. Self Sufficient wrote:

    Yep, I very much hate to say, but some people just don't appreciate the work that people put in to make sure things work and are constantly trying to make things right.

  5. John Mclaughlan wrote:

    Thank you to Mozilla Firefox. I don't know what it is you have done with your browser, but I changed to Mozilla from Windows int ex 7 September this year and I have noticed a big difference: no longer is my browser crashing, but my AV and firewall has also stopped going mad at every home page I ever chose. I also have stopped having to re-boot my computer. If there are any security risks with Mozilla I certainly have not noticed it. I will never go back to Windows. u have also told every person I know on line to also join Mozilla. I hope to see more excellent programs from Mozilla, and once again thanks for all your hard work.

  6. John Mclaughlan wrote:

    Ha ha, sorry, typo: I have told everyone I know to get Firefox, not u. Ha ha, sorry.